Forensic computer science deals with the preservation and processing of computer evidence. Forensics is basically applying science to the evidentiary process. In the case of computer evidence, the science is computer science and the evidence is data stored in any number of forms on a variety of computer storage media. Some have likened computer forensics to the autopsy of a computer. Precision and accuracy are essential in the processing of computer evidence, and this cannot be achieved without using the right set of tools. To do otherwise would be like trying to do brain surgery with a pocket knife.
Law enforcement agencies are woefully underfunded. This is especially true regarding computer evidence and related technology issues. It is tough enough for law enforcement management to pay salaries and keep a fleet of vehicles running in these tight budgetary times. However, computer evidence is here to stay, and every law enforcement agency will have to deal with computer evidence issues in time. The good news is that the price of computer technology is at an all-time low. An adequate setup that meets the minimum requirements for most small law enforcement departments can be purchased for under $6,000. This includes both computer hardware and software.
It is important to preserve computer evidence and safely transport the seized computer to a secure location so a bit stream backup can be made of all computer media. This is required before processing the evidence to avoid triggering potential destructive processes that may have been planted in the computer by the crooks. It also avoids the accidental overwrite of data stored in the form of erased files, in the Windows swap file and in file slack. To process computer evidence without making bit stream backup of the "best evidence" is playing with fire. You are going to get burned badly at some point. The catch is that you must have the proper tools before the evidence can be backed up and processed.
The price of computer hard-disk drives has dropped substantially over the past year. As a result, forensic computer specialists are encountering large volumes of potential data stored on huge hard-disk drives. To put this in perspective, 10 years ago, a 20 megabyte hard disk-drive was considered standard. Today, it is not uncommon for a desktop computer to have multiple hard-disk drives with storage capacities exceeding 2 gigabytes (GB) per drive. For those unfamiliar with these terms, a 20 megabyte hard-disk drive has the capacity to store approximately 20 million characters of data. A 2GB hard-disk drive has the capacity to store approximately 100 times that capacity. To make matters worse, from a computer evidence standpoint, 5GB hard-disk drives are now available and will surely find their way into police evidence lockers.
These small storage devices are not much bigger than a deck of cards, but they have the potential of storing the content of hundreds of thousands of printed pages. For these reasons, plan on spending some money on computer hard-disk drives and storage media.
Even after making a bit stream backup, processing should rarely be done on the seized computer. To do so could subject the seized computer to excessive wear and tear. Your worst nightmare might involve your expert testimony in court about how you came to break the subject computer. To avoid living this nightmare, always plan on restoring bit stream backup, made from the seized computer, to a law enforcement computer. A lightning fast computer is normally not required. With the exception of some specialized automated fuzzy logic forensic tools, most forensic software tools operate quite nicely on lower-end Pentium-based computers or the equivalent, e.g. Pentium 133MHZ to 150MHZ. However, plenty of storage capacity is a requirement, and it is also a good idea to buy at least 64MB of Random Access Memory (RAM) to ensure that you