Computer Forensic Consultants - Detective or Archaeologist?

Computer forensics consultants rarely have to deal with crimes; the majority of their work is to provide a data recovery service, reconstructing data from the evidence that is left after whatever data catastrophe has occurred. Although a computer forensics consultant will often use methodologies that owe a great deal to criminal investigation, what he does can more closely be compared to archeology.

In fact, the skill set that you need to become a computer forensics consultant is fairly similar to that required by a programmer, and many programmers make the transition easily. You need to have logical thought processes, allied with an open and questioning mind. The major difference between the debugging process that programmers use and that of data recovery is that programmers are examining their own work and understand the structures that they themselves have created, whereas computer forensic consultants are examining other people's work and need to be able to follow other people's logic - not much different from understanding the working of a criminal.

Data Recovery as Forensic Science
The analogy with criminal investigation kicks in when you consider some aspects of investigations. Computer forensic consultants have to work quickly, because evidence disappears fast as normal system activity starts to overwrite data. The consultant's work itself can destroy data, so they have to be right first time.

Computer forensic consultants have to be really familiar with the systems they are working with, as a detective has to understand the community he is working in. Most forensic incidents are caused by people who have little experience with systems, and the damage they cause is relatively easy to understand, and somewhat crude. This is particularly true when dealing with virus and worm damage; understanding the actions of the virus plus a complete knowledge of the system it attacked means that damage can be mended, and confidence in the system restored.

Sifting Through the Layers of Data
So how does a computer forensic consultant actually do data recovery? There are a number of different actions that happen in a computer system that the consultant can use to help in the process. Log files allow a regular snapshot view of a system, so the consultant can use these to see what was recorded. However, if the damage was malicious, it's perfectly possible that the saboteur has tampered with the log, so logs have to be used carefully, and each part questioned.

Computer systems are composed of layers of software, each layer in place in order to make the actions of the computer closer to what can be understood by users. Although we "see" files, indexes, and attributes for a file, in fact the way that it is physically stored on a disk doesn't "look" like this at all. Deleting a file doesn't physically get rid of all the data immediately; it simply allows this space to be used to store other data as and when it is needed. Thus recovery is possible over a period of time, but the longer the time, the less complete the data.
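
The point about deleted data lingering until the space is reused can be shown with signature-based carving over a raw image. This is an added example, not part of the original article; the sample "disk" is constructed, the function names and the MAX_CARVE cap are assumptions, and the JPEG matching is simplified to start and end markers only.

```python
"""Signature-based carving over a raw image (simplified; constructed sample data)."""

JPEG_HEADER = b"\xff\xd8\xff"   # JPEG start-of-image marker plus next marker byte
JPEG_FOOTER = b"\xff\xd9"       # JPEG end-of-image marker
MAX_CARVE = 64                  # assumption: size cap for fragments with no footer


def carve_jpegs(image: bytes, max_carve: int = MAX_CARVE):
    """Return a list of (offset, data, complete) for every JPEG header found.

    A fragment is 'complete' when a footer appears before the next header.
    Otherwise the tail has been overwritten: the returned run is cut at the
    next header or the size cap and may include unrelated newer data.
    """
    results = []
    pos = image.find(JPEG_HEADER)
    while pos != -1:
        next_header = image.find(JPEG_HEADER, pos + len(JPEG_HEADER))
        limit = next_header if next_header != -1 else len(image)
        footer = image.find(JPEG_FOOTER, pos + len(JPEG_HEADER), limit)
        if footer != -1:
            end = footer + len(JPEG_FOOTER)
            results.append((pos, image[pos:end], True))
        else:
            end = min(limit, pos + max_carve)
            results.append((pos, image[pos:end], False))
        pos = next_header
    return results


def build_sample_image() -> bytes:
    """Constructed 'disk': one intact deleted file, one partly overwritten."""
    intact = JPEG_HEADER + b"\xe0" + b"A" * 20 + JPEG_FOOTER
    damaged = JPEG_HEADER + b"\xe0" + b"B" * 10   # footer lost when space was reused
    new_data = b"N" * 30                          # later write into the freed space
    return b"\x00" * 16 + intact + b"\x00" * 8 + damaged + new_data


if __name__ == "__main__":
    for offset, data, complete in carve_jpegs(build_sample_image()):
        state = "complete" if complete else "partial (tail overwritten)"
        print(f"offset {offset:4d}  {len(data):3d} bytes  {state}")
```

In practice this kind of scan is run against a read-only copy of the media, never the original, for the reason given earlier: the consultant's own work can destroy data.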

Computer forensic consultants need to have as complete a knowledge of hardware, systems software and applications software as possible, and training is a major necessity, as is updating of this knowledge. Usually consultants require a degree in computer science, giving them the understanding of systems at all levels. Online courses can keep consultants aware of new developments, but in the end, experience hones the techniques that computer forensic consultants need to be successful.