Gordon Pelton discussing computer forensics Computer Forensics One   COMPUTER                                     COMPUTER     FORENSICS                                    SCIENCE                       EXPERT  WITNESSES Providing computer forensics and expert witness services to attorneys, law enforcement, business and individuals. Offices in the San Francisco Bay Area and in the North Lake Tahoe area. Serving San Francisco and the San Francisco Peninsula, San Mateo, San Mateo County, Palo Alto, San Jose, Santa Clara, Santa Clara County, Fremont, Oakland, Alameda County and the East Bay Area, Walnut Creek, Concord, and Contra Costa County, Oakland, Berkeley, Pleasanton, Livermore, and Alameda County, Sacramento, Central California, Northern California, Lake Tahoe, Reno, Nevada and all surrounding communities.   Introduction to Computer Forensics Introduction to Computer Forensics     Gordon Pelton's forty-two page book, Introduction to Computer Forensics, will soon be available at Amazon.com and from other online book-sellers. Computer Forensics Almost any document, email message, graphic image, or any audio or video recording could be evidence of value to law enforcement or to the legal or business community. These days, even if such items are not actually created on a digital computer, they may be stored there. Digital evidence, then, is evidence that is stored in digital devices -- devices such as a computer’s random access memory, hard drive, floppy drive, printer or other attached equipment. Evidence might be found in mainframe computers, minicomputers, PCs, laptops, notebooks, hand-held PDAs, and even in digital cameras and digital telephones. Computer forensics is the process of recovering digital evidence.   Digital evidence may include a letter or an entire database of information. It can include financial reports or personnel records, email or voice-mail, a list of personal phone numbers or a list of recently visited Internet sites. A picture or other graphical image might also be evidence. Digital versions of audio or video recordings that have evidentiary value might also be stored in a computer.   Additionally, information generated by the computer’s operating system or by any of its application programs may be evidence. For example, computer operating systems such as Windows maintain logs and other files containing administrative data and information regarding events that occur during processing. Such files could contain the name of the person using the computer, the time the computer was started and the time of last use. They might even contain a record of the installation and/or execution of particular programs that reveal the activities and suggest the intent of the computer user at a particular time.   Once information is stored in a computer it is not easily deleted. Most people think that deleting a computer file erases the information contained in the file. This is not usually the case. Furthermore, most people don’t know that a computer keeps a record of system events and of many of the user’s activities, that copies of files can be scattered throughout a disk during processing, or that web browsers dutifully record a history of internet sites visited. Most people don’t know that copies are kept of both incoming and outgoing email (often in more than one computer), or that the computer’s print buffers may contain many pages of information even after printing is complete.   Generally, all of this information and much more are still there in the computer even after diligent attempts to erase or destroy it. And if it’s there, a computer forensic examination will find it. To assure that digital evidence is neither contaminated nor simply ruled inadmissible, it is imperative that the examination be executed in a forensically sound manner using forensically sterile media.     Such precautions require the services of a trained computer forensics expert. If you have evidence recovery requirements, please contact us. We would like to talk with you about them at no obligation to you.