Thank you, ma'am, for your reply.
Computer Forensics is best explained via an example:
Let's say that you are a Law Enforcement Officer (LEO) and you are called into the scene of a shooting. At the scene, some guy is facedown on the ground, bled out, with blood soaked into his shirt. Beside him is a 1911A1, hammer back, with three 45ACP shell cases lying about. There are several witnesses gathered at the scene. Many of them are pointing to one other man and saying "He did it!". The accused man loudly proclaims he had nothing to do with it. He says that there was another man, who shot the victim and then fled. As the LEO, you take statements from all persons present, and since there are several good citizens pointing to the accused, you take him into custody until the matter is worked out.
Now come the forensics:
1. Autopsy the victim. Did he die of Gun Shot Wounds (GSW)? Can you recover slugs from his body? Any powder burns? What was the angle of the shot? The distance? Does he have Gun Shot Residue (GSR) on his hands? Who is he? Any DNA records of him in the national db? Prints?
2. Test the firearm. Do test slugs match the slugs recovered from the victim? Does the spent brass match the chamber and slide backstop? Are there any remaining unfired rounds in the mag? Do they match? Who owns the firearm? Is there a record of manufacturer test slugs? Do they match? Fingerprints on the rounds, firearm and magazine? Who do they match?
3. Lots more, esp about the scene and the accused, but you get the idea.
Now let's do the same for a computer crime.
Someone hacks into Boston's web site. They create an account on that server and begin to send threatening mail to the President Elect. It appears that Boston is now threatening the new President. It is obvious from network transmission records that the threats came from Boston's computer. He is arrested and prosecution begins.
The Forensics
1. Image (take a digital copy of the hard drive) the hacked server. We never work on original media since merely touching that media contaminates it, sort of like picking up the firearm and shooting it a couple times!
2. Take a memory (RAM) image. This allows us to see any live IP connections that may be used to "backdoor" control Boston's machine, making it merely appear as if Boston was the bad guy.
3. Take any copies of network traffic recordings (trace files or pcaps) that recorded network activity during the time of the incident. This allows us to replay the crime, sort of like a VCR records video.
4. Examine local logs and remote routing logs. This does the same as #3 above.
5. Examine witnesses. Verify whereabouts, etc.
6. If there are leads that point to a member of Rahm Emanuel's staff, perform the same forensic exam on that person's computer, looking for artifacts and matches.
So... In a nutshell, computers are often used in criminal enterprise. Just like the firearm in our shooting example, the computer has what is called "artifacts" that once analyzed, allow us to reconstruct what happened. That discipline is called Computer Forensics.
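Added example, not part of the original post: a toy walk-through of steps 1, 3 and 4 of the computer-forensics procedure above. It images a constructed stand-in for the seized drive and fixes its hash before any analysis, parses a constructed auth log from the working copy, and then checks each recorded login against constructed network flow records, the way pcaps or router logs would be used to corroborate what the local logs claim. Every address, log line, timestamp and function name here is made up for the illustration.

```python
"""Toy evidence-handling workflow (added example; all data is constructed)."""
import hashlib
import re
from datetime import datetime, timedelta

# --- Step 1: image the media and fix its hash before any analysis ---------

# Constructed stand-in for the seized drive: a blob holding an auth log.
ORIGINAL_MEDIA = b"""\
2008-11-10T22:14:03Z sshd: accepted password for admin from 203.0.113.7
2008-11-10T22:15:41Z useradd: new user name=mailer uid=1003
2008-11-10T22:20:09Z sendmail: from=mailer to=<recipient> status=sent
2008-11-10T23:01:00Z sshd: accepted password for admin from 192.168.1.5
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(media: bytes) -> tuple[bytes, str]:
    """Copy the media bit-for-bit and record its hash; work only on the copy."""
    image = bytes(media)
    return image, sha256_hex(image)


def verify_image(image: bytes, expected_hash: str) -> bool:
    """Re-hash the working copy; a mismatch means the copy cannot be trusted."""
    return sha256_hex(image) == expected_hash


# --- Step 4: parse local logs into events ---------------------------------

LOG_RE = re.compile(r"^(?P<ts>\S+Z) (?P<prog>\w+): (?P<msg>.*)$")
IP_RE = re.compile(r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_auth_log(text: str) -> list[dict]:
    """Turn each well-formed log line into a timestamped event."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ip_match = IP_RE.search(m["msg"])
        events.append({
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "prog": m["prog"],
            "msg": m["msg"],
            "src_ip": ip_match["ip"] if ip_match else None,
        })
    return events


# --- Step 3: corroborate the log against independent network records ------

# Constructed flow records (timestamp, source, destination, destination port),
# standing in for what a pcap or NetFlow capture of the incident would show.
FLOW_RECORDS = [
    ("2008-11-10T22:14:02Z", "203.0.113.7", "198.51.100.10", 22),
    ("2008-11-10T22:20:10Z", "198.51.100.10", "198.51.100.25", 25),
]


def corroborate_logins(events, flows, tolerance=timedelta(seconds=5)):
    """For each sshd login, report whether an independent flow record shows
    traffic from the same source to port 22 at about the same time."""
    parsed = [(datetime.strptime(ts, TS_FMT), src, dst, port)
              for ts, src, dst, port in flows]
    results = []
    for ev in events:
        if ev["prog"] != "sshd" or ev["src_ip"] is None:
            continue
        matched = any(
            src == ev["src_ip"] and port == 22 and abs(ts - ev["ts"]) <= tolerance
            for ts, src, _dst, port in parsed)
        results.append((ev["src_ip"], matched))
    return results


def run_examination():
    """Image, verify, parse and corroborate; never touch ORIGINAL_MEDIA again."""
    image, hash_at_seizure = acquire_image(ORIGINAL_MEDIA)
    if not verify_image(image, hash_at_seizure):
        raise RuntimeError("working copy does not match the seizure hash")
    events = parse_auth_log(image.decode())
    return corroborate_logins(events, FLOW_RECORDS)


if __name__ == "__main__":
    for ip, ok in run_examination():
        state = "corroborated by network records" if ok else "NOT in network records"
        print(f"login from {ip}: {state}")
```

The login from 203.0.113.7 is backed by a flow record one second earlier, while the later login from 192.168.1.5 appears only in the local log; that is exactly the kind of discrepancy that sends an examiner back to the memory image and the routing logs rather than taking the server's own records at face value.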