Computer Forensics

Computer forensics has become more apparent with the exponential increase in the number of cybercrimes and litigations in which large organizations are involved. It has become a necessity for organizations to either employ the services of a computer forensic agency or hire a computer forensic expert in order to protect the organization from computer incidents or solve cases involving the use of computers and related technologies.

It is commonly defined as the identification, extraction, preservation, interpretation and documentation of computer evidence, incorporating the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing an expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.


The overall objective is to detect a computer incident, identify the intruder, and prosecute the perpetrator in a court of law. With an increase in computer crime incidents, ranging from theft of intellectual property to cyber terrorism, the objectives of computer crimes are becoming more pervasive in nature.

The main objectives of computer forensics can be summarized as follows:

• To recover, analyze, and preserve the computer and related materials in a manner that can be presented as evidence in a court of law

• To identify the evidence in a short amount of time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator


The methodologies involved in computer forensics may differ depending upon the procedures, resources, and Target Company.

Essentially, computer forensic methodologies consist of the following basic activities:

• Preservation: To preserve the integrity of the original evidence. The original evidence should not be modified or damaged. The forensic examiner must make an image or a copy of the original evidence and then perform the analysis on that image or copy. The examiner must also compare the copy with the original evidence to identify any modifications or damage.

• Identification: Before starting the investigation, the forensic examiner must identify the evidence and its location. For example, evidence may be contained in hard disks, removable media, or log files. Locating and identifying information and data is a challenge for the digital forensic activities. Several examination processes such as keyword searches, log file analyses, and system checks are common tactics to achieve this goal.

• Extraction: To identify the evidence, the examiner must extract data from it. Since volatile data can be lost at any point, the forensic investigator must extract this data from the copy made from the original evidence. This extracted data must be compared with the original evidence and analyzed.

• Interpretation: Understand and interpret what it has actually found. The analysis and inspection of the evidence must be interpreted in a lucid manner.

• Documentation: From the beginning of the investigation until the end when the evidence is presented before a court of law, forensic examiners must maintain documentation relating to the evidence. The documentation comprises the chain of custody form and documents remaining to the evidence analysis.


Field of Expertise

Our consultants will provide you with specific solutions tailored to fit your business requirements. We will very gladly attend to your questions. For more detailed information, please contact us.