• Home
• Divisions
  • Administrative Services
  • Communications
  • Criminal Identification
  • Driver License
  • Fire Marshal
  • Forensic Services
  • Highway Patrol
  • Highway Safety
  • Homeland Security
  • Investigations
  • POST
• Commissioners
• Media
• Contact
• Employees

Forensic Services

• Forensic Services Home
• What We Do
• Computer Forensic
• Crime Scene Investigation
• Courtroom Testimony
• Firearms & Tool Marks
• Forensic Analysis
• Forensic Biology
• Forensic Chemistry
• Impression Evidence
• Training
• Contact Forensic Services

Forensic Computer Lab

Incidents of computer crime and criminals using computers to facilitate their aberrant behavior are rising at a significant rate. Computer Forensics deals with the preservation, identification, extraction and documentation of computer evidence. In essence, computer forensics is the "autopsy" of a computer hard disk drive because specialized software tools and techniques are required to analyze the various levels at which computer data is stored after the fact. Often this involves recovering Information the naked eye can no longer see.

A Computer Forensic Example

As an example, criminal investigators need to recoverover 1000 E-Mails off of a computer hard drive a year and half after the suspect left the company, after the hard drive had been formatted and the machine was in use by another user for that year and a half. Now is the time for the Computer Forensics Expert to go to work.

Part of the process they would use would be to:

1. Secure the computer as evidence

• Photograph and log room, position of computer and status of computer.
• If the computer is "OFF" Do Not Turn "ON".
• If the computer is "ON",Do Not Turn "OFF".
• Place Evidence tape over each drive slot
• Photograph and label back of computer components while they are plugged in.
• Label all connection ends to allow reassembly if needed
• If transporting, treat all components as fragile
• Collect all devices such as cables, keyboards and monitors
• Collect instruction manuals, documentation, and notes
• User notes may contain passwords

2. "Dissecting" the computer – analysis areas include

• eMail
• Temp Files
• Recycle Bin
• Info File Fragments
• Recent Link Files
• Spool (printed) files
• Internet History (index.dat)
• Registry
• Unallocated Space-free space on the hard drive
• File Slack-free space between the end of the logical file and the end of physical file (cluster) RAM Slack-free space between the end of the logical file and the end of the containing sector
• Sector-the smallest group that can be accessed on the disk. A group of disk sectors as assigned by the operating system are known as clusters.

The ultimate goal is producing forensics work that is admissible in court.