Computer Forensics Software
Examiners use computer forensics software and hardware designed specifically with forensics in mind. Examiners must produce evidence that is admissible in court. To that end, examiners always have the ‘golden rule’ of computer forensics in mind – always preserve the original evidence. Thus, whenever possible, the first step in every computer forensic examination is to create an exact duplicate of the original media. This duplicate is referred to as an ‘image.’ The analysis is then performed on the image copy, not on the original.
Analysis of the media is done with the help of computer forensics software application suites. These forensic suites create and read image files and streamline the process of identifying files and information that are important to the case. Among their many capabilities, forensic applications can: search for text; identify and extract graphic files; undelete files; recreate the file structure for examination by directory or user; and execute specific scripts designed to search for a particular kind of file or data. Most important, these applications are designed to read an image file in a forensically sound manner, that is, without altering it.
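The read-only analysis described above, as an added example that is not part of the original article and not taken from any forensic suite: a Python script that opens a raw image read-only, searches it for a text keyword, extracts JPEG graphics by their start and end markers, and hashes the image before and after to confirm it was not altered. The SHA-256 comparison, the file name `evidence.img` and the sample image contents are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def find_all(data, needle):
    """Return every byte offset at which needle occurs in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets

def examine_image(path, keyword):
    """Search an image opened read-only; report findings and whether it changed."""
    before = sha256_file(path)
    with open(path, "rb") as f:  # read-only mode: never "r+b" or "wb" on evidence
        data = f.read()          # acceptable for this small sample image
    jpegs, start = [], data.find(JPEG_SOI)
    while start != -1:           # naive carving: first end marker after each signature
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:            # truncated picture: no end marker, stop carving
            break
        jpegs.append((start, data[start:end + 2]))
        start = data.find(JPEG_SOI, end + 2)
    return {"keyword_offsets": find_all(data, keyword), "jpegs": jpegs,
            "sha256": before, "unaltered": sha256_file(path) == before}

def demo():
    """Build a constructed sample image in a temp directory and examine it."""
    jpeg = JPEG_SOI + b"\xe0" + b"constructed-jpeg-body" + JPEG_EOI
    sample = b"\x00" * 512 + b"meet at the warehouse" + b"\x00" * 100 + jpeg + b"\x00" * 256
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.img")  # hypothetical file name
        with open(path, "wb") as f:             # creating the sample, not analysing it
            f.write(sample)
        return examine_image(path, b"warehouse"), jpeg

if __name__ == "__main__":
    print(demo()[0])
```

The carved bytes are returned in memory rather than written beside the evidence, so nothing in the analysis path writes to the image or its directory.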