Computer Forensics

views updated

Computer Forensics


By: Kim Kulish

Date: January 7, 2005

Source: Corbis

About the Photographer: This photograph was taken at the opening of the Silicon Valley Regional Computer Forensics Lab in Menlo Park, California, on January 7, 2005 by Kim Kulish, a photographer for the Corbis photo agency.


Computer forensics, also called digital forensics, is the systematic recovery of data from digital storage devices—computer discs, iPods, cell phones, digital cameras, personal digital assistants, and the like—for use in law enforcement.

This photograph was taken on the opening day of the Silicon Valley Regional Computer Forensics Lab (RCFL) in Menlo Park, California. The facility, which cost two million dollars, measures 17,000 square feet, and is located in a business park, employed eight dorensic digital examiners who were equipped with a wide array of tools for the extraction and decryption of information from digital devices. The Silicon Valley RCFL was the latest in a network of FBI-sponsored regional computer forensics laboratories across the U.S., with the others (as of 2006) being in Centennial (CO), Chicago, Dallas, Hamilton (NJ), Houston (TX), Kansas City (MO), Portland (OR), Salt Lake City (UT), Buffalo (NY), Dayton (OH), Philadelphia (PA), and Louisville (KY).

Each RCFL serves a specific geographic area and is jointly funded and utilized by the Federal Bureau of Investigation and the other federal, state, and local law enforcement agencies in the area that it serves. The National Program Office of the RCFL program states that "An RCFL is a one-stop, single service forensics laboratory and training [facility] devoted to the examination of digital evidence in support of criminal investigations and to the detection and prevention of terrorist acts." The Silicon Valley RCFL also function as a school training up to one thousand police officers a year in the proper collection and handling of digital evidence. Staff members of the facility may also participate directly in the physical collection of digital evidence, as in going to crime scenes or helping to execute search warrants. A typical RCFL is staffed by ten to twelve examiners, a director, and a secretary ("administrative support person").

The work of the RCFL facilities is distinct from the eavesdropping, decryption, and other computer-and communications-related technical activities carried out by the Central Intelligence Agency, National Security Agency, and other government agencies. The RCFL network is tasked to obtain evidence so that it that can be presented publicly in courts of law.



See primary source image.


Devices that store digital information have become ubiquitous in business, banking, personal communications, and daily life. They have therefore also become ubiquitous in crime. Criminals receive and send emails, both encrypted and in the clear, and store incriminating information on their computers; hackers break into computerized banking systems to steal cash or account numbers; the creation of computer viruses is an inherently digital crime; downloading child pornography is a crime that depends entirely on digital communications and storage devices; and so on.

Digital evidence, like all other evidence gained by intrusive means (property searches, wiretaps, etc.) can only be obtained legally in the U.S. and many other countries if a warrant has been issued or if the material can be acquired by police without searching private property or eavesdropping. (If a letter, optical disc, or hard drive is thrown out as trash, it is fair game for police to examine.)

Applications of computer forensics to real-world cases are numerous. In one notorious case, a woman who murdered a pregnant woman and stole the baby out of the victim's body was tracked by analyzing emails saved on the victim's computer. (The baby was recovered alive.) Often, digital devices or files contain more information than users are aware of, which may be used against them. In 2006, the Washington Post posted to its website a picture of a spam-generating hacker. The picture had been doctored to conceal the hacker's identity but the file contained "meta-information"—information about information, in this case information about the digital photograph—that revealed where it was taken, potentially leading to identification of the hacker by police or others. In Italy in 2005, computer records of cell-phone calls made in Rome were the basis for arrest warrants issued for nineteen C.I.A. agents allegedly involved in kidnapping a Muslim cleric: in the Italian cell phone system, each phone transmits a unique code that allows its location at the time to be determined later, sometimes with a precision of several yards. In 2005, the U.S. Justice Department subpoenaed records kept by the Google Corporation on billions of searches performed by Internet users, not as part of any particular investigation but in order, it said, to demonstrate the frequency of searches for child pornography. Google refused, fearful that demands for more sensitive information—such as which searches originated from which users—might be demanded next.

Countermeasures are available to those who are concerned that their data might be acquired by police. Although the police are equipped to defeat many forms of encryption, some publicly available encryption schemes, such as the Pretty Good Privacy public-key system, are reputedly quite difficult to crack. Misleading data can be planted for apparent discovery by investigators. Not storing incriminating data at all is a particularly effective way to defeat computer forensics, if it can be managed. Simply deleting files, however, does not protect them from recovery: a hard drive must be thoroughly wiped or physically destroyed to prevent recovery.

Like all law-enforcement tools, the methods of computer forensics can be used not only against criminals, but also against political dissidents. In some countries, such as China, digital forensics methods are used to jail persons who access pro-democracy web-sites. In 2005, the Internet company Yahoo! supplied computer records on Internet user activity to the Chinese government that helped it apprehend and jail at least two Internet users who criticized Chinese human rights abuses and corruption online.



Tsai, Alice. "Computer Forensics: Electronic Trail of Evidence." NHSCPA [New Hampshire Society of Certified Public Accountants] E-News. May, 2002. Available at 〈〉 (accessed March 23, 2006).

Web sites

"Silicon Valley Regional Computer Forensics Laboratory." Home page. 〈〉 (accessed March 23, 2006).

About this article

Computer Forensics

Updated About content Print Article