There’s no denying that computers have become commonplace in today’s society, and just like paper and notebooks, what’s stored on them can be considered evidence in a criminal trial. However, because computer data is so volatile, how can investigators compile evidence from a suspect’s files, let alone be sure that their own interactions with it aren’t changing the data? Judd Robbins, a computer scientist and expert in computer forensics, tells HowStuffWorks.com what must be done with data that is going to be used in court against its owner:
- Secure the computer system to ensure that the equipment and data are safe. This means the detectives must make sure that no unauthorized individual can access the computers or storage devices involved in the search. If the computer system connects to the Internet, detectives must sever the connection.
- Find every file on the computer system, including files that are encrypted, protected by passwords, hidden or deleted, but not yet overwritten. Investigators should make a copy of all the files on the system. This includes files on the computer's hard drive or in other storage devices. Since accessing a file can alter it, it's important that investigators only work from copies of files while searching for evidence. The original system should remain preserved and intact.
- Recover as much deleted information as possible using applications that can detect and retrieve deleted data.
- Reveal the contents of all hidden files with programs designed to detect the presence of hidden data.
- Decrypt and access protected files.
- Analyze special areas of the computer's disks, including parts that are normally inaccessible. (In computer terms, unused space on a computer's drive is called unallocated space. That space could contain files or parts of files that are relevant to the case.)
- Document every step of the procedure. It's important for detectives to provide proof that their investigations preserved all the information on the computer system without changing or damaging it. Years can pass between an investigation and a trial, and without proper documentation, evidence may not be admissible. Robbins says that the documentation should include not only all the files and data recovered from the system, but also a report on the system's physical layout and whether any files had encryption or were otherwise hidden.
- Be prepared to testify in court as an expert witness in computer forensics. Even when an investigation is complete, the detectives' job may not be done. They may still need to provide testimony in court [source: Robbins].
Even with all of this, there are anti-forensics programs that can be used to hide files and hamper investigative efforts. Some programs change the headers in a file, making it seem like another type of file (which is far more subversive than just changing the file extension to fool people, since the computer would still recognize the original file type from the header). Strong encryption also slows down access to a specific set of files, because it takes programs longer to crack the code. Changing metadata (information about when a file was created, accessed, and so on) is also possible, and is another way anti-forensic activity takes place.
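As an added example (not from this post or from HowStuffWorks), here is a small Python triage script that applies two of the points above: it hashes each evidence copy so the hash can go into the documentation, and it compares each file's leading bytes against its extension to flag the header tampering described above. The signature table and the sample files are constructed for the demo; real examiners use much larger signature databases.

```python
import hashlib
import os
import tempfile

# Constructed mini signature table: leading bytes -> extensions that legitimately carry them.
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"%PDF-": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx"},
}

def sha256_of(path):
    """Hash the evidence copy so it can later be shown to be unchanged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def header_extensions(path):
    """Return the extensions implied by the file's header, or None if the header is unknown."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, exts in SIGNATURES.items():
        if head.startswith(magic):
            return exts
    return None

def check_file(path):
    """Record the hash and flag a header that disagrees with the file's extension."""
    ext = os.path.splitext(path)[1].lower()
    exts = header_extensions(path)
    mismatch = exts is not None and ext not in exts
    return {"sha256": sha256_of(path), "ext": ext, "header_exts": exts, "mismatch": mismatch}

def run_demo():
    """Write constructed sample files to a temp dir and triage them; returns {name: record}."""
    samples = {
        "photo.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # JPEG header hiding behind .txt
        "report.pdf": b"%PDF-1.4\n%constructed sample\n",  # header and extension agree
        "notes.bin": b"plain text with no known signature",
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            results[name] = check_file(p)
    return results
```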
Nice post! Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device.
This guide covers computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a specific company or product, and it is not written with a bias toward either law enforcement or commercial computer forensics.