How to Collect and Analyze Data in Computer Forensics

¶ … burgeoning field of computer or digital forensics has multiple applications. As Carroll, Brannon & Song (2008a) point out, the two primary functions of computer forensics include data extraction and data analysis. As with other areas of forensics, methodologies in computer forensics include scientific methods of data collection, data preservation, and data analysis with ultimate goals of documentation or presentation in accordance with the needs and demands of the investigative team.

Although computer forensics is relatively new compared to other branches of the field, the methods whereby digital data can be collected and analyzed are systematic to ensure accuracy and validity. Computer forensics experts should become familiar with the latest operating systems for the purposes of data collection and preservation. For example, Carroll, Brannon & Song (2008b) note that Microsoft Vista's BitLocker provides encryption storage, which has direct ramifications on data extraction and collection by law enforcement.

It is also critical that forensics experts become cognizant of the legal protections provided to users and the subsequent legal constraints on data extraction from personal devices. Case law studies on computer forensics highlight some of the core constraints on data collection and its use in courts of law. Littlefield (2008), for example, presents transcriptions of witness interviews in which the process of data extraction and analysis depends on verbal corroboration from the witness. This type of procedures helps the data become more robust.

Researchers highlight the importance of regular training and updating of skills in using various operating systems and understanding system architectures to maximize the efficiency and accuracy of forensics procedures. It may be far preferable to engage a team of highly trained law enforcement personnel than to call upon outsiders and consultants for use in trials (Littlefield, 2008).

Case studies reveal the importance of taking into account different overlapping variables including where the files are located, when they were last created, edited, or saved, and how to access a computer's virtual memory for especially sensitive data. Carroll, Brannon & Song (2008) point out some of the problems inherent in analyzing and collecting large amounts of data, such as at the enterprise level. Copies of data must be made in accordance with chain of custody rules.

Forensics experts should never, according to Carroll, Brannon & Song (2008), except in extreme circumstances, work with the original copies of the material in order to preserve their integrity and maximize their potential use in court. Some of the core difficulties with working cases from large organizations or with large data sets is the way that information was created in the first place. Multiple users, using multiple machines, and various applications in the same project complicate the issue and can make the work of computer forensics especially challenging.

However, with effective indexing and other tools and techniques, forensics computer scientists can maximize the utility of large data sets. Effective data sorting and logging are also important to ensure the validity and reliability of forensic computer evidence. Moreover, researchers are pointing out the efficacy of different search algorithms and query functions that can help researchers extract the meat of the data they seek.

Forensic imaging is defined as "the process used to obtain a bit-for-bit copy of the data residing on the original electronic media obtained by law enforcement," (Newby & Carroll, 2008, p. 61). Using forensic imaging can enhance best practices in but also raises concerns about the accuracy.