Before the invention of the personal computer, not so long ago, computer forensic evidence was unheard of. Evidence was primarily limited to paper documents, where copies were made with carbon paper or on a copy machine. The invention of the computer has given criminals vast new avenues for committing crimes, such as corporate espionage, embezzlement, financial and record-keeping fraud, sexual harassment, misappropriation of trade secrets and so on.


Computers are now used in every aspect of life, from creating e-mail messages, to accessing bank accounts, to browsing the Internet. People use computers for all sorts of purposes, both good and bad.


Computers offer superior processing speeds along with high-speed Internet access. They have greatly increased productivity in businesses, but they also increase the likelihood of company policy abuses, theft of trade secrets, copyright violations and government security breaches, and they have created a whole new category of criminal activity, which in turn gave rise to the Computer Forensic Investigator.


Computer forensic evidence presents unique and challenging situations for the Forensic Investigator. In addition to ensuring that the chain of evidence is maintained, the Forensic Investigator is required to have a sound knowledge of computers, computer components, and computer-related equipment that could hold evidence. The Forensic Investigator is also required to have comprehensive knowledge of all types of computer evidence recovery techniques that are forensically sound.


Computer-related evidence can be found not just on the computer itself but on many other types of storage media. Examples: hard and floppy drives, removable hard drives, tape drives, CD-ROM/DVD and optical drives, pen drives, and the list goes on and on.


The evidence files can be in plain view, or they can be deceptively modified, hidden, compressed, encrypted, deleted, or partially erased. In short, the Forensic Investigator needs to be technically prepared and aware of the different types of evidence and the methods to employ in overcoming the conditions encountered.


Before performing any investigation on possible evidence, a Forensic Investigator will make a forensically acceptable mirror image backup of the media (hard drive, floppy, removable drives, etc.). The forensic mirror image backup copies each sector of the original media, including data that is hidden, partially erased or encrypted, and all of the unused space. Such data recovery provides a wealth of information, because the data in unused space is usually beyond the reach and knowledge of most computer users. This data is difficult to obtain and easily destroyed without specialized computer forensics knowledge and the proper computer forensics software tools. Making a mirror backup is simple in theory, but the accuracy of the backup must meet forensic standards. Accuracy is essential, and to guarantee it, forensic backup programs rely upon mathematical CRC computations in the validation process. These computations use the 128-bit MD5 algorithm, which produces a 128-bit authenticator value that is more unique to that specific data than a fingerprint is to a specific individual. An MD5 checksum verifies data integrity by running the hash operation over the original source evidence data and over the forensic mirror image data that was created, and then comparing the two values. If the two values match, this indicates that the data has not been altered or tampered with, and its integrity may be trusted.
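The sector-by-sector imaging and hash verification described above, as an added illustration that is not code from the original article or from any forensic tool it refers to. The "media" is a constructed four-sector byte string (a live file, a deleted file whose data is still on disk, and two unused sectors); the sector size and the file names inside it are assumptions. It shows why a bit-for-bit image verifies against the original while an ordinary file-level copy does not, and computes SHA-256 alongside the MD5 the article describes, since MD5 collisions are practical today and modern practice records both digests.

```python
import hashlib
import io
from typing import BinaryIO

SECTOR = 512  # assumed sector size for the constructed medium


def build_sample_media() -> bytes:
    """Constructed stand-in for a small storage device (not a real image).

    Sector 0: a live file.  Sector 1: a file the user 'deleted' (its
    directory entry is gone but the data remains).  Sectors 2-3: unused
    space.  A forensic mirror image must capture all four sectors.
    """
    live = b"report.txt: Q3 revenue 1.2M".ljust(SECTOR, b"\x00")
    deleted = b"old_draft.txt: Q3 revenue 0.9M".ljust(SECTOR, b"\x00")
    unused = b"\x00" * (2 * SECTOR)
    return live + deleted + unused


def compute_hashes(stream: BinaryIO, chunk_size: int = 64 * 1024) -> dict:
    """Hash a stream in fixed-size chunks so large media never sit in RAM.

    MD5 is what the article describes; SHA-256 is computed alongside it
    because MD5 collisions are practical and current practice records both.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_bytes(data: bytes) -> dict:
    """Convenience wrapper for in-memory data (a real case would open a device)."""
    return compute_hashes(io.BytesIO(data))


def sector_image(source: bytes) -> bytes:
    """Bit-for-bit copy: every sector, including deleted data and unused space."""
    src = io.BytesIO(source)
    out = io.BytesIO()
    while True:
        sector = src.read(SECTOR)
        if not sector:
            break
        out.write(sector)
    return out.getvalue()


def logical_copy(source: bytes) -> bytes:
    """File-level copy, as an ordinary backup makes: only the live file is
    copied, so deleted data and unused space are lost and the hash cannot match."""
    return source[:SECTOR]


def verify_image(source: bytes, image: bytes) -> dict:
    """Hash original and image independently and compare the digests."""
    src_h = hash_bytes(source)
    img_h = hash_bytes(image)
    match = src_h["md5"] == img_h["md5"] and src_h["sha256"] == img_h["sha256"]
    return {"source": src_h, "image": img_h, "match": match}


if __name__ == "__main__":
    media = build_sample_media()
    good = verify_image(media, sector_image(media))
    bad = verify_image(media, logical_copy(media))
    print("sector image verified:", good["match"], good["image"]["md5"])
    print("logical copy verified: ", bad["match"])
```

In practice `compute_hashes` would be fed the raw device on one side and the image file on the other, and the two digests would be recorded in the case notes before any analysis starts, so that the image can be re-verified at any later point in the chain of custody.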


The Forensic Investigator will restore this backup onto a forensic lab computer for analysis, while the original evidence is secured away and the chain of custody is maintained.


There are many different types of information recovery in which the forensic investigator gets involved. The following is just a short listing: