Talk:Computer forensics

From Wikipedia, the free encyclopedia

Probably shouldn't be merged

Computer forensics is an emerging discipline, but there are colleges that offer computer forensics alone as a major. Therefore, as a unique field of study, I believe that it is worth a whole Wikipedia article.

68.20.26.58 04:14, 28 August 2007 (UTC)


Plagiarism alert

[1]

So, who's ripped off who here? The copyright date suggests he's ripped off us.


Chassis to Case

Would anyone care if chassis is changed to case or maybe terminal? I can't say I've ever heard a computer case called a chassis.

worldtravller

I wouldn't call it a terminal - too ambiguous. If chassis is not acceptable, then case would be ok imo, but what's wrong with chassis - it's perfectly clear.

Try BaseUnit or data store 82.33.11.157 20:53, 11 June 2006 (UTC) jago25_98

Not that it matters much since the current iteration of this article is in question, however, I think using "chassis" is perfectly fine. Thomas Matthews 05:48, 16 August 2006 (UTC)

To my mind a Chassis is what a machine is built on and holds a structure together, like the chassis of a vehicle, and a case is what covers the machine. So to me there is a slight difference. Ron Barker 10:28, 27 May 2007 (UTC)

Routing and serving hardware of the 'blade' variety have the blades in a chassis. To me the connotations are a bit more structural than the usual 'personal' computer case, so I understand the objection. Style or taste question? 85.178.102.243 00:18, 19 September 2007 (UTC)

Informative article or guide?

This entry reads more like a how-to guide for the aspiring forensic analyst than an explanatory article about the subject. There's no background, history, examples of where such issues have arisen and been applied, etc.

That was exactly my thought- this is not an encyclopedia article. It is also very PC centric, with no mention of Mac, Linux, servers or printers. The forensics sections of Laser printer and Computer printer should be moved here, expanded and compared to the section in Typewriter. Scanners should also be mentioned. --Gadget850 19:22, 19 October 2005 (UTC)
Agreed. This needs editing by someone who knows the subject in a way that keeps the content, which is great, but adjusts the tone to make it more encyclopedic. Are the original editors still hanging around the article I wonder? Coyote-37 14:31, 21 October 2005 (UTC)

It's not encyclopedia material at all, it should be moved to wikibooks. A wikibook howto on computer forensics would be perfect for this material. Night Gyr 09:51, 5 November 2005 (UTC)

I concur --Gadget850 11:19, 5 November 2005 (UTC)
It definitely needs work on stuffy wording and removing gratuitous vendor references. E.g. the vendor mention next to the first occurrence of crypto filesystems is completely gratuitous. I would favour extracting a vendor-free overview with 'function' items and moving platform specific addressing of the items to their own sections. Also, it can probably be edited down to half the volume for the same content. 85.178.102.243 00:26, 19 September 2007 (UTC)

Prevention

How about information about how to make it as difficult as possible for someone to recover such information?

   I would recommend creating a separate article under the title Anti-Forensics, and providing a link.


It would be more applicable for the article to be forensic formatting or data recovery prevention as these are a more technical description. Anti-Forensics sounds a bit made up. —Preceding unsigned comment added by 172.189.101.180 (talk) 17:26, 14 November 2007 (UTC)

Sup, how’s it going? Vonnegut Lynch (talk) 14:48, 22 April 2019 (UTC)

External links

Many seem to confuse WP with a web directory. I checked the external links section, and here's my opinion. These are commercial links and pretty useless in this context (some disguise that fact better than others).

