Computer forensics and mobile phone forensics is not about processing data; but about investigating people and their actions in relation to a computer or other electronic data processing or storage device. consequently looking to find and use information about what has happened to data as evidence to pinpoint fraudulent, dishonest or misleading behaviour in individuals
The forensic investigation of data held on mobile telephones, PDAs, laptops, PCs and other data processing and storage devices provides a valuable resource in litigation, and argument resolution, in many situations the recovery of deleted e-mails, and ‘hidden’ data, of which the computer user may be, and probably is completely unaware. For example, information encased in the computer file or cached to disk about the ordern of access and editing of a document, when and who by. This delivers new evidence that is often sufficiently powerful to short-circuit the whole argument.
There is a prevailing misconception in the minds of many that retrieving deleted data involves no more that restoring what is in the recycle bin or trash can. examination by computer forensics and mobile phone forensics requires far more than just copying files and folders from targeted computers or devices. Data from computers needs to be specially imaged to produce an exact copy showing the data stored within.
Three meaningful points to ALWAYS remember with all electronic data storage devices, including computers and mobile phones
1. Computer evidence must be SECURED quickly to reduce the risk that it might be destroyed, accidentally or deliberately
2. If the device to be investigated is discovered powered off, DO NOT SWITCH IT ON
3. If the device to be investigated is discovered powered on, DO NOT SWITCH IT OFF
Recovering deleted or slightly overwritten data is technically challenging if the resulting evidence is to be relied upon in litigation. Most IT departments have not had the training or investment in appropriate hardware and software to attempt this without compromising the data.