Computer Crimes
Computer forensics is an area of science that deals with computer crimes
such as illegal computer hacking, the forging of software, the creation
of viruses, fraud, embezzlement and child pornography. Computer crime
does not refer only to computers and laptops; it also covers anything
containing chips that can store and process data records, such as mobile
phones, video recorders, cameras and fax machines. The majority of
computer crimes committed concern home PCs.

File Deletion
Some criminals believe that deleting a file means that it is gone
forever. However, deletion does not remove the file from the disc; it
merely renames the file to hide it from the user. On a hard disk, a
deleted file may still be recoverable even after the recycle bin has been
emptied. When the file is deleted, the space it previously used is simply
marked as 'deleted', but until new data is stored there and the area is
overwritten, the original file stays on the hard drive. More advanced
criminals are aware of this gap and prefer more advanced ways of hiding
files, such as encryption and secure-deletion programs, to ensure that
their incriminating data stays hidden. The quick-erase functions of
CD-writing programs do not fully erase the disc either, and the data
physically remains on the CD.
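The behaviour described above can be seen on a FAT file system, where deletion overwrites the first byte of the file's name in its directory entry with the marker 0xE5 and leaves the rest of the entry and the data in place. The following is an added example, not part of the original page; the choice of FAT, the 512-byte cluster size and the directory and file contents are constructed assumptions.

```python
import struct

ENTRY = 32        # size of one FAT directory entry
DELETED = 0xE5    # first name byte once the file is deleted
ATTR_LFN = 0x0F   # long-file-name entries, skipped here
CLUSTER = 512     # cluster size of the constructed image (assumption)

def make_entry(name, ext, cluster, size, deleted=False):
    """Build a constructed 32-byte short-name entry for the demo."""
    raw = bytearray(ENTRY)
    raw[0:11] = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    raw[11] = 0x20                                     # archive attribute
    struct.pack_into("<H", raw, 20, cluster >> 16)     # first cluster, high word
    struct.pack_into("<H", raw, 26, cluster & 0xFFFF)  # first cluster, low word
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED   # deletion overwrites the first name byte
    return bytes(raw)

def find_deleted(directory):
    """Return (name, first_cluster, size) for every deleted entry."""
    found = []
    for off in range(0, len(directory) - ENTRY + 1, ENTRY):
        e = directory[off:off + ENTRY]
        if e[0] == 0x00:       # never-used entry: end of directory
            break
        if e[0] != DELETED or (e[11] & 0x3F) == ATTR_LFN:
            continue
        stem = "?" + e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        hi = struct.unpack_from("<H", e, 20)[0]
        lo = struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        found.append((f"{stem}.{ext}" if ext else stem, (hi << 16) | lo, size))
    return found

def recover(image, data_start, cluster, size):
    """Read the file's bytes, assuming contiguous, not-yet-overwritten clusters."""
    start = data_start + (cluster - 2) * CLUSTER   # data clusters are numbered from 2
    return image[start:start + size]

# Constructed image: a three-entry directory followed by two data clusters.
SECRET = b"ledger: constructed sample content"
DIRECTORY = (make_entry("README", "TXT", 2, 5)
             + make_entry("LEDGER", "TXT", 3, len(SECRET), deleted=True)
             + bytes(ENTRY))
IMAGE = DIRECTORY + b"hello".ljust(CLUSTER, b"\0") + SECRET.ljust(CLUSTER, b"\0")

if __name__ == "__main__":
    for name, cluster, size in find_deleted(DIRECTORY):
        print(name, recover(IMAGE, len(DIRECTORY), cluster, size))
```

The first character of the recovered name is lost because the marker replaced it, which is why it is shown as "?".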

In The RAM
Computer systems contain memory to speed up the running of programs.
Storing data on a random access memory (RAM) chip makes programs respond
more quickly, as there is more memory. The computer's operating system
makes the RAM's work very difficult, as it is constantly swapping
seldom-used data from the RAM to a hard disc, which is much slower but
has a much higher storage volume. This process creates a file called a
'swap file', and even if a file is completely deleted, it may still exist
inside the swap file. It does not remain there forever: each time the
computer is turned on and used, new files replace some of the existing
old files in the swap file and everything is moved around. This evidence
can be invaluable.

Finding Without Loss
Because swap files are altered each time the computer is switched on,
they present investigators with a problem. Any evidence existing on a
computer's hard drive may be erased when the computer is switched on for
investigation. Forensic scientists have overcome this problem with a
simple solution involving equipment that can completely copy the
computer's contents without turning on the machine. Investigators then
examine all of the information on the copy without the risk of
destroying the data. This method also prevents accusations of evidence
tampering and allows personnel such as lawyers to access the evidence
and attempt their own analysis of the RAM for verification.

Encryption
Because almost anybody can access data once it has been sent over the
internet, computer users often encrypt data using a form of code. The
study of cryptography has brought about two main systems of encoding
that computers use: asymmetric encryption (also known as public-key
encryption) and symmetric encryption.

Symmetric Encryption
Just as there is a key to lock and unlock a door, there is also a key
(or code) to encode and decode a message. Symmetric encryption uses one
key to encode the message and the same key to decipher it. This means
that both the computer sending the message and the computer receiving it
must have a copy of the same key, hence the term 'symmetric' encryption.

Public Key Encryption
The asymmetric encryption (public-key encryption) system uses two
different keys: one to encode the message and the other to decode it.
The key used to encode the message is known as the public key, while the
key used to decrypt the message is the private key, known only to the
recipients themselves. The private key corresponding to a given public
key must be used to decipher the data.

The Decryption Process
Unfortunately, there is no direct way to describe a method of decryption
that forensic scientists can use in computer forensics. Particularly
when data is encoded using public-key encryption, finding the type of
public key used and the clues to its corresponding private key depends
largely on the luck of this information having been stored on a separate
disc or recorded in some way, for example on the hard drive of the
computer used for encryption. Experience and time both pay off during a
decryption process, which will vary according to the effectiveness and
security of the encryption code.