attached to a hard drive.

Computer forensic investigations typically follow the standard digital forensic process, consisting of four phases: acquisition, examination, analysis, and reporting. Investigations are usually performed on static data (i.e., acquired images) rather than "live" systems. This differs from early forensic practices, when a lack of specialized tools often required investigators to work on live data.
== Computer forensics lab ==
The computer forensics lab is a secure environment where electronic data can be preserved, managed, and accessed under controlled conditions, minimizing the risk of damage or alteration to the evidence. Forensic examiners are provided with the resources necessary to extract meaningful data from the devices they examine.
== Techniques ==
Various techniques are used in computer forensic investigations, including:
; Cross-drive analysis : This technique correlates information found on multiple hard drives and can be used to identify social networks or detect anomalies.
; Live analysis : The examination of computers from within the operating system using forensic or existing sysadmin tools to extract evidence. This technique is particularly useful for dealing with encrypting file systems where encryption keys can be retrieved, or for imaging the logical hard drive volume (a live acquisition) before shutting down the computer. Live analysis is also beneficial when examining networked systems or cloud-based devices that cannot be accessed physically.
; Deleted files : A common forensic technique involves recovering deleted files. Most operating systems and file systems do not erase the physical file data, allowing investigators to reconstruct it from the physical disk sectors. Forensic software can "carve" files by searching for known file headers and reconstructing deleted data.
; Stochastic forensics : This method leverages the stochastic properties of a system to investigate activities without traditional digital artifacts, often useful in cases of data theft.
; Steganography : Steganography involves concealing data within another file, such as hiding illegal content within an image. Forensic investigators detect steganography by comparing a file's hash against that of the known original, as any hidden data will alter the hash value of the file.
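The file-carving technique described under "Deleted files" (scan a raw image for known headers, then cut out the bytes up to the matching footer) can be shown in a few dozen lines. The following is an added example written for this article, not code from any of the tools named here. It assumes nothing about a particular disk format: the signature table, the size bound used when a footer is missing, and the sample "image" bytes are all constructed for the demonstration. Each carved object is hashed so the result can be recorded in the evidence log, which is also the comparison an examiner makes when checking a file against a known original.

```python
import hashlib
from typing import Dict, List

# Header/footer signatures for a few common file types, plus an upper bound on
# how far to carve when the footer is missing (file truncated or overwritten).
# Constructed for this example; real carvers ship much larger signature tables.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max_size": 8 * 1024 * 1024},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xaeB`\x82", "max_size": 8 * 1024 * 1024},
    "pdf": {"header": b"%PDF-", "footer": b"%%EOF", "max_size": 32 * 1024 * 1024},
}


def carve(image: bytes, signatures: Dict[str, dict] = SIGNATURES) -> List[dict]:
    """Scan a raw image for known headers and return the carved candidates.

    Each result records the offset, type, size, whether a footer was found,
    and the SHA-256 of the carved bytes so it can be logged as evidence.
    """
    found = []
    for kind, sig in signatures.items():
        pos = 0
        while True:
            start = image.find(sig["header"], pos)
            if start == -1:
                break
            limit = min(len(image), start + sig["max_size"])
            end = image.find(sig["footer"], start + len(sig["header"]), limit)
            if end == -1:
                # No footer within the size bound: keep what is there and flag
                # the object as incomplete rather than silently dropping it.
                data, complete = image[start:limit], False
            else:
                data, complete = image[start:end + len(sig["footer"])], True
            found.append({
                "offset": start,
                "type": kind,
                "size": len(data),
                "complete": complete,
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            # Resume after the carved object; for an incomplete carve resume
            # just past the header so a later, complete object is not skipped.
            pos = start + len(data) if complete else start + len(sig["header"])
    return sorted(found, key=lambda r: r["offset"])


# Constructed sample "disk image": filler bytes, one complete JPEG-like object,
# more filler, then a PNG header with no IEND chunk (a truncated file).
FILLER = bytes(range(256)) * 4
SAMPLE_IMAGE = (
    FILLER
    + b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 10 + b"\xff\xd9"
    + FILLER[:300]
    + b"\x89PNG\r\n\x1a\n" + b"IHDR" + b"\x00" * 64
)

if __name__ == "__main__":
    for r in carve(SAMPLE_IMAGE):
        print(f"{r['offset']:>8}  {r['type']}  {r['size']:>6} B  "
              f"complete={r['complete']}  sha256={r['sha256'][:16]}...")
```

The incomplete-carve path matters in practice: a deleted file whose tail sectors have already been reused has a header but no footer, and an examiner still wants the recoverable prefix reported, marked as partial, rather than discarded.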
== Mobile device forensics ==
; Phone logs : Phone companies typically retain logs of received calls, which can help create timelines and establish suspects' locations at the time of a crime.
; Contacts : Contact lists are useful in narrowing down suspects based on their connections to the victim.
; Text messages : Text messages contain timestamps and remain in company servers, often indefinitely, even if deleted from the device. These records are valuable evidence for reconstructing communication between individuals.
; Photos : Photos can provide critical evidence, supporting or disproving alibis by showing the location and time they were taken.
; Audio recordings : Some victims may have recorded pivotal moments, capturing details like the attacker's voice, which could provide crucial evidence.
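The timeline-building step described for phone logs and text messages, as an added example that is not part of the original article: carrier call records and message records from different sources (and different time zones) are normalized to UTC, merged into one ordered timeline, and then queried for contact frequency and for the cell sites seen during a window of interest. The CSV column names, the two record sets and the cell-site identifiers are all constructed for this example; real carrier exports use their own formats.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


@dataclass(frozen=True)
class Event:
    when: datetime    # normalized to UTC
    source: str       # "call" or "sms"
    number: str
    detail: str       # call direction or message delivery status
    site: str = ""    # cell site for calls; empty for messages


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp carrying an offset (or 'Z') and convert to UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        # Records without an offset cannot be placed on a shared timeline.
        raise ValueError(f"timestamp without offset: {value}")
    return ts.astimezone(timezone.utc)


def load_calls(text: str) -> List[Event]:
    rows = csv.DictReader(io.StringIO(text))
    return [Event(parse_ts(r["timestamp"]), "call", r["number"], r["direction"], r["cell_site"])
            for r in rows]


def load_sms(text: str) -> List[Event]:
    rows = csv.DictReader(io.StringIO(text))
    return [Event(parse_ts(r["timestamp"]), "sms", r["number"], r["status"]) for r in rows]


def build_timeline(calls: str, sms: str) -> List[Event]:
    """Merge carrier call records and message records into one UTC-ordered timeline."""
    return sorted(load_calls(calls) + load_sms(sms), key=lambda e: e.when)


def contact_counts(events: List[Event]) -> Counter:
    """How often each number appears across all sources (narrows down contacts)."""
    return Counter(e.number for e in events)


def cell_sites_between(events: List[Event], start: datetime, end: datetime) -> List[str]:
    """Cell sites recorded for calls inside a window: where the handset was at that time."""
    return [e.site for e in events if e.site and start <= e.when <= end]


# Constructed sample records. The carrier log is in local time (UTC+1); the
# message export is in UTC, and one message was deleted from the handset but
# is still present on the provider side.
CALL_LOG = """timestamp,direction,number,cell_site
2024-03-02T21:05:10+01:00,incoming,+15550001111,SITE-17
2024-03-02T21:40:55+01:00,outgoing,+15550002222,SITE-18
2024-03-03T00:12:00+01:00,incoming,+15550001111,SITE-17
"""

SMS_LOG = """timestamp,number,status
2024-03-02T20:58:00Z,+15550001111,delivered
2024-03-02T22:30:12Z,+15550003333,deleted_on_device
"""

if __name__ == "__main__":
    timeline = build_timeline(CALL_LOG, SMS_LOG)
    for e in timeline:
        print(e.when.isoformat(), e.source, e.number, e.detail, e.site)
    print(contact_counts(timeline).most_common())
```

Normalizing to UTC before sorting is the point of the example: the 00:12 local-time call on 3 March is actually the last event of 2 March in UTC, and a timeline that ignores offsets would place it after events it preceded.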
== Volatile data ==
Volatile data is stored in memory or in transit and is lost when the computer is powered down. It resides in locations such as registries, cache, and RAM. The investigation of volatile data is referred to as "live forensics." When seizing evidence, if a machine is still active, volatile data stored solely in RAM may be lost if not recovered before shutting down the system. "Live analysis" can be used to recover RAM data (e.g., using Microsoft's COFEE tool, WinDD, WindowsSCOPE) before removing the machine. Tools like CaptureGUARD Gateway allow for the acquisition of physical memory from a locked computer. RAM data can sometimes be recovered after power loss, as the electrical charge in memory cells dissipates slowly. Techniques like the cold boot attack exploit this property. Lower temperatures and higher voltages increase the chance of recovery, but it is often impractical to implement these techniques in field investigations. Tools that extract volatile data often require the computer to be in a forensic lab to maintain the chain of evidence. In some cases, a live desktop can be transported using tools like a mouse jiggler to prevent sleep mode and an uninterruptible power supply (UPS) to maintain power. Page files from file systems with journaling features, such as NTFS and ReiserFS, can also be reassembled to recover RAM data stored during system operation.
== Analysis tools ==
Numerous open-source and commercial tools exist for computer forensics. Common forensic analysis includes manual reviews of media, Windows registry analysis, password cracking, keyword searches, and the extraction of emails and images. Tools such as Autopsy (software), Belkasoft Evidence Center X, Forensic Toolkit (FTK), and EnCase are widely used in digital forensics.

== Professional education and careers ==