
Uses of Computer Forensics

Updated on February 19, 2014
krsharp05 profile image

Kristi graduated from the University of Kansas with a degree in Human Development and Developmental Psychopathology of Children.

© copyright ALL RIGHTS RESERVED 2012

Personal Storage Devices

Catching A Cyber Criminal

The vocation of cyber forensics encompasses many different duties. Defined in the most basic manner, computer forensics is the analysis of information that has been constructed and stored within a computer system, in the interest of solving any alleged criminal activity that may have occurred with the use of the specific apparatus being analyzed. Probable cause would allow the apparatus to be taken into custody if an officer or trained person of reasonable caution believes that a crime has been, is being or is about to be committed.

Forensic data is not the type of information that is readily available, contrary to what you see on LA LAW and CSI. Hollywood makes criminal forensics seem very futuristic and glamorous with lasers and innovative machinery. In Hollywood they perform the most amazing tests and within seconds - voila! Crime solved! Unfortunately, it often takes hours of tedious research to find the real answers.

Digital Forensics: Portable Tableau

Cyber Growth

Forensics investigations are most often used to refute or support a supposition during civil, criminal and corporate litigation. Digital forensics may also be used in the private sector by companies who are undergoing internal investigations into unauthorized technical and network transgressions.

The specialized aspect of an investigation is sub-categorized into four main areas: computer forensics, network forensics, database forensics and mobile device forensics. The actual physical process includes obtaining evidence, forensic imaging, analysis and reporting evidence.

Ram Memory Drive









Radio Tactics Aceso


The earliest known uses of computer forensics go back to as early as 1970. US military and intelligence agencies employed computer forensic techniques in counterintelligence measures; however, specific details are classified.

Before 1980, crimes that involved digital intelligence were handled with existing laws. The next ten years saw an eruption of crimes being committed using digital technology. Legislation was passed to deal with the issues of copyright, privacy, harassment, cyber bullying, cyberstalking, online predators and child pornography. The US Federal Computer Fraud and Abuse Act was passed in 1986.

It wasn't until 1992 that the United States recognized computer forensics as a necessary and legitimate discipline in criminal investigation, though it had been used informally and not for criminal or civil litigation purposes. The new challenge became developing a standardized discipline for the seizure, preservation and analysis of evidence by trained experts, to ensure that all evidence is factually based on their own expert knowledge, that all testimony given will be the product of reliable formulas and processes, and that the witness applies such formulas and processes reliably to the facts of the case.

The Patriot Act signed by President Bush in 2001 included efforts to eradicate terrorism through the use of cyber forensics. Section 814 specifically addresses cyber terrorism.

Cryptographic Hash Algorithm Functions

SHA-1 is a secure hash algorithm designed by the NSA (National Security Agency).

MD5 is a secure hash algorithm that is also used. Its more conservative design came from MIT (Massachusetts Institute of Technology).

Forensic Process

  • The first stage of the forensic process is to acquire a forensic duplicate of the media or intelligence, often using a device which will prevent any alteration of the original. Both the original and the duplicate are "hashed" and the values are then compared to ensure the replicas are accurate and exact.
  • Once the investigator has acquired evidentiary material, they will need to begin analysis using many techniques and devices. Evidence may be apparent but may have gaps which the forensic detectives must fill by using their forensic processes. The procedure may involve conducting keyword searches within files or slack space (the unused space in a disk cluster), recovering deleted files and extracting registry information such as user accounts or attached USB devices. The evidence is then used for reconstruction purposes and then finally put into a written report.
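
The two stages above, as an added example that is not part of the original article: a duplicate is made and verified by hash, then the raw image is searched for keywords, including one split across a read boundary. The file names, the sample bytes and the function names are constructed for illustration, opening the source read-only stands in for the write-blocking device, and SHA-256 is computed next to MD5 and SHA-1 because practical collisions are known for both of those.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024
ALGORITHMS = ("md5", "sha1", "sha256")  # MD5/SHA-1 from the page; SHA-256 added


def hash_file(path, chunk=CHUNK):
    """Return {algorithm: hex digest} for a file read in fixed-size chunks."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for digest in digests.values():
                digest.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def duplicate_and_verify(source, duplicate, chunk=CHUNK):
    """Copy source (opened read-only) to duplicate, then hash and compare both."""
    with open(source, "rb") as src, open(duplicate, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            dst.write(block)
    original, copy = hash_file(source), hash_file(duplicate)
    return {"original": original, "duplicate": copy, "match": original == copy}


def keyword_offsets(image, keywords, chunk=CHUNK):
    """Search raw image bytes (slack space included); returns {keyword: [offsets]}."""
    needles = [word.encode() for word in keywords]
    overlap = max(len(n) for n in needles) - 1
    hits = {word: [] for word in keywords}
    tail, base = b"", 0  # base: image offset of the first byte of the window
    with open(image, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            window = tail + block  # carry the tail so split keywords still match
            for word, needle in zip(keywords, needles):
                pos = window.find(needle)
                while pos != -1:
                    # Matches lying wholly inside the tail were already reported.
                    if pos + len(needle) > len(tail):
                        hits[word].append(base + pos)
                    pos = window.find(needle, pos + 1)
            tail = window[-overlap:] if overlap else b""
            base += len(window) - len(tail)
    return hits


def demo():
    """Constructed evidence file: file data, zero padding, leftover text."""
    data = b"quarterly report" + b"\x00" * 14 + b"meet at pier 9 invoice" + b"\x00" * 6
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence.dd")
        duplicate = os.path.join(tmp, "evidence_copy.dd")
        with open(source, "wb") as fh:
            fh.write(data)
        report = duplicate_and_verify(source, duplicate, chunk=16)
        hits = keyword_offsets(duplicate, ["invoice", "pier"], chunk=16)
        with open(duplicate, "r+b") as fh:  # alter a single bit of the copy
            fh.seek(40)
            fh.write(bytes([data[40] ^ 0x01]))
        still_matches = hash_file(duplicate) == report["original"]
    return report, hits, still_matches


if __name__ == "__main__":
    print(demo())
```

The keyword hits are byte offsets into the image rather than file names, which is what lets the report point at text that no longer belongs to any file.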


One considerable limitation is the use of keyword encryption which disrupts examination where evidence may be stored but is inaccessible. Laws to disclose encryption keys are in their earliest phases and are still controversial.


Computer forensics is most commonly known in criminal law but also has applications in private investigation and corporate investigation. Outside of the criminal realm, computer forensics might commonly be used to pursue unauthorized network intrusions or identify a network attack or hacker.

The primary focus of computer forensics is to recover evidence of criminal activity. The legal term is actus reus. There is an assortment of data within digital devices that is beneficial to other areas of inquiry:

  1. Attribution: Metadata can be used to attribute specific actions to an individual.
  2. Alibis and Statements: Information provided may be checked with digital evidence such as mobile phone statements for date and time stamp proofing.
  3. Intent: Objective evidence is data that can be used to prove mens rea (intent) if the internet history shows incriminating evidence such as search terms: How to poison with arsenic, or How to kill people.
  4. Evaluation of Source: File artifacts and metadata can be used to determine where the data was generated. They identify whether the file was created on the computer being evaluated or came from another source. The problem with source evaluation is that you can affect the file dates by simply changing computer clock times. This has been highly debated in trial. Fortunately, it's not a strong enough argument to suspend evidence in nearly all cases.

Result of Failed Data Recovery

Types of Forensic Data

  • Active Data is the information that we can see such as files, programs and anything that would be used by the operating system. It is the easiest type of information to obtain.
  • Archival Data is data that has been backed up and stored on CDs, disks, back-up tapes or entire hard drives. This information requires a bit more work and know-how to retrieve.
  • Latent Data is the material that requires specialized equipment to access such as information that has been deleted or partially overwritten. Latent data is the most difficult and time consuming type of information to collect.
  • When collecting data for forensic purposes it is important that devices are collected and information is harvested as early as possible in order to prevent information from being degraded or destroyed.

Common Mistakes

  • Using your own internal IT Staff to conduct a computer forensic investigation.

If your staff is not trained on evidentiary procedures and if they do not follow the chain of custody and all accepted evidence techniques, any information collected may not be recognized in a court of law.

  • Waiting until the last minute to perform a computer forensics exam.

Computer forensics depends largely on the ability to authenticate information. The data is considered extremely delicate and degrades very easily. The longer this type of evidence is allowed to corrupt, the more difficult and costly it will be to recover. In computer forensic analysis the rule of thumb is that if there is even a negligible chance that forensic evidence will be necessary, analysis and imaging should be done immediately.

  • Limiting the scope of analysis.

You may want to limit the cost of your analysis; however, it's impossible to know which system or systems have been attacked or which contain evidence. Additionally, processors will not know where to look for evidence and will need to do a complete scan of all data and systems.

  • You're not prepared to safeguard digital evidence.

Regardless of the size of your company, you should, at all times, be prepared to secure electronic and digital evidence. Your employees should know and properly exercise correct file deletion laws. Additionally, many corporations overwrite their own backup tapes. Recently a company was fined 1,000,000 for that very practice. Ooops! They quickly hired an IT team that worked with their new legal team and they were able to install a new preservation order.

  • Selecting a sub-standard forensic organization

Do your homework and make sure that your forensic analysis provider is capable and qualified. They must be certified computer forensic investigators and be using tools that are acceptable for the environment and which collect data that is recognized as evidence. They must have the ability to serve as an expert witness and be a trusted advisor. They must follow accepted protocols and handle different systems and hardware. They must be able to handle a variety of forensic collection and analysis situations. They must provide references and comply with The Department of Justice practices in their lab.


    • krsharp05 profile imageAUTHOR

      Kristi Sharp 

      7 years ago from Born in Missouri. Raised in Minnesota.

      Shyron, Thank you for taking the time to read and respond. I'm sorry to hear that you've had such a hard time with your identity and the white pages. It sounds like you have been through an odyssey! I appreciate your input. Thanks! -K

    • Shyron E Shenko profile image

      Shyron E Shenko 

      7 years ago from Texas

      Hi krsharp05, this is an interesting hub, but there is a lot going on that is not written about here. i.e. some search engines are putting out info that they have no right to. Long ago people had to pay to get their telephone listed in white pages, now you have to pay to keep it out.

      One search engine said "You can Opt Out of having them show personal info" so I called because they put out a lot of false information on me and I don't want any. They said I would have to send a copy of my driver's license and pay them to unpublish the wrong information but if I wanted to correct the information I could do that for free.

      Voted up, interesting.

    • krsharp05 profile imageAUTHOR

      Kristi Sharp 

      8 years ago from Born in Missouri. Raised in Minnesota.

      Tamara, thank you for reading and commenting. You are definitely the IT woman. I know by reading your hubs that ANY and ALL IT questions should be passed by you. You're exactly right, CF companies are often hired by businesses to maintain systems at all times. I appreciate your input. Glad to have you here. -K

    • tamarawilhite profile image

      Tamara Wilhite 

      8 years ago from Fort Worth, Texas

      Computer forensics are also used in the workplace. Did someone email proprietary files, whether on purpose to sell the information or accidentally? Has someone broken IT policy by installing freeware software or put company licensed software on a personal device? Computer forensics are often used in the business world.

    • krsharp05 profile imageAUTHOR

      Kristi Sharp 

      8 years ago from Born in Missouri. Raised in Minnesota.

      I'm fascinated with all aspects of criminal forensics and this particular avenue is macabre at times. One of the most famous cases where computer forensics was used is the BTK killer. Thanks for the great discussion Sid!

    • SidKemp profile image

      Sid Kemp 

      8 years ago from Boca Raton, Florida (near Miami and Palm Beach)

      Hi KR: I see what you are saying - I was picturing the data after it had been seized. A properly stored hard drive in a secure lockup is pretty stable.

      But, even there, the opportunity to investigate the *meaning* of the stored data might degrade. Say we seize the computer early, but there is a delay before investigation. Then the investigation points to an avatar on the Internet. But that avatar was abandoned 3 months ago. It will be very hard to trace the person behind it. 3 months earlier, the forensic data investigation might lead to catching a criminal still using an avatar.

      Some case studies - real ones, not CSI - would be interesting, wouldn't they?

    • krsharp05 profile imageAUTHOR

      Kristi Sharp 

      8 years ago from Born in Missouri. Raised in Minnesota.

      Sid, I'm glad you asked! Just turning on your computer changes caches and temporary files and slack space files which can all be veritable treasures for forensic techs. It's also impossible to know if meta-data has been altered, damaged or destroyed by opening, printing or saving files. Everything I read about computer forensics said that electronic evidence naturally degrades over time regardless of its housing and more so when used on a regular basis. If you have more information that I can add, I would love to have your input! Thank you for reading and commenting. It's always nice to hear from you. -K

    • SidKemp profile image

      Sid Kemp 

      8 years ago from Boca Raton, Florida (near Miami and Palm Beach)

      Fun article. I'm an ex-computer techie and a CSI junkie, so this was a fun read. I could enjoy this work, if I wanted to launch a new career. One thing I'm curious about: What exactly is meant by the idea that "the data is very delicate and degrades very easily." Clearly, that is not true of the bits on a hard drive. So, in what way does computer forensic data degrade? (Maybe a topic for another hub?)

    • krsharp05 profile imageAUTHOR

      Kristi Sharp 

      8 years ago from Born in Missouri. Raised in Minnesota.

      dmop, thank you for reading and for your input. You're exactly right. The technology is there and it can be pricey. It's all about timing. Great to hear from you. -K

    • dmop profile image


      8 years ago from Cambridge City, IN

      I found this article very interesting. I know that there is lots of software out there that helps eliminate traces of what a computer has been used for, though I'm sure none of it is 100% effective. I do know that retrieval even after meager attempts at removal or deliberate corruption is very expensive. Great Hub, voted up and useful.

    • krsharp05 profile imageAUTHOR

      Kristi Sharp 

      8 years ago from Born in Missouri. Raised in Minnesota.

      Lindacee, it's like a race between brilliant minds! Nice to hear from you, thank you for reading. Keep your cyber security system turned on - you never know who is sneaking in.. lol! -K

    • lindacee profile image

      Linda Chechar 

      8 years ago from Arizona

      I just learned something about a subject of which I knew very little. With technology and the criminals who use it advancing at such a rapid rate, cyber forensics techniques must quickly evolve to stay one step ahead of the bad guys. Voted up and interesting!

    • krsharp05 profile imageAUTHOR

      Kristi Sharp 

      8 years ago from Born in Missouri. Raised in Minnesota.

      Simone, computer forensics is becoming a lot more controversial. The legal community is at constant odds about time stamping issues. You're right, it is very controversial. Thank you for reading and commenting -K

    • Simone Smith profile image

      Simone Haruko Smith 

      8 years ago from San Francisco

      It seems like computer forensics is becoming more important (and contested, not to mention controversial) every day! It's great to have learned a bit more background about the field. This will help me better understand current debates on the issue.

    • krsharp05 profile imageAUTHOR

      Kristi Sharp 

      8 years ago from Born in Missouri. Raised in Minnesota.

      leah, after doing the research, I learned so much more about something I already love. This is such a great experience. Thank you for reading and commenting. I appreciate your words of wisdom. -K

    • krsharp05 profile imageAUTHOR

      Kristi Sharp 

      8 years ago from Born in Missouri. Raised in Minnesota.

      ha ha ha, I will put in my application! thank you for reading and commenting. good to hear from you -K

    • krsharp05 profile imageAUTHOR

      Kristi Sharp 

      8 years ago from Born in Missouri. Raised in Minnesota.

      kashmir, thank you for your comments. It's a fascinating field. I appreciate your vote and thank you for sharing.

    • krsharp05 profile imageAUTHOR

      Kristi Sharp 

      8 years ago from Born in Missouri. Raised in Minnesota.

      Mhatter, thank you for stopping by. As always, it's a pleasure to see you!

    • leahlefler profile image

      Leah Lefler 

      8 years ago from Western New York

      Wow - I had never heard of cyber forensics, but this is a really fantastic hub! I love your explanation of limitations and common mistakes - such as using your own IT team to perform an investigation. I love this one, krsharp05!

    • Om Paramapoonya profile image

      Om Paramapoonya 

      8 years ago

      I have to agree with spartucusjones' comments. I've learned a lot more accurate information about computer forensics from this hub than from the CSI shows! Maybe they should hire you to be their new scriptwriter LOL

    • kashmir56 profile image

      Thomas Silvia 

      8 years ago from Massachusetts

      Hi krsharp05, WOW this is so very interesting and fascinating information. Thanks for helping me learn more about computer forensics, well done!

      Vote up and more !!! SHARING !

    • Mhatter99 profile image

      Martin Kloess 

      8 years ago from San Francisco

      Thank you for this fascinating information

    • krsharp05 profile imageAUTHOR

      Kristi Sharp 

      8 years ago from Born in Missouri. Raised in Minnesota.

      lol, so true Spartucus. Thank you for reading. It's a fascinating field but not as flashy as they make it look on the homicide shows. -K

    • spartucusjones profile image

      CJ Baker 

      8 years ago from Parts Unknown

      Very comprehensive and well explained hub! Definitely a more accurate portrayal of computer forensics than what we get through Hollywood.

