Nicholls Data Recovery, llc |
||||||||||
|
||||||||||
978-621-5477
jnicholls@nichollsdatarecovery.com |
||||||||||
Computer Digital Forensics |
||||||||||
Computer digital forensics is the science of obtaining and explaining information
found in computers and digital storage media.
There are three types of information that are held in a computer: The first is the user's data. Examples of this kind of information include the actual word processing documents, email text, photographs, music files, etc. The second type of information are the programs or applications that are used for manipulating the user's data. Examples of this include the web browser (e.g. Internet Explorer, Firefox and Safari) used to surf the web or Microsoft Word for creating and editing word processing documents. The third type of information is called "meta data" which is information about the stored information. Examples of this information include the date and time a word processing document was created, the internet address of the computer that sent an email message or even the location of where a photograph was taken. All this information (or "data") is stored in a computer and is usually stored on the computer's hard drive to save it between uses (this data is called "data persistence"). When data is still current, it is easy to find that data on the computer's disk drive. However, data is constantly changing on a computer and as a result, it is constantly being deleted and replaced. When the data is deleted through normal computer operations, that deleted data is usually more difficult to find, but not impossible. Deleting, erasing, replacing or over-writing data on a computer's hard drive simply marks it as "unavailable" to the program or application that the user used to manipulate that data. The data itself however is usually still physically present on the computer's hard drive. The use of tools (both software and hardware) and special techniques and processes usually allows computer forensic examiners to retrieve all three types of information whether or not that information is current or deleted. This is possible because these tools allow the examiner to bypass the normal operation of the computer and ignore the "unavailable" marks. When the recovered computer information is used in either criminal or civil proceedings, the special tools and processes used by the computer forensic examiner are paramount in whether that information will or will not be admissible as legal evidence in court proceedings. The tools and processes must viewed in light of the Daubert ruling (which comes from the 1993 Daubert v. Merrell Dow Pharmaceuticals case and relates to "expert testimony") before submitting the resulting computer forensic evidence. Thus it is important to hire a trained and certified forensic examiner when dealing with computer information in a legal setting. Nicholls Data Recovery is trained and certified as a CCFE (Certified Computer Forensics Examiner) by the IACRB (Information Assurance Certification Review Board) and CHFI (Computer Hacking Forensic Investigator) by the EC-Council The first consultation on forensic cases or forensic tasks is always free of charge. |
||||||||||
|
||||||||||
Nicholls Data Recovery, LLC P. O. Box 30, Gloucester, MA 01931 Joseph A. Nicholls, Principal jnicholls@nichollsdatarecovery.com |