Data from computer systems, networks, wireless communications, and storage devices may need to be collected and analyzed in the course of a criminal investigation. The collection and analysis of data for this purpose is called computer forensics. The process of computer forensics encompasses both IT and specific laws to ensure that any data collected is admissible as evidence in court.
Depending on the country, illegal computer or network usage may include:
- Identity theft
- Using a computer to sell counterfeit goods
- Using pirated software on a computer or network
- Using a computer or network to create unauthorized copies of copyrighted materials, such as movies, television programs, music, and video games
- Using a computer or network to sell unauthorized copies of copyrighted materials
This is not an exhaustive list.
Two basic types of data are collected when conducting computer forensics procedures: persistent data and volatile data.
Persistent data - Persistent data is stored on a local drive, such as an internal or external hard drive, or an optical drive. When the computer is turned off, this data is preserved.
Volatile data - RAM, cache, and registries contain volatile data. Data in transit between a storage medium and a CPU is also volatile data. It is important to know how to capture this data, because it disappears as soon as the computer is turned off.