The use of computer forensics continues to play an ever-increasing role in the discovery and recovery of electronic evidence in both civil and criminal matters. With the growing reliance on electronic information for business and personal use, electronically stored information (ESI) is becoming more critical and relevant as evidence in our legal system and during internal investigations.
Both active and deleted data stored on electronic media are processed during a forensic investigation. Active data is data that is currently accessible to a person using the computer or device. Some of this data may be hidden by the operating system or displayed in a hard-to-read format, but it is still readily available. Most deleted data, whether deleted by the user or the operating system, may still physically reside on the device. Through the use of specialized forensic software and hardware, this information can likely be recovered and analyzed.
The forensic process begins with ensuring that a proper chain of custody is maintained for all evidence. This includes recording detailed documentation related to the collection and acquisition of electronic media in a forensically sound manner.