In general, a computer forensic investigator will use a tool in order to gather data from a system (e.g. a computer or computer network) without altering the data on that system. This aspect of an investigation, the care taken to avoid altering the original data, is a fundamental principle of computer forensic examination and some of the tools available include functionality specifically designed to uphold this principle. In reality it is not always easy to gather data without altering the system in some way (even the act of shutting a computer down in order to transport it will most likely cause changes to the data on that system) but an experienced investigator will always strive to protect the integrity of the original data whenever possible. In order to do this, many computer forensic examinations involve the making of an exact copy of all the data on a disk. This copy is called an image and the process of making an image is often referred to as imaging. It is this image which is usually the subject of subsequent examination.
Another key concept is that deleted data, or parts thereof, may be recoverable. Generally speaking, when data is deleted it is not physically wiped from the system but rather only a reference to the location of the data (on a hard disk or other medium) is removed. Thus the data may still be present but the operating system of the computer no longer “knows” about it. By imaging and examining all of the data on a disk, rather than just the parts known to the operating system, it may be possible to recover data which has been accidentally or purposefully deleted.
Although most real world tools are designed to carry out a specific task (the hammer to hammer nails, the screwdriver to turn a screw, etc.) some tools are designed to be multi-functional. Similarly some computer forensic tools are designed with only one purpose in mind whereas others may offer a whole range of functionality. The unique nature of every investigation will determine which tool from the investigator’s toolkit is the most appropriate for the task in hand.
As well as differing in functionality and complexity, computer forensic tools also differ in cost. Some of the market-leading commercial products cost thousands of dollars while other tools are completely free. Again, the nature of the forensic examination and the goal of the investigation will determine the most appropriate tools to be used.
The collection of tools available to the investigator continues to expand and many tools are regularly updated by their developers to enable them to work with the latest technologies. Furthermore, some tools provide similar functionality but a different user interface, whereas others are unique in the information they provide to the examiner. Against this background it is the task of the computer forensic examiner to judge which tools are the most appropriate for an investigation, bearing in mind the nature of the evidence which needs to be collected and the fact that it may at some stage be presented to a court of law. Without doubt, the growing number of both civil and criminal cases where computer forensic tools play a significant role makes this a fascinating field for all those involved.