The Evolution of Computer Forensics


By Rakis Christoforou BBA, CPA/ABV/CFF, CGMA, ACFE

Since the World Wide Web revolution in 1991, there has been significant growth in the use of computers, the internet, e-mail and, more recently, cell phones for committing financial fraud and other criminal activities.
Computer forensics has evolved during the last two decades into the main tool for applying computer investigation techniques to gather e-evidence suitable for presentation in a court of law. The goal is to perform a structured investigation to find out exactly what happened on a computer and/or other electronic devices and who was responsible for it. Internet history, web-based email and lost or deleted files are examples of data the fraud investigator can utilise as evidence in an engagement.
Computer forensic investigations have some unique aspects compared to investigations that look for evidence in the form of paperwork.

Paperwork vs. Electronic Evidence
In the days of paper-only discovery, forensic accountants and lawyers asked for and received truckloads of paper documents, sometimes brought in from distant places. Their strategy involved finding evidential matter in the form of paperwork that would help them prove a matter of fact.
Strategies have not changed much since then, but the nature of evidence, now in the form of e-evidence, has. Today's e-evidence could fill supertankers if it were printed, because many more transactions are computerised than before. Moreover, people nowadays use computers and other electronic devices at work for personal use as well, and therefore much more information is stored electronically.
In our digital world, people, including fraudsters, leave digital footprints of their activities from which their actions and intentions can be revealed. Digital evidence comes in many forms, including the hard drives found in personal computers, external drives, telephones, smart phones, personal digital assistants, surveillance cameras and telephone voice mail systems.
In a number of known cases, the amount of information left on these devices was the main reason that sufficient relevant evidence was collected and financial fraudsters and other criminals were caught and found guilty. In some, fraudsters thought they had destroyed their digital trails by deleting the relevant files, but this did not prove to be the case.

Deleting a file is not so easy
Modern computer forensic software can find or retrieve evidence much faster than in the “old days”, when the process could take many days. Deleting files from hard drives is not so easy; deleting is in fact a misnomer. Choosing the “delete” option erases the file’s reference from the directory, but it does not erase the file until it is overwritten entirely.
Furthermore, businesses have disaster-recovery systems that perform automatic backups. Therefore, even if a particular file was never saved or it was deleted shortly after it was created, it might still be retained on multiple backup media. Most files also contain metadata, that is, additional data about the original data, which can provide the investigator with important relevant information.
When files and messages are saved, modified or sent, computer software automatically creates artifacts or metadata. Normally this information cannot be changed. Most often, metadata includes information about the date the document was created, who created the data, when it was modified, etc. This may prove to be important e-evidence to be used in court because metadata can be as revealing as a fingerprint.
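The delete behaviour described above, as an added example that is not part of the original article: a constructed in-memory toy disk (not a real filesystem) where deleting drops only the directory reference, and a signature scan recovers the content until the blocks are reused. The ToyDisk class, the <DOC> markers and the sample memo are assumptions made for illustration.

```python
BLOCK = 16  # bytes per block in this toy model

class ToyDisk:
    """Constructed model: a directory of references plus raw data blocks."""
    def __init__(self, blocks=8):
        self.raw = bytearray(BLOCK * blocks)
        self.directory = {}               # name -> (block list, length)
        self.free = list(range(blocks))   # lowest-numbered block is reused first

    def write(self, name, content):
        count = -(-len(content) // BLOCK)  # ceiling division
        if count > len(self.free):
            raise OSError("disk full")
        used, self.free = self.free[:count], self.free[count:]
        for i, blk in enumerate(used):
            chunk = content[i * BLOCK:(i + 1) * BLOCK]
            self.raw[blk * BLOCK:blk * BLOCK + len(chunk)] = chunk
        self.directory[name] = (used, len(content))

    def delete(self, name):
        # "Delete" removes only the reference; the blocks are not wiped.
        used, _ = self.directory.pop(name)
        self.free = sorted(self.free + used)

def carve(raw, header, footer):
    """Recover byte runs that start with header and end with footer."""
    found, pos = [], 0
    while (start := raw.find(header, pos)) != -1:
        end = raw.find(footer, start + len(header))
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(footer)]))
        pos = end + len(footer)
    return found

def demo():
    disk = ToyDisk()
    memo = b"<DOC>wire 90k to acct 7731 friday</DOC>"  # constructed sample
    disk.write("memo.txt", memo)
    disk.delete("memo.txt")
    listed = "memo.txt" in disk.directory              # gone from the directory
    after_delete = carve(disk.raw, b"<DOC>", b"</DOC>")
    disk.write("notes.txt", b"x" * 20)                 # reuses two freed blocks
    after_overwrite = carve(disk.raw, b"<DOC>", b"</DOC>")
    tail_survives = b"7731 friday</DOC>" in disk.raw   # fragment in third block
    return listed, after_delete, after_overwrite, tail_survives
```

After the partial overwrite the header is gone, so the signature scan finds nothing, yet part of the memo is still readable in the raw blocks.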
When Enron declared bankruptcy in December 2001, much of the investigation relied on computer files and their metadata as evidence. A specialised team of forensic accountants, computer forensic experts and lawyers began to search through hundreds of Enron employee computers and were able to find important e-evidence that was used in court.

Dealing with Electronic Evidence
E-evidence tends to be more complete, can prove intent and is hard to deny. At the same time, some aspects must be taken into consideration when dealing with a computer investigation:
– Computer forensic investigations may prove very costly because specialised skills and software may be needed to properly retrieve relevant information;
– It is an area that is constantly evolving;
– We are now experiencing a shift from desktop computers to handheld devices (e.g. cell phones);
– Lawyers and judges involved in a case may not always understand the accounting and technical details of the case without the help of a forensic accountant and/or a computer forensic expert.
In conclusion, electronic evidence (e-evidence) is trace evidence, which is an extremely fragile and often high-value form of evidence that tends to be undetectable to the human eye. Just like other forms of trace evidence, e-evidence must be collected, preserved and handled with care by professionals who know how to collect evidence and prepare it for judicial cases. If evidence is destroyed or modified then the case could be lost in court.

Rakis Christoforou is a Certified Public Accountant (CPA), Accredited in Business Valuation (ABV) and Certified in Financial Forensics (CFF). He is the Vice Chairman of the committee of Economic Crime and Forensic Accounting (ECFA) of The Institute of Certified Public Accountants of Cyprus (ICPAC), member of ICPAC, AICPA (American Institute of Certified Public Accountants) and ACFE (Association of Certified Fraud Examiners).