Computer Forensics

Computer forensics investigation Training in computer forensics, or computer forensic science, gives law enforcement and private investigators the tools needed to recover evidence or files that have been deleted from a computer’s hard drive.  Many computer users believe that deleting a file destroys it permanently, however this is not true. The data has simply been moved to a different folder and is no longer available from the computer’s directory tree. The files still reside on the sector of the hard drive they were previously located, but now must be recovered utilizing special programs. Here are some of the tools and techniques police and private investigators use while attempting to recover lost or deleted files.

Computer Forensic Basics: How it Works
The job of recovering deleted files is an ever changing science that continues to grow as investigators meet new challenges such as encryption, damaged hard drives, and operating environments that use different file systems.  The common denominator in any file recovery operation begins with a text search of the hard drive. For example, if an investigator is looking for a name a program may search for the entirety or portions of that name that have not been completely wiped from the sectors of the hard drive.

Computer Forensics EtobicokeAnother technique for recovering deleted data is called file carving.  This  method involves searching data sectors on the hard drive for keywords  and file headers, for full or partial pieces of text, and filling in the missing words or numbers.  After deletion files can be partially written over, making file carving more difficult.  However, by searching for key phrases or numbers the investigator can recreate the rest of the file.  If someone is suspected of stealing information or data (such as a password list) by hacking into another computer, investigators specializing in computer forensics can search for key pieces of text to get the evidence needed to prove that the file(s) were on the computer and subsequently deleted.

Tools of the Trade
Specialized programs have been developed by computer security experts and forensic specialists to recover lost or stolen data.  These programs are customized for different platforms such as mobile device forensics and network forensics, and include memory scouring apps and network traffic history.

Among the tools used are software programs which can recover network communications such as chat logs, web history, email, and social networking info.  Some programs are only available to law enforcement agencies. One forensic program developed in Australia and used by 35 countries governments to extract evidence and information for later use in criminal proceedings. Other popular tools used by forensic investigators include specialized program for finding deleted history in browsers and a software program that is primarily used to extract information and history from cell phones.

Suspected crimes that require the use of computer forensics include data theft, child pornography, identity theft, and terrorism.  The use of computer forensics is becoming more and more important as the Internet has opened the doors to cyber-crimes.  Many times, the only way to prove a computer crime is to recover the deleted evidence.  Modern technology enables clever criminals to use computers for illegal purposes or to store encrypted evidence.  Computer forensic investigators face more challenging obstacles to isolate and locate this evidence, but they realize that the computers the criminals use for their crimes are actually evidence bombs.


Please contact us for a free consultation.