What Is Forensic Software?
Forensics is the practice of gathering and examining data about a past event so that it can be used in court as evidence. In the computer world, forensic software does essentially the same thing: it gathers data from computer systems or networks during an investigation or audit.
Like the tools and methods used in criminal investigations, this software helps information technology security personnel gather the information a task requires, for example to find out who has been deleting or copying confidential data from a corporate database, or who has been spreading malicious applications that cause system crashes.
In criminal investigations it is always desirable to leave the crime scene untouched and uncorrupted so that the reconstruction is as accurate as possible. The same goes for this software: it must gather data from the system under investigation without altering that system in any way. This is the most basic requirement of any forensic software, and such tools are designed and developed around that principle. In reality, however, it may be almost impossible to avoid altering the system during data gathering. Even the shutdown required before a computer can be transported changes data, because the system logs the shutdown as part of its normal operation.
To preserve the integrity of the original system, a common practice among computer forensic investigators is imaging, also called ghosting. Imaging is the process of copying or cloning the system to separate hardware, ideally with the same specifications. The investigation is then carried out on the clone, leaving the data on the original system intact and unchanged.
Another basic function of forensic software is the restoration of deleted data from storage media. This is possible because deleted data, and even formatted storage media, still keeps
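As an added example (not code from the original article), the following Python models the practice just described and the check a practitioner attaches to it: an image of the evidence is taken, hashed at acquisition time, and re-hashed later so the working copy can be proven identical to the original, and any alteration of the copy is detected. It also shows why imaging preserves more than the visible files: on a small, constructed flat-filesystem layout, "deleting" a file only clears its directory entry, so the content is still recoverable from the image by signature carving. The on-disk format, file names and contents are all constructed for the illustration; only the use of SHA-256 and the JPEG start/end-of-image marker bytes are real.

```python
import hashlib

# Toy flat filesystem, constructed for this example (not a real on-disk format):
#   bytes 0..255   directory: 8 entries of 32 bytes each
#                  [16-byte name, NUL padded][4-byte offset][4-byte length][8 bytes unused]
#   bytes 256..    data area
DIR_ENTRIES = 8
ENTRY_SIZE = 32
DATA_START = DIR_ENTRIES * ENTRY_SIZE
DISK_SIZE = 2048

JPEG_SOI = b"\xff\xd8\xff"  # JPEG Start Of Image marker (real signature)
JPEG_EOI = b"\xff\xd9"      # JPEG End Of Image marker (real signature)


def build_toy_disk(files):
    """files: dict name -> bytes; lays the contents out back to back in the data area."""
    disk = bytearray(DISK_SIZE)
    offset = DATA_START
    for i, (name, content) in enumerate(files.items()):
        entry = (name.encode().ljust(16, b"\x00")
                 + offset.to_bytes(4, "big")
                 + len(content).to_bytes(4, "big")
                 + b"\x00" * 8)
        disk[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE] = entry
        disk[offset:offset + len(content)] = content
        offset += len(content)
    return disk


def list_files(disk):
    """Names the directory still points at (what a normal file listing would show)."""
    names = []
    for i in range(DIR_ENTRIES):
        name = bytes(disk[i * ENTRY_SIZE:i * ENTRY_SIZE + 16]).rstrip(b"\x00")
        if name:
            names.append(name.decode())
    return names


def delete_file(disk, name):
    """Mimics how typical filesystems delete: the directory entry is cleared,
    the data blocks are merely marked free and keep their contents."""
    for i in range(DIR_ENTRIES):
        start = i * ENTRY_SIZE
        if bytes(disk[start:start + 16]).rstrip(b"\x00") == name.encode():
            disk[start:start + ENTRY_SIZE] = b"\x00" * ENTRY_SIZE
            return True
    return False


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire_image(source):
    """Bit-for-bit copy of the evidence plus the hash recorded at acquisition.
    A real acquisition reads the original through a write blocker; the
    verification logic that follows is the same."""
    image = bytes(source)
    return image, sha256_hex(image)


def verify_image(image, acquisition_hash):
    """Re-hash the working copy; any mismatch means the copy was altered."""
    return sha256_hex(image) == acquisition_hash


def carve(image, header, footer):
    """Signature-based carving: recover content by header/footer markers,
    regardless of whether any directory entry still points at it."""
    found, pos = [], 0
    while True:
        start = image.find(header, pos)
        if start == -1:
            break
        end = image.find(footer, start + len(header))
        if end == -1:
            break
        found.append(image[start:end + len(footer)])
        pos = end + len(footer)
    return found


def demo():
    # Constructed sample contents: a fake "photo" wrapped in real JPEG markers, and a note.
    photo = JPEG_SOI + b"\xe0" + b"constructed-jpeg-payload" + JPEG_EOI
    note = b"quarterly numbers, do not distribute"
    disk = build_toy_disk({"photo.jpg": photo, "note.txt": note})
    delete_file(disk, "photo.jpg")         # the photo is deleted before the drive is seized
    image, acq_hash = acquire_image(disk)  # investigator images the drive and records the hash
    tampered = bytearray(image)            # a later, altered working copy must fail verification
    tampered[-1] ^= 0xFF
    return {
        "verified": verify_image(image, acq_hash),
        "visible": list_files(image),
        "carved": carve(image, JPEG_SOI, JPEG_EOI),
        "tamper_detected": not verify_image(bytes(tampered), acq_hash),
    }


if __name__ == "__main__":
    print(demo())
```

The directory listing of the image shows only `note.txt`, yet carving the same image by JPEG markers returns the deleted photo intact, which is exactly why investigators work from a full image rather than a file-level copy. The acquisition hash is the evidence that the clone being examined is the same bits that were on the original.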