Technology is a daily part of our lives, making it more convenient. For the investigator, technology presents challenges as well as opportunities. Not only does a good computer forensics investigator need to have a pedigree of technical savvy in terms of certifications, background, skills, network, and a cadre of hardware and software investment; he/she needs to be well versed in identity theft and privacy laws. This being said, the smoking gun and its evidence usually can be found in the suspects’ emails, internet history, documents, or other files relevant to the crime.

Brief Overlook of Data Gathering and Commercial Use

Computer Forensics Investigators gather and preserve evidence from a computer device with investigative and analytical techniques for presentation in a court of law. Following the chain of evidence, just like in a murder mystery, to find who was responsible. Furthermore, these set of procedures isolate the devices in question to make sure the storage media is not contaminated intentionally or accidentally.

The original media is copied bit by bit, creating an identical digital “image” of the data while maintaining its original condition while the investigation is done on the digital copy. The investigators use various techniques and software to examine the copy, searching hidden folders and deleted, encrypted, or damaged files. Evidence found is documented within an Investigative Report, which is then verified on the original device.

Outside of law enforcement, Computer Forensics is used commercially to assist with a variety of circumstances such as:

  • Intellectual Property theft
  • Employment disputes
  • Invoice fraud often enabled by phishing emails
  • Forgeries
  • Inappropriate email and internet use in the workplace
  • Regulatory compliance

Computer Forensics Issues: Technical and Legal

Technical issues

Encryption–encrypted data makes it impossible to view without the correct key or password. When encryption is present, the examiner may need to make a ‘live acquisition.’ A live acquisition runs an application on a suspect computer to acquire data to the examiner’s data repository, such as a USB drive making changes to the original. Usually, making any changes to the original digital copy is not a forensic best practice, but it is often necessary to collect protected data. As long as the examiner can show his actions were necessary to divulge the consequences of evidence, it will still be admissible in a court of law.

Increasing storage space–Analysis systems require sufficient processing power and available storage capacity to search data efficiently.

New technologies–with evolving technology in hardware, software, and operating systems, no single examiner can be an expert in all. Therefore, it is crucial for computer forensic examiners to network and share knowledge with others in the field.

Anti-forensics– the practice of attempting to thwart computer forensic analysis – through encryption, over-writing data to make it unrecoverable, modifying files’ metadata, and file obfuscation (disguising files).

Legal issues

Legislative domains – Since data is often stored remotely on the ‘cloud,’ it may be in a different country and subject to conflicting laws and regulations, complicating legal acquisition and making it more expensive to collect.

Legal arguments – Legal issues can confuse or distract from a computer examiner’s findings. One example of this is the ‘Trojan Defense.’ A Trojan is a piece of computer code disguised as something benign but has a hidden and malicious purpose. Trojans have many uses, including key-logging, up/downloading files, and installing viruses.

A lawyer may argue that a user did not carry out actions on a computer but instead automated by a Trojan without the user’s knowledge. In such cases, a competent opposing lawyer supplied with evidence from a qualified computer forensic analyst should be able to dismiss the argument. A good examiner will have identified and addressed possible arguments from the opposing counsel during their report’s analysis and writing stages.


This article will try to give you a brief perspective of what computer forensics examiners do and how they use and gather the data, and briefly go over some of the issues involved. For more information and definitions, please see forensic control. Computer Forensics examiners can be in an attorney’s arsenal in gathering evidence to present in court. Do you have your go-to-investigator, and is his expertise court-worthy?