THE RECOVERY OF FILES – COMPUTER FORENSICS

You’ve deleted a file on your computer. Do you think no one will ever find it? If you do, you are wrong, very wrong. The fact is, when you delete that file, you may never see it again, but the file still exists on the electronic media.

When a file is deleted, the initial process which occurs is that the first character of the file is changed in order to classify the file as deleted. At this point, the file is not accessible by the user. What happens from this point will vary depending on the location of the file. The file may exist in one form within one cluster of the media or it can be separated among multiple clusters on the media.

Whether the file can be recovered forensically in a complete or partial state depends on whether other data has been written to the cluster or group of clusters that the deleted file occupies. This information is usually retrieved by a trained computer forensic specialist.
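
The deletion and recovery behaviour described above, sketched as an added example that is not part of the original article. It assumes a FAT file system, where the changed first character is the first byte of the name in the 32-byte directory entry (set to 0xE5); the tiny volume, the 8-byte cluster size and all file names are constructed.

```python
import struct

DELETED = 0xE5  # FAT overwrites the first byte of the name with this on deletion
CLUSTER = 8     # bytes per cluster (tiny constructed value for the demo)
ENTRY = struct.Struct("<11sB8xHHHHI")  # 32-byte FAT short-name directory entry

def make_entry(name, first_cluster, size, deleted=False):
    """Build a constructed directory entry; name is the 11-char 8.3 form."""
    raw = bytearray(name.encode("ascii").ljust(11))
    if deleted:
        raw[0] = DELETED
    return ENTRY.pack(bytes(raw), 0x20, first_cluster >> 16, 0, 0,
                      first_cluster & 0xFFFF, size)

def recover_deleted(directory, fat, data):
    """Return (name, state, recovered_bytes) for every deleted entry.
    fat[n] == 0 means cluster n is free. Deletion clears the cluster chain,
    so clusters are assumed contiguous from the first one (a heuristic)."""
    results = []
    for off in range(0, len(directory), ENTRY.size):
        name, _attr, hi, _t, _d, lo, size = ENTRY.unpack_from(directory, off)
        if name[0] == 0x00:          # end-of-directory marker
            break
        if name[0] != DELETED:       # live file, nothing to recover
            continue
        first = (hi << 16) | lo
        needed = -(-size // CLUSTER)  # ceiling division
        intact = 0                    # leading clusters not reallocated
        while intact < needed and first + intact < len(fat) and fat[first + intact] == 0:
            intact += 1
        start = (first - 2) * CLUSTER  # data area begins at cluster 2
        content = data[start:start + min(size, intact * CLUSTER)]
        state = "complete" if intact == needed else "partial" if intact else "overwritten"
        label = "?" + name[1:8].decode("ascii").rstrip() + "." + name[8:].decode("ascii").rstrip()
        results.append((label, state, content))
    return results

# Constructed sample volume: clusters 2-5, with cluster 5 reused by a live file.
SAMPLE_DIR = (make_entry("NOTES   TXT", 2, 12, deleted=True)
              + make_entry("PLAN    DOC", 4, 16, deleted=True)
              + make_entry("NEW     BIN", 5, 8)
              + make_entry("OLD     LOG", 5, 8, deleted=True)
              + bytes(32))
SAMPLE_FAT = [0xFF8, 0xFFF, 0, 0, 0, 0xFFF]
SAMPLE_DATA = b"meeting at 9\x00\x00\x00\x00budget: XXXXXXXX"

if __name__ == "__main__":
    print(*recover_deleted(SAMPLE_DIR, SAMPLE_FAT, SAMPLE_DATA), sep="\n")
```

A cluster that is free now may still have been overwritten and released again, so a "complete" result here is a candidate that the examiner still has to verify against the content.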

So, what exactly is computer forensics?

The definition of computer forensics is the technological, systematic inspection of the computer system and/or its contents for evidence or supportive evidence of a crime or other computer use that is being investigated. Computer forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel.

The process of analyzing these files can be a very long, tedious process, as most hard drives can have tens of thousands of files. A trained examiner will spend hours and days poring through file after file in order to determine its value in the case. Sometimes, however, examiners will focus on merely recovering the data and presenting the data to the client/investigator. In this regard the examiner is merely doing a dump of the data on the media without any thought or consideration to what the client/investigator has asked for or what they actually need. There is a difference between an examiner who merely recovers and provides data and an examiner who actually examines the data and draws sound, appropriate conclusions about the data or activity of the user.

A properly trained forensic specialist will always look beyond what is reported, will test and verify the accuracy of what the software reports, and will use the appropriate tools for the examination at hand.