In general, a computer forensic investigator will use a tool in order to gather data from a system (e.g. a computer or computer network) without altering the data on that system. This aspect of an investigation, the care taken to avoid altering the original data, is a fundamental principle of computer forensic examination and some of the tools available include functionality specifically designed to uphold this principle. In reality it is not always easy to gather data without altering the system in some way (even the act of shutting a computer down in order to transport it will most likely cause changes to the data on that system) but an experienced investigator will always strive to protect the integrity of the original data whenever possible. In order to do this, many computer forensic examinations involve the making of an exact copy of all the data on a disk. This copy is called an image and the process of making an image is often referred to as imaging. It is this image which is usually the subject of subsequent examination.

Another key concept is that deleted data, or parts thereof, may be recoverable. Generally speaking, when data is deleted it is not physically wiped from the system but rather only a reference to the location of the data (on a hard disk or other medium) is removed. Thus the data may still be present but the operating system of the computer no longer "knows" about it. By imaging and examining all of the data on a disk, rather than just the parts known to the operating system, it may be possible to recover data which has been accidentally or purposefully deleted.

Although most real world tools are designed to carry out a specific task (the hammer to hammer nails, the screwdriver to turn a screw, etc.) some tools are designed to be multi-functional. Similarly some computer forensic tools are designed with only one purpose in mind whereas others may offer a whole range of functionality. The unique nature of every investigation will determine which tool from the investigator's toolkit is the most appropriate for the task in hand.

As well as differing in functionality and complexity, computer forensic tools also differ in cost. Some of the market-leading commercial products cost thousands of dollars while other tools are completely free. Again, the nature of the forensic examination and the goal of the investigation will determine the most appropriate tools to be used.

The collection of tools available to the investigator continues to expand and many tools are regularly updated by their developers to enable them to work with the latest technologies. Furthermore, some tools provide similar functionality but a different user interface, whereas others are unique in the information they provide to the examiner. Against this background it is the task of the computer forensic examiner to judge which tools are the most appropriate for an investigation, bearing in mind the nature of the evidence which needs to be collected and the fact that it may at some stage be presented to a court of law.

Without doubt, the growing number of both civil and criminal cases where computer forensic tools play a significant role makes this a fascinating field for all those involved.
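
The points made earlier about imaging and deleted data, as an added example that is not part of the original article: a constructed toy disk where deleting a file removes only its directory reference, the image is checked against the source with SHA-256, and a scan of the whole image still finds the deleted bytes. The `ToyDisk` class, the 512-byte sector size, the file names and the file contents are assumptions made for illustration; the search uses the usual JPEG start and end byte markers.

```python
import hashlib

SECTOR = 512  # constructed sector size for this toy model
JPEG_HEADER, JPEG_FOOTER = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start/end markers

class ToyDisk:
    """Constructed model: raw sectors plus a directory of references to them."""

    def __init__(self, sectors):
        self.raw = bytearray(SECTOR * sectors)
        self.directory = {}  # name -> (offset, length)
        self.next_free = 0

    def write(self, name, data):
        offset = self.next_free
        self.raw[offset:offset + len(data)] = data
        self.directory[name] = (offset, len(data))
        self.next_free = offset + -(-len(data) // SECTOR) * SECTOR  # round up

    def delete(self, name):
        # Only the reference is removed; the sector contents are untouched.
        del self.directory[name]

    def list_files(self):
        return {n: bytes(self.raw[o:o + l]) for n, (o, l) in self.directory.items()}

def make_image(disk):
    """Copy every byte of the disk and hash both source and copy."""
    image = bytes(disk.raw)
    return image, hashlib.sha256(disk.raw).hexdigest(), hashlib.sha256(image).hexdigest()

def carve(image, header, footer):
    """Scan the whole image for header...footer runs, ignoring the directory."""
    found, pos = [], 0
    while (start := image.find(header, pos)) != -1:
        end = image.find(footer, start + len(header))
        if end == -1:
            break
        found.append(image[start:end + len(footer)])
        pos = end + len(footer)
    return found

def demo():
    disk = ToyDisk(sectors=8)
    disk.write("notes.txt", b"meeting at 10")
    disk.write("photo.jpg", JPEG_HEADER + b"constructed picture bytes" + JPEG_FOOTER)
    disk.delete("photo.jpg")  # the "operating system" view no longer lists it
    image, src_hash, img_hash = make_image(disk)
    return disk.list_files(), src_hash == img_hash, carve(image, JPEG_HEADER, JPEG_FOOTER)
```

`demo()` returns the files the directory still knows about, whether the image hash matches the source hash, and what the raw scan recovered.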