What Is Computer Forensics and Forensic Recovery of Electronic Evidence?

National Police Training
June 15, 2012 — 1,312 views  
Become a Bronze Member for monthly eNewsletter, articles, and white papers.

In criminal cases, evidence needs to be meticulously collected and categorized in order to ensure the greatest possible accuracy when it comes to hypothesizing how the crime was committed. In the past, this meant DNA sample bags, fingerprint dust and other collection devices. However, the rise of the internet and electronic crime has prompted the formation of an entirely new field of crime documentation - computer forensics.

Large corporations base their electronic infrastructure on information systems and networks, and they also store private information on physical or cloud servers. This could be anything from bank statements to email correspondence. This is a high-level target for hackers and other cyber criminals, and is usually secured through a series of firewalls and encryptions. In addition, this can be difficult for the prosecution to procure in a criminal setting, because electronic evidence may have been deleted or hidden in extensive sub-directories and folders.

This is part of the reason metadata is so important. Any network administrator or IT professional should be familiar with this concept. Law enforcement officials must also be aware of their ability to request metadata files during evidence collection.

In its most basic form, metadata essentially describes a different file in a short, concise summary. For example, consider a JPEG file that was created in Microsoft Paint. The metadata tag associated with this image would contain information on hard drive space, the color range and the image resolution, along with user statistics like when it was created and which username logged the entry.

Law enforcement personnel who wish to extract metadata from a hard drive or cloud server must be aware of their legal restrictions - namely, that they have none. The National Institute of Justice (NIJ) calls metadata the "DNA" of electronic evidence because every computer has it, and therefore any investigator has a right to access it.

As it is possible to have "meta-metadata" (information about metadata itself), forensic analysts might need certain tools to piece together all of the evidence. The NIJ offers several software programs designed to extract metadata from critical files.

For instance, the Enhanced Metadata Analysis Tool allows users to initiate a text query rather than visually comparing each individual piece of metadata. This could be incredibly useful when searching thousands of JPEG images or other massive databases.

National Police Training