Computer forensics has become a very important factor of criminal investigations. Since computers have become mainstream the need for a science that will deal with the technology has become an issue for the judicial and legal system. Some of the areas computer forensics may be utilized are:
§ Copyright infringement
§ Industrial espionage
§ Money laundering
§ Piracy
§ Sexual harassment
§ Theft of intellectual property
§ Unauthorized access to confidential information
§ Blackmail
§ Corruption
§ Decryption
When the investigator finds a computer that may hold evidence, they first create an exact image of the drive. This prevents any inadvertent damage to the system. The clone image is important because more than 160 alterations are made to files when a computer is turned on which can change or delete important evidence.
Several events take place on a computer when a file is changed. A file status maker is set meaning their space is now available. But even though you have deleted the file, it stays in the same spot and is called free or unallocated space and is available until the whole space is written over by another file. The computer forensic specialist may retrieve the data until it is written over by the new file. Another place for information to hide is called slack space, meaning, sometimes information being stored in an area will not use all of the available space in the designated spot and the unused portion becomes the slack space.
The science of computer forensics has given a great benefit to attorneys. In many cases, the computer forensic evidence has made the difference in winning and losing. It is a scientific and reputable form of evidence gathering.
Reference: Steen, Susan and Hassell, Johnette. Computer Forensics 101. Electronic Evidence Retrieval, LLC. October 2004.