Computer Forensics The field of computer forensics was developed primarily by the police to investigate drug and financial crimes. It employs strict protocols to gather information on a wide variety of electronic devices, using legal procedures to locate the deleted files and hidden information.
Computer forensics tasks include capturing all the information on a specific electronic device using either a technical or legal copy by making an image of all or part of the apparatus. A legal copy provides an exact copy of hard drive or storage device. None of metadata, including the last access date is changed from the original. However, the copy is a liveversion, to access data on the copy, even just to see what is there, can change the meta-sensitive data.
However, what makes an image of judicial information required is an envelope of electronic protection around the entire collection. The collection can be accessed with special software, and documents can be opened, extracted from the collection, and examined without modifying the files or their metadata.
Other forensic tasks include the location and access to deleted files, searching for partial files, tracking Internet history, cracking passwords and detection information located in the game or unallocated space . Slack space is the area at the end of a specific cluster on a hard drive that contains no data, unallocated space contains the remains of files that were deleted but not erased from the camera as deletion simply removes the pointer to the location of a specific file on a hard disk, not the file itself.
Electronic Discovery
electronic discovery has its roots in the support area of civil litigation and deals with the organization of electronic files using their metadata attached. Due to the large volume encountered, these files are usually incorporated into a retrieval system to allow the litigation review and production in an easy methodology. Legal principles of data management are used, including the drafting rules and methods of production.
electronic discovery tasks typically begin after the files are captured. metadata file is used to organize and break down the collections. Documents may be examined in their native format or converted to TIF or PDF images to allow for easy editing and production.
Common capabilities, different philosophies
computer forensics and electronic discovery methods share some common capabilities. The first is the ability to produce an inventory of the collection, allowing reviewers to quickly see what is present. Another is the ability to determine a common time zone to standardize date and time through a collection of stamps. Without this standardization, a response by e-mail may appear to have been created before the original e-mail.