Computer Forensic Techniques


In modern society computers have taken a central position in many aspects of human lives. Computers are used in education, banking, communication, transport, security, administration and many other spheres of life. Similarly, crimes involving computers and computer application have also increased together with the advancement of the computer technology. This has necessitated the establishment of a branch of forensic science to deal with this emerging form of crime. This branch is what is now referred to as computer forensic.

This branch of forensic science deals with the collection and analysis of digital information with the aim of providing evidence that will assist in solving a crime (Craiger, 2006). There are various computer forensic techniques. The major ones include; cross drive analysis, live analysis and deleted files recovery. These techniques are discussed inside the paper. There are also various categories of computer forensic evidence.

Three broad categories have been covered in this paper. These are; mobile devices, network forensic and database forensic. In order to ensure that evidence gathered through computer forensic techniques is admissible in court, there are certain considerations that must be adhered to. These considerations have also been addressed herein.


Computer forensic is a branch of forensic science that mainly deals with computer evidence (Craiger, 2006). Computer forensic techniques involve examining digital media with the aim of preserving, recovering or analyzing forensic information. Since late 20thcentury computers have become prominent in very many spheres of life. Through computers criminals can now gain access to people and organization sensitive information, know about people where about and monitor people’s movement with ease.

This has made the computer a target for many crimes such as fraud and hacking. The computers have also provided a media through which criminal activities such as underage pornography, cyber stalking, rape kidnapping and murder are made easier to commit (Carson, 2010). Computer forensic techniques does not only involve examining computer crimes but are also used to provide evidence for other forms of crimes. This was made possible in 1980 when digital evidence became admissible in court. Since then computer forensic techniques have been used as sources for providing evidence for crimes committed.

Computer Forensic Techniques

1. Cross-drive Analysis

This is a forensic technique that involves analysis of information found on multiple hard drives (Garfinkel, 2006). This is a relatively new concept and is still under research. The main idea behind this technique is trying to correlate information located in different hard drives in attempts to identify social networks and detect anomalies. Anomalies in computer forensic setting refer to patterns that do not conform to normal behavior in a given data set. Detection of anomalies in data can provide basis for an investigation.

There are different techniques that can be used in detecting anomalies. This are; distance based anomaly detection techniques (K-nearest neighbor algorithm, local outlier factor), one class support vector machines, replicator neural networks and cluster analysis based outlier detection techniques (Garfinkel, 2006). Anomaly detection techniques are applied to detect fault, fraud and intrusion in a given set of data.Distance based anomaly detection techniques can utilize the K-nearest neighbor algorithm or the local outlier factor (Garfinkel, 2006). The K- nearest neighbor algorithm is a pattern recognition technique that classifies objects based on the closets neighbors.

By analyzing patterns based on the K-nearest algorithm anomalies in a data set can be detected. Local outlier factor on the other hand identifies anomalies by comparing the local density of a point with the local density of a point’s neighbors.Support vector machines are logarithms that analyze data and recognize patterns (Garfinkel, 2006). Support Vector machines identify anomalies by determining possible classes of each input data. Therefore, vector machines identify can be termed as non-probabilistic binary linear classifier.

Replicator neural network is an anomaly detection technique that identifies anomalies by replicating the neural networks involved in processing a particular data set. Identifying anomaly using cluster based techniques involves putting each data set into clusters defined by certain characteristics and identifying the data set that deviate from the cluster(s). There are different methods of clustering data and the best method to use will be determined by the type of data you are analyzed and the objectives of your analysis.

2. Live Analysis

Live analysis is a computer forensic technique that is used to examine computers from within the operating system (Hay, 2009). This technique utilizes sysadmin tools or custom forensic to extract evidence from within the computer operating system. This technique is especially useful in recovering volatile data such as information stored in the RAM. There are sets of information that are unrecoverable before powering down a computer and this information is lost after power is removed. Live analysis technique is used to recover information lost in this manner. This technique analyses the RAM for prior content even after powering down the computer. This is usually possible since electrical charges stored in memory cells usually take time to dispel.

Through Live analysis techniques the length of time after which data will still be recoverable is prolonged by lowering temperatures and using higher cell voltage.Apart from solving problems associated to volatility of data, line analysis is also useful in analyzing problems associated with encryption, anonymity and unsupported file system (Pearce, 2005). A criminal act may take place and the offender has used an encrypted file such as partitions, files, email or instant messaging communication. Line analysis forensic technique comes in handy in providing access to this type of data.

3. Deleted Files

Avery important technique in computer forensic is recovering deleted files. Many people may attempt to cover up criminal acts by deleting incriminating digital information or completely destroying it. Computers carry large amount of data that can provide information about the computer user. This data may also be stored in digital forms such as floppy disks, hard disks, Bernoulli cartridges, CD- ROM, CD-R, DVD and magnetic tape (Berryhill, 2010).

Incrementing evidence that may be located in such files include; financial records, emails, pictures, movies, sound files, word documents and spreadsheets. Modern forensic has developed software with tools for recovering or carving out deleted information. File curving is a technique that involves recovering data by searching for file headers in the disk image and reconstructing deleted materials.

