Data recovery aids police investigations. Demand for electronic evidence is growing, and such evidence is increasingly accepted in courtrooms. Criminals who use computers frequently leave evidence on those computers rather than on paper. For example:
- The theft and sale of sensitive data by an employee is carried out entirely through computers.
- Criminals keep their diaries on computers. Analysis of the hard disk reveals the workings of their minds.
- Computers are used to launch attacks on computer networks, destroy data and bring businesses to a crippling halt.
- Terrorists' attack plans are stored on personal computers, and news of an attack is first revealed on the internet.
Gathering the evidence that leads to the solving of criminal cases is the work of computer forensic analysts. These analysts acquire data from computer media, preserve and analyse it, and present the facts.
Information Available on the Computer
There are different kinds of information available on a computer: known, unknown and hidden.
The open or known information is user-generated data such as files, graphics and documents, along with user application software such as spreadsheets and word processors. This easily available data is analysed first. But what actually interests the forensic analyst is the files that have been deleted. The mere act of deletion raises suspicion. The user is unaware that this information still exists, though it remains on the computer until fresh data is written over it.
Sometimes data is deliberately hidden by encrypting it. When investigators come across such data, they use the services of an expert in cryptography. But if the encrypted data is difficult to access, the court can order the suspect to make the encryption key available.
Working of Computer Forensic Analysts
Computer forensic scientists first analyse the situation. This analysis is required to define the scope of their investigation. Forensic specialists are asked to recover emails, passwords and files.
It is always possible to retrieve emails sent months back, because many copies of an email are made at every stage of its transit between sender and receiver. But reading emails accumulated over months or years is a voluminous task. To make their investigation more effective, computer forensic scientists analyse the situation and obtain clear and specific knowledge of the case details and information.
After analysing the situation, they concentrate on acquiring the data. Data is acquired with care: evidence might be lost if the power is switched off. Every act of acquiring and analysing the data is clearly documented by recording the time and date of recovery and having the record signed by the investigating officers. This documentation is necessary because computer forensic analysts are often called to defend their findings in court. Another issue of great importance is the preservation of the acquired data. It is vital that the acquired data is not changed in any manner. A mirror copy of the hard drive is created and checked to ensure that it is accurate.
The third step is analysing the acquired data. Data analysis is never attempted on the original.
Finally, computer forensic analysts present their findings in a logical sequence. Analysts do not make suggestions; they restrict themselves to presenting the case and certifying that the facts are authentic.
The acquisition, analysis and presentation of facts lead to the solving of the case. Once the facts are no longer relevant, they are destroyed, because the recovered data is often sensitive.
Computers have largely replaced paper. Users leave behind a wealth of information stored on them. They believe that deleting confidential information wipes it out completely. They are unaware that it still exists on the computer and can be easily retrieved.
The information that can be reclaimed is analysed and the facts are presented. Evidence thus garnered helps police solve many cases.
The importance of data recovery in forensic investigation is growing by the day. The only factor limiting its growth is the shortage of skilled personnel.