Computer Forensics Defined

The term "Computer Forensics" was coined back in 1991 in the first training session held by the International Association of Computer Specialists (IACIS) in Portland, Oregon. Since then, computer forensics has become a popular topic in computer security circles and in the legal community. Like any other forensic science, computer forensics deals with the application of law to a science. In this case, the science involved is computer science, and some refer to it as Forensic Computer Science. Computer forensics has also been described as the autopsy of a computer hard disk drive, because specialized software tools and techniques are required to analyze, after the fact, the various levels at which computer data is stored.

Computer Forensics deals with the preservation, identification, extraction and documentation of computer evidence. The field is relatively new to the private sector, but it has been the mainstay of technology-related investigations and intelligence gathering in law enforcement and military agencies since the mid-1980s. Like any other forensic science, computer forensics involves the use of sophisticated technology tools and procedures, which must be followed to guarantee the accuracy of the preservation of evidence and the accuracy of results concerning computer evidence processing. Typically, computer forensic tools exist in the form of computer software. Computer forensic specialists guarantee the accuracy of evidence processing results through the use of time-tested evidence processing procedures and through the use of multiple software tools, developed by separate and independent developers. Using different, independently developed tools to validate results is important to avoid inaccuracies introduced by potential software design flaws and software bugs. NTI's computer evidence processing tools were intentionally developed by separate in-house software developers to deal with these potential problems, because the accuracy of the results is extremely important. It is a serious mistake for a computer forensics specialist to put "all of their eggs in one basket" by using just one tool to preserve, identify, extract and validate the computer evidence. Cross validation through the use of multiple tools and techniques is standard in all forensic sciences. When this procedure is not used, it creates advantages for defense lawyers, who may challenge the accuracy of the software tool used and thus the integrity of the results. Validation through the use of multiple software tools, computer specialists and procedures eliminates the potential.
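The cross-validation step described above can be sketched as a reconciliation of two tools' hash manifests. This is an added example, not NTI code or part of the original page; the file names, the contents and the CSV layout of the second tool are constructed assumptions, while the first manifest uses the `sha256sum` line format.

```python
import csv
import hashlib
import io

# Constructed evidence set standing in for files extracted from a disk image.
EVIDENCE = {
    "docs/ledger.xls": b"constructed spreadsheet bytes",
    "mail/inbox.pst": b"constructed mailbox bytes",
    "tmp/~wrl0003.tmp": b"constructed temp file bytes",
}

def _h(data):
    return hashlib.sha256(data).hexdigest()

# Tool A manifest: sha256sum format, "<hex>", a space, a mode character, "<path>".
TOOL_A = "\n".join(f"{_h(d)}  {p}" for p, d in EVIDENCE.items())

# Tool B manifest: hypothetical CSV. It disagrees on one file and misses another.
TOOL_B = "path,sha256\n" + "\n".join([
    f"docs/ledger.xls,{_h(EVIDENCE['docs/ledger.xls']).upper()}",
    f"mail/inbox.pst,{_h(b'different bytes')}",
])

def parse_sha256sum(text):
    out = {}
    for line in filter(str.strip, text.splitlines()):
        digest, _, rest = line.partition(" ")
        out[rest[1:]] = digest.lower()  # rest[0] is ' ' (text) or '*' (binary)
    return out

def parse_csv(text):
    rows = csv.DictReader(io.StringIO(text))
    return {r["path"]: r["sha256"].lower() for r in rows}

def cross_validate(a, b):
    """Sort every path into agree / mismatch / seen by only one tool."""
    report = {"agree": [], "mismatch": [], "only_a": [], "only_b": []}
    for path in sorted(set(a) | set(b)):
        if path not in b:
            report["only_a"].append(path)
        elif path not in a:
            report["only_b"].append(path)
        else:
            key = "agree" if a[path] == b[path] else "mismatch"
            report[key].append(path)
    return report

def validated(report):
    # Results count as cross-validated only when nothing is left to explain.
    return not (report["mismatch"] or report["only_a"] or report["only_b"])

REPORT = cross_validate(parse_sha256sum(TOOL_A), parse_csv(TOOL_B))
```

Any path outside `agree` is a discrepancy to resolve and document before the results are relied on.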

The founders of NTI were essentially responsible for making computer forensics training courses and software tools available to non-law enforcement government agencies and Fortune 500 corporations and other businesses in 1996. They were also responsible for the creation of the first computer SCERS training courses at the Federal Law Enforcement Training Center (FLETC) at Glynco, Georgia in 1989 and the original computer forensics training and certification programs for The International Association of Computer Investigation Specialists (IACIS) in 1990.

The introduction of the personal computer in 1981 and its resulting popularity were a mixed blessing. Society in general benefitted, but so did criminals who use personal computers in the commission of crimes. Today, personal computers are used in every facet of society to create and share messages, compute financial results, transfer funds, purchase stocks, make airline reservations, and access bank accounts and a wealth of worldwide information on essentially any topic. Computer forensics is used to identify evidence when personal computers are used in the commission of crimes or in the abuse of company policies. Computer forensic tools and procedures are also used to identify computer security weaknesses and the leakage of sensitive computer data. In the past, documentary evidence was typically stored on paper, and copies were made with carbon paper or photocopy machines. Most documents are now stored on computer hard disk drives, floppy diskettes, zip disks and other forms of removable computer storage media. Computer forensics deals with finding, extracting and documenting this form of 'electronic' documentary evidence.