The Computer Forensics Process

Computer forensics is a term used to describe the processes applied in the course of a criminal investigation. On most occasions, detectives are required to follow a specified code of conduct, which calls on them to preserve, identify, extract, interpret, and document all proof available on computer devices. This implies that the practice can be approached from different angles and is not restricted to a single procedure (Nelson, Phillips & Steuart, 2009).

From a layman’s perspective, the concept can be defined as the scrutiny of information present in, and produced by, computer systems, most often done with the purpose of establishing what happened, when and where it happened, and who was responsible. It should be noted that recovered data may not be interpretable by average users of computer devices. Recovered data are diverse in nature, including erased files and fragments left in the space allocated to stored files. Since it is a complicated process, a unique set of tools and skills is required to retrieve the information. It should be noted that the process was initially carried out as a reaction to specific events (Nelson, Phillips & Steuart, 2009). This has changed, and the process is now carried out on a continuous basis while monitoring electronic media.

Before the process is analyzed, it should be noted that three types of data are handled: active data, latent data, and archival data. Active data refer to easily obtainable information that is visible to the user, such as ordinary files, the drivers on which the operating system depends, and other records. Latent data can only be accessed with special tools, because the term refers to data that have been erased or partially overwritten. Lastly, data that have been stored on separate storage media are referred to as archival data; such media include archive tapes, computer drives (both hard and floppy drives), computer disks, and much more.
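To make the distinction between active and latent data concrete, the following added example (not drawn from the cited textbook) carves deleted image fragments out of a raw disk image. The image is a constructed byte string: the text file is still listed in the directory (active data), while the JPEG and PNG have been "deleted" but their bytes remain in unallocated space (latent data) until they are overwritten. The carver looks only for well-known file header and footer signatures; the signature table and the sample image are assumptions of this example.

```python
"""Carving latent (deleted) file fragments out of a raw image.

Added example; the 'disk image' is a constructed byte string, not real evidence.
A deleted file loses its directory entry, but its bytes stay in unallocated
space until reused, so a scan for known signatures can recover it.
"""

# (label, header magic, footer magic) for two common image formats.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]


def carve(image: bytes):
    """Return (label, offset, bytes) for every header..footer pair found."""
    found = []
    for label, header, footer in SIGNATURES:
        start = 0
        while True:
            head = image.find(header, start)
            if head == -1:
                break
            foot = image.find(footer, head + len(header))
            if foot == -1:
                break  # truncated fragment: header without footer
            end = foot + len(footer)
            found.append((label, head, image[head:end]))
            start = end
    found.sort(key=lambda item: item[1])  # report in on-disk order
    return found


# Constructed sample image: one active text file plus two deleted pictures.
ACTIVE_FILE = b"ACTIVE: quarterly report.txt still listed in the directory\n"
DELETED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF<constructed pixel data>\xff\xd9"
DELETED_PNG = b"\x89PNG\r\n\x1a\n<constructed chunks>IEND\xae\x42\x60\x82"
SLACK = b"\x00" * 32


def build_sample_image() -> bytes:
    return ACTIVE_FILE + SLACK + DELETED_JPEG + SLACK + DELETED_PNG + SLACK


if __name__ == "__main__":
    for label, offset, data in carve(build_sample_image()):
        print(f"{label} fragment at offset {offset}, {len(data)} bytes")
```

A real carver would also validate the recovered bytes (for example, by parsing the PNG chunk lengths) to reject false positives, since a footer signature can occur by chance in unrelated data.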

On all occasions, forensic investigations should be undertaken by trained specialists. While the process is ongoing, only licensed tools may be used. This preserves the legitimacy of the evidence, thereby maintaining its admissibility in a court of law. First, the location of all items involved in the process is determined. This facilitates the creation of a chain of custody to ensure the safety of the materials.

A register of all the relevant information is then compiled. All forms of data may be included in this inventory. Every possible effort is made to recover erased information. Encrypted data sets are also flagged, as are all materials and procedures intended to conceal data (Nelson, Phillips & Steuart, 2009). It should be noted that operations are structured so as to preserve the integrity of the original data as far as possible. This is achieved by duplicating the original data and verifying the duplicate against the original data source.
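The duplication-and-verification step, together with the chain of custody from the previous paragraph, is shown in the following added example (not code from the cited textbook). The "device" is a constructed byte string standing in for a drive read through a write blocker, the copy step stands in for an imaging tool such as dd, and the examiner name and item labels are assumptions. Both the source and the image are hashed, the hashes are written to a custody log, and the image is re-hashed before analysis so that any later change is detected.

```python
"""Forensic acquisition: duplicate the evidence, hash both sides, log custody.

Added example; the device contents are constructed, not real evidence.
In practice the source is read through a hardware write blocker and the
image is produced by an imaging tool; here bytes() stands in for that copy.
"""
import hashlib
from datetime import datetime, timezone

ALGORITHM = "sha256"


def digest(data: bytes) -> str:
    return hashlib.new(ALGORITHM, data).hexdigest()


class CustodyLog:
    """Append-only record of who did what to which item, with its hash."""

    def __init__(self):
        self.entries = []

    def record(self, actor: str, action: str, item: str, fingerprint: str):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "item": item,
            ALGORITHM: fingerprint,
        })


def acquire(device: bytes, examiner: str, log: CustodyLog) -> bytes:
    """Make a bit-for-bit copy and prove it matches the original source."""
    source_hash = digest(device)
    log.record(examiner, "hash original", "device-01", source_hash)
    image = bytes(device)  # stand-in for the imaging tool's output file
    image_hash = digest(image)
    log.record(examiner, "acquire image", "device-01.dd", image_hash)
    if image_hash != source_hash:
        raise RuntimeError("image does not match source; repeat the acquisition")
    return image


def verify(image: bytes, log: CustodyLog) -> bool:
    """Re-hash before analysis; a mismatch with the acquisition record breaks the chain."""
    expected = next(e[ALGORITHM] for e in log.entries if e["action"] == "acquire image")
    return digest(image) == expected


# Constructed evidence: a fake boot sector followed by filler.
DEVICE = b"constructed evidence: boot sector\x00\x00" + b"\xde\xad\xbe\xef" * 16


if __name__ == "__main__":
    log = CustodyLog()
    image = acquire(DEVICE, "examiner A", log)
    print("image verified:", verify(image, log))
    tampered = image[:-1] + b"\x00"
    print("tampered copy verified:", verify(tampered, log))
    for entry in log.entries:
        print(entry)
```

Analysis is then performed on the verified image, never on the original device, and the log is re-checked each time the image changes hands.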

The third step entails sourcing other data as the circumstances require. A number of starting points can be used to establish accurate information, for example proxy and firewall registers and sign-in logs, among others. This heralds a fourth stage, in which the data are studied and deciphered to identify possible evidence. It should be noted that both exculpatory and inculpatory evidence are admitted and studied. In extreme cases, password-protected and other encrypted files are cracked to find more information.

In the fifth stage of the process, the client is issued a written report detailing the findings and other relevant comments from the investigator. This is closely related to the sixth and last stage, in which the investigator testifies at trial as an expert witness. This stage may be unnecessary if legal avenues are not pursued by any of the parties involved (Nelson, Phillips & Steuart, 2009).

Nearest Regional Computer Forensics Laboratory and courses offered

As a native of Michigan, the nearest computer forensics laboratory to me is the Chicago-based facility. It counts among the facilities receiving congressional funding and has been placed under the local FBI office. It was a logical choice since the city is centrally located and has a large office of the investigation bureau, which has an active department dedicated to combating cybercrime. It is notable that this lab is mainly focused on combating cybercrime. Other services offered include analysis of evidence from digital devices, including MP3 players, cell phones, and video cameras, among others. It has been reported that the mentioned items are often used in the course of crime perpetration. Some of these crimes include fraud, theft of intellectual property, and underage pornography (Regional Computer Forensics laboratory, 2010).

The facility also provides training to citizens across the entire Midwest on acceptable methods of handling digital evidence and seizing computers. It should be noted that this training is reserved for law enforcement agents interested in pursuing it. Among the courses on offer are processing digital evidence, training on image scanning, decrypting data using forensic toolkits, and Internet forensics using a toolkit, among many more (Regional Computer Forensics laboratory, 2010).

All in all, it should be noted that authorities take up forensic practices in a bid to obtain proof of misbehavior or disobedience to the law. The practice targets the retrieval of proof of the abuse of computers in ways that could result in the arrest of the offenders.

References
Nelson, B., Phillips, A. & Steuart, C. (2009). Guide to Computer Forensics and Investigations. New Jersey, NJ: Cengage Learning.

Regional Computer Forensics laboratory. (2010). Available Training Courses. Chicago RCFL. Web.