Computer forensics is the custom of collecting, analysing and reporting on electronic data in a means that is legally admissible. It may be utilised in the prevention and detection of crime and in any dispute in which proof is stored digitally. Computer forensics has similar examination phases to other forensic disciplines and faces related difficulties.
About this manual
This manual discusses computer forensics in the neutral perspective. It isn’t connected to certain legislation or planned to promote a specific business or product which isn’t composed in prejudice of law enforcement or industrial computer forensics. It’s directed in a non-technical viewer and supplies a high-level perspective of computer forensics. This manual uses the word “computer”, but the concepts apply to any apparatus capable of storing electronic data. Where methods are mentioned they are supplied as examples only and don’t constitute advice or recommendations. Copying and publishing the entire or portion of the Guide is licensed only under the terms of the Creative Commons – Attribution Non-Commercial 3.0 permit
There are just a few regions of dispute or crime where computer forensics can’t be implemented. Law enforcement agencies are one of the oldest and heaviest consumers of computer forensics and have often been in the forefront of advancements within the specialty. Computers can comprise a ‘scene of a crime’, such as with hacking [ 1] or refusal of service attacks [two] or they could hold proof in the shape of emails, web history, files or other documents pertinent to offenses like murder, kidnap, fraud and drug trafficking. It isn’t simply the content of mails, files and other documents that might be of interest to researchers as well as the ‘meta-data’  related to these documents. A computer forensic evaluation may disclose every time a file first appeared on a computer, as it was edited, as it was last saved or published and which user completed these activities.
More recently, commercial businesses have employed computer forensics for their advantage in Many Different instances such as;
In situations where someone finds it necessary to get original data stored on a computer or storage network, that individual has to be able to do this and be in a position to provide evidence describing the importance and the consequences of their activities.
An audit trail or other record of all procedures applied to computer-based digital evidence ought to be created and maintained. An independent third-party ought to be in a position to analyze those procedures and achieve exactly the identical outcome.
In conclusion, no changes must be made to the first, nevertheless if access/changes are needed the examiner must be aware of what they’re doing and also to document their activities.
Rule 2 above can increase the question: In what scenario would modifications to a defendant’s computer by means of a computer forensic examiner be required? Traditionally, the computer forensic examiner could make a backup (or obtain) data from a system that’s switched off. A write-blocker will be used to create an specific bit for bit copy  of their initial storage medium. The examiner would do the job then from this particular copy, leaving the first demonstrably unchanged.
But at times it isn’t feasible or desired to change off a computer. It might be impossible to change off a computer if doing this would lead to substantial financial or other reduction for the proprietor. It might not be desired to change off a computer if doing this would indicate that potentially valuable evidence could be missing. In both these situations the computer forensic examiner would have to perform a ‘live acquisition’ that would entail running a little application on the suspect computer so as to replicate (or obtain) the information to the examiner’s hard disk.