Recovery of deleted data by forensic software is possible due to the process involved in deleting files from a computer (Berryhill, 2010). Computer data are never permanently deleted. Once a given set of data is stored in the computer it is written on the computer hard disc space. When these files are deleted, the computer is only informed that the space the files are located in is free but the files are not actually removed from the computer. When another set of data is saved in the computer, this data is overwritten in the space that was previously occupied by the deleted files.

Recovery software are able to identify and reconstruct the files that are overwritten on in the computer hard disc space. The same process also applies to digital data storage devices such as; compact discs, DVDs and flash disks. In a criminal case the computers and digital storage devices are seized during law enforcement and arrests. Permission to conduct forensic recovery of data may also be granted by the individual owner of the computer or storage device or an organization or permission may also be granted by the court.

Categories of Computer Forensic Evidence

1. Mobile Devices

Computer forensic evidence can be placed into three broad categories; mobile devise forensics, network forensics and database forensics (Jansen & Ayers, 2007). Mobile forensics is involved with analyzing, recovery and reconstruction of digital evidence from mobile device. In most cases mobile devise will refers to the mobile phones but may also encompass devices with internal memory and ability to communicate. High tech mobile technologies have proliferated in the mobile market resulting in increase of mobile devices related crimes.

The amount and type of data that can be carried and conveyed using mobile devices has also increased with time. Information transmission through mobile phones may be through traditional applications such as SMS and MMS to more modern applications such as emails, chats and other wireless networks (Jansen & Ayers, 2007). Computer forensic techniques are employed to recover data transmitted through these mobile devise applications. In some countries, governments retain telecommunication data for purposes of investigations.

This are such as calls received, calls dialed and location of a mobile devise. Seizures of digital mobile devices are regulated by the same laws as other digital devices. Today most mobile devices use application similar to computers and therefore computer forensic techniques used in analyzing data from common computers would also apply to the mobile devices. There are other computer forensic techniques that are specific to mobile forensic data acquisition. These are; physical acquisition, logical acquisition, manual acquisition, external memory, internal memory analysis, flasher tools, chip re-balling and forensic desoldering

2. Network Forensic

This branch of computer forensic involves analyzing and monitoring computer networks in order to gather evidence or detect anomalies (Moore, 2010). Since data within networks are quickly transmitted and lost, network forensic deals with very volatile and dynamic sets of data. Network forensics techniques are usually employed to identify network intrusion or interference. Criminals mostly target networks carrying sensitive information such as bank accounts, credit cards accounts among others and may cause damage to the compromised host by deleting or changing information.

The growing use of the internet means that information today is shifting to network based transmission from digital devices based. Two forms are mainly used to collect network forensic data; (1) “catch-it-as-you-can” which involves capturing and storing all information passing through a particular traffic for subsequent analysis and (2) “Stop, look and listen” which involves analysis of information while still in traffic and saving only certain identified information for future analysis.

3. Database Forensic

Database forensic is a branch of computer forensic that is concerned with analyzing databases and related metadata (Moore, 2010). Database forensic may aim at examining transaction within a database or in identifying evidence of wrong doing such as fraud Read only software such as idea, ACL and Arbutus are mainly used in database forensic analysis. This software provide audit logging capabilities which is a good source of documented proof of the tasks and analysis used by the forensic experts. Databases may also contain cached information in the RAM and therefore line analysis techniques may also be required in database forensic analysis.

Considerations in Computer Forensic

The greatest aim of computer forensic is to collect information that will help prevent or punish a crime .When using computer forensic techniques in gathering forensic evidence there are various key considerations that one must make before embarking on the process. One of them is protecting the integrity of the information.

Which ever technique one is using to recover or analyze data it should not alter or change any part of the data or else the data will not be admissible in court (Berryhill, 2010). The second consideration is legal and social responsibilities. It is important to observe all the legal and social requirements before you employ any computer forensic technique. These are such as search warrants, social values and principles and confiscation approvals.

While conducting computer forensic analysis the forensic expert is required to document findings in the most convincing manner. The forensic expert may document findings in reports, copies of data and photographs. While presenting computer forensic evidence in court the forensic report must include details about the hardware examined, the procedure used and the software employed and also should entails notes about the findings of the analysis.


Computer forensic science has become an increasingly important field as the computers take over all aspects of our lives. Due to our dependence on computer for many of our functions, these devices have become target for crime. Computer forensic is responsible for recovering and analyzing digital information with aim of coming up with adequate forensic evidence. This paper has discussed the various types of computer forensic techniques, categories of forensic evidence and consideration that forensic experts should make when gathering forensic evidence.


Berryhill (2010). Electronic Evidence Recovery and Analysis. Retrieved on March 3, 2011, from

Carson A. (2010). Basic Computer Forensic Techniques. Retrieved on March 4, 2011, from

Craiger P. (2006). Computer Forensics Procedures and Methods. Retrieved on March 4, 2011, from

Garfinkel S. (2006). Forensic Feature Extraction and Cross-Drive Analysis. Retrieved on March 4, 2011, from

Hay B. (2009). Live Analysis: Progress and Challenges. IEEE Security and Privacy, 7 (2), 30-37

Jansen & Ayers (2007). Guidelines on Cell Phone Forensic. Retrieved on March 4, 2011, from

Moore L. (2010). Tools and Techniques for Network Forensics. Retrieved on March 4, 2011, from

Pearce C. (2005). Computing Forensics: A Live Analysis. Retrieved on March 3, 2011, from