
When you hear of computer forensics, the first thing that comes to
mind might be a Crime Scene Investigator, pulling the plastic sheet off
of a computer and inspecting for signs of a struggle. Nobody really
ever talked about forensics in daily life until they started making
those scientifically accurate primetime cop shows, so of course, simple
word association generally leads us to forensic sciences being
“Something cops do, right?”
Incidentally, the science behind computer forensics really isn’t
much different from the science behind crime scene forensics. In both
instances, the forensics team or expert is looking for a trail of
evidence. In either case, the investigator looks at what has happened,
determines how it happened, and from that, deduces who might be
responsible.
The major difference between the two is that, while an investigator
on the scene of a robbery or a violent crime is looking for physical
evidence, the computer forensics investigator is looking for digital
evidence.
Interestingly, where physical evidence can often be misleading,
confusing, ambiguous, and difficult to put together without the help of
witness statements, digital evidence tends to present itself in a much
more direct manner.
A computer keeps logs of pretty much everything that has been done
with it. For example, besides your browser history, there’s also your
temporary internet folder, where information from the web is stored on
your computer. So, say an employee is watching YouTube all day when
they’re supposed to be working. Even if they’re smart enough to clear
the browser history, the temporary internet files may still hold the
evidence that will earn them a warning.
That’s only a very simple example, of course. Computer forensics addresses everything from computer crime to employee misconduct, to such mundane tasks as figuring out why your virus scanner isn’t working.
The point is that everything you do on a computer leaves a mark.
Deleting a file from your hard drive is not the same thing as deleting all
the evidence that it was ever there. Just as every room in your house
holds some DNA evidence, be it a hair, saliva, or a toenail clipping,
no matter how well you vacuum and shampoo your carpets, there will be
some evidence that this is your home. The same goes with computers. You
can’t do anything on a computer without a computer expert being able to
figure out exactly what you’ve been up to.
One issue that many find confusing with regard to computer forensics is this: how legal is it, really?
This depends on the context. Here’s all you need to know if you’re
considering hiring a computer forensics team, but aren’t sure if you
can:
If you suspect an employee of breaking company policy or even
breaking the law with a computer that belongs to the company, you do
have the right to take a look at the computer they’ve been working on
any time you like.
It gets a little trickier when an employee is working on their own
computer, but this isn’t a dead end.
Luckily, you don’t always have to look at their computer to find
evidence of what they’ve done on their computer. In any case, go ahead
and call your forensics people, and they should be able to advise you
on how far you can go to gather the evidence you need in order to take
action.
Really, computer forensics is simply the art of finding a trail of
evidence on computers, simple as that. You never know when you’ll need
such services, so it’s a good idea to keep them in mind in case you
ever do.