Computer forensics and mobile phone forensics is not about processing data; but about investigating people and their actions in relation to a computer or other electronic data processing or storage device. Therefore looking to find and use information about what has happened to data as evidence to pinpoint fraudulent, dishonest or deceptive behaviour in individuals
The forensic investigation of data held on mobile telephones, PDAs, laptops, PCs and other data processing and storage devices provides a valuable resource in litigation, and dispute resolution, in many cases the recovery of deleted e-mails, and ‘hidden’ data, of which the computer user may be, and probably is completely unaware. For example, information embedded in the computer file or cached to disk about the sequence of access and editing of a document, when and who by. This delivers new evidence that is often sufficiently compelling to short-circuit the whole dispute.
There is a prevailing misconception in the minds of many that retrieving deleted data involves no more that restoring what is in the recycle bin or trash can. Analysis through computer forensics and mobile phone forensics requires far more than just copying files and folders from targeted computers or devices. Data from computers needs to be specially imaged to produce an exact copy showing the data stored within.
Three key points to ALWAYS remember with all electronic data storage devices, including computers and mobile phones
1. Computer evidence must be SECURED quickly to reduce the risk that it might be destroyed, accidentally or deliberately
2. If the device to be investigated is discovered powered off, DO NOT SWITCH IT ON
3. If the device to be investigated is discovered powered on, DO NOT SWITCH IT OFF
Recovering deleted or partially overwritten data is technically challenging if the resulting evidence is to be relied upon in litigation. Most IT departments have not had the training or investment in appropriate hardware and software to undertake this without compromising the data.