ForenSec, Ltd.
Veritas Vincit. Truth Conquers.

What is Computer Forensics?

Myth: Delete means delete.

Reality: Many computer users believe that deleting a file on a computer workstation purges it from the computer. This is rarely true. Hitting the delete button may remove the file from view, but the data remains intact, and is often recoverable, for a period of time. Even emptying the recycle bin or trash does not purge the data. Files deleted by the user are merely marked by the operating system (Windows, macOS, Linux, etc.) as deleted, but the data itself persists.

In a library, cards in a card catalog point to each book in the stacks. Computer files work in a similar way: an entry in a disk catalog points to the data on the disk (or other media). In the library, if you remove the card pointing to the book, the book is still on the shelf, but it is more difficult to find. Similarly, when a file is deleted from a computer, the computer removes only the pointer and leaves the data, just like removing the card but leaving the book on the shelf. Computer Forensics is the science of using technology to recover the data, and the art of finding hidden data.
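The card-catalog behavior can be shown on a small disk image. The Python sketch below is an added example, not ForenSec's tooling: the image layout, file names and contents are constructed for illustration, and the only real-world detail borrowed is the FAT convention of marking a deleted entry by overwriting the first byte of its name with 0xE5.

```python
import struct

CLUSTER = 32                     # bytes per data cluster (toy value)
SLOTS = 4                        # catalog slots at the start of the image
ENTRY = struct.Struct("<11sBI")  # name, first cluster, size: 16 bytes
DELETED = 0xE5                   # FAT's "deleted" marker in the first name byte
DATA_START = SLOTS * ENTRY.size

def make_image(files):
    """Build a constructed toy image: catalog, then contiguous file data."""
    catalog, data, cluster = b"", b"", 0
    for name, content in files:
        catalog += ENTRY.pack(name.encode("latin-1").ljust(11), cluster, len(content))
        used = -(-len(content) // CLUSTER)   # clusters needed, rounded up
        data += content.ljust(used * CLUSTER, b"\x00")
        cluster += used
    return bytearray(catalog.ljust(DATA_START, b"\x00") + data)

def entries(image):
    """Yield (slot, name, first_cluster, size) for every slot ever used."""
    for slot in range(SLOTS):
        raw = bytes(image[slot * ENTRY.size:(slot + 1) * ENTRY.size])
        if raw[0] != 0:                      # 0x00 means never used
            yield (slot, *ENTRY.unpack(raw))

def list_files(image):
    """What the user sees: only entries not marked deleted."""
    return [n.decode("latin-1").strip() for _, n, _, _ in entries(image) if n[0] != DELETED]

def delete(image, name):
    """Delete as the OS does here: flip one catalog byte, leave the data."""
    for slot, n, _, _ in entries(image):
        if n.decode("latin-1").strip() == name:
            image[slot * ENTRY.size] = DELETED
            return True
    return False

def recover_deleted(image):
    """Follow deleted catalog entries to data that is still on the disk."""
    found = {}
    for _, n, cluster, size in entries(image):
        if n[0] == DELETED:
            start = DATA_START + cluster * CLUSTER
            found["?" + n[1:].decode("latin-1").strip()] = bytes(image[start:start + size])
    return found

if __name__ == "__main__":
    img = make_image([("MEMO.TXT", b"constructed sample: meet at noon"), ("NOTES.TXT", b"hello")])
    delete(img, "MEMO.TXT")
    print(list_files(img), recover_deleted(img))
```

The recovered name begins with `?` because the first character is the one byte the deletion overwrote; everything else, including the full contents, is still in the image.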

Computer Forensics also includes preserving the chain of custody and maintaining the integrity of computer evidence, and then presenting the recovered data in a format understood by the client, whether the client is an attorney, a corporate officer, or a private party.