  • www.sectorforensics.co.uk Computer Forensics Investigators
  • www.forensicexams.org is a portal for computer forensic examiners to share information and ideas.
  • www.infosecinstitute.com/courses/computer_forensics_training.html InfoSec Institute Computer Forensics Training Hands on training and certification
  • df.intelysis.com Intelysis Corp. Canada's Leading Digital Forensics Firm
  • www.tkmtechnologies.com TKM Technologies Computer forensics company with news and articles
  • www.data-recovery-reviews.com/computer-forensics-training.htm Computer forensics training What is computer forensics?
  • www.ibasuk.com Ibas UK Computer Forensics Computer forensics company
  • www.securestandard.com/Incident_Handling/Forensics SecureStandard Directory of forensics whitepapers.
  • www.ecodatarecovery.com/forensic.html Forensic Investigation: Who needs forensics?
  • www.forensical.com Computer Forensics Investigations
  • www.securityuniversity.net/classes_anti-hacking_forensics.php Anti-Hacking for Computer Forensics
  • www.krollontrack.com/ Kroll Ontrack (Computer Forensics company)
  • www.t3i.com/services/Information-Forensics/infoforensics.asp T3i (Computer Forensics company)
  • www.silverseal.net/computerForensics.htm SilverSEAL Corporation Computer Forensics Investigations

Here's a bunch that could be useful if the sites were not way too small:

  • www.forensicfocus.com Forensic Focus Computer forensics news, information and community
  • www.computerforensicsworld.com Computer Forensics World Community of computer forensic professionals
  • computer-forensics.safemode.org Computer Forensics Wiki

These could be sort of useful, but neither looks like a must-have:

  • www.bleepingcomputer.com/forums/tutorial24.html Windows Forensics: Have I been Hacked?
  • www.forensics.nl Forensics.nl Forensics Research, Tools and Presentations

So I basically nuked the complete external links section and renamed "Other Sources of Reading" to "External links". Algae 17:18, 20 December 2005 (UTC)

  • www.forensicswiki.org
  • www.computerlegalexperts.com (Computer Forensics / Computer Expert Witness Services) - Personal note: Computerlegalexperts.com does perform Pro Bono work for the community.

Unreferenced

I've slapped an unreferenced tag in the article because it reads like a DIY manual, and there is only one reference - to an article about breaking hash functions. Please cite your sources. Thanks. -- zzuuzz (talk) 23:01, 4 April 2006 (UTC)

This is one of the most dreadful articles I have ever read on Wikipedia. It is factually incorrect and misleading.

It would be useful if you could briefly explain which parts are inaccurate/misleading, so that they can be properly checked and removed if necessary.
66.227.95.240 18:52, 8 November 2006 (UTC)
I'm an expert in this area and will consider cleaning this up. Simsong (talk) 04:36, 6 July 2008 (UTC)

Software

Moved to discussion. There are COUNTLESS software products for CF. Every vendor that pops along is now adding their product in here. It is getting way out of hand, and wiki is NOT a directory of software.

I have therefore shifted the current ruck of product to this page. If we left it, it would get longer and longer and longer, and eventually consume the article, becoming a random directory of questionable commercial tools.

Shutdown directions

The table recommending different shutdown procedures seems to be made up, there's no references or any of the like. Naturally there are reasons for and against pulling the plug vs. shutting down, but none of them are introduced. However, listening to all the best practices I have heard (i.e. forensics experts live or in web discussions, police instructions) there really is no reason to not pull the plug with any modern file system. This seems like a hobby project of someone. Nice at that, but not too expertly informed and definitely not encyclopedic. --Tmh 16:45, 10 January 2007 (UTC)

Agreed, the table really stands out as a poor data set in this article. Many of the references in the section are no longer considered accurate or desirable (such as changing data on hard drives should be avoided at all costs). I have committed a major change to that section to attempt to remove most of the "how to" steps and just cover the general facts in an encyclopedic form. Rurik 15:34, 11 January 2007 (UTC)

Article

Article makes no mention of:

  • MRU lists.
  • Search with a text string.

Some software maybe can export evidence reports to HTML or PDF. Some software maybe can have "skin color" detection, to detect humans in image files on the disks.

No mention of CBIR (Content Based Image Retrieval)

Merge

I just wanted to comment on this idea, as mooted today. I think it is a particularly bad one. The tool list is taking no harm away on its own. Bring it in here and the problem of link spamming will multiply. We are fairly clean at present.

If people want to see a chunk of links to software, they can simply hop to that page. Why bring it in here, which is primarily an information page? It makes no sense from a practical viewpoint, as far as I can see.


That is an option but they are two different topics and it would be practical but silly because they are separate subjects and need separate pages.

Anyone actually know the subject?

Is anyone who actually works with computer forensics involved in this article? It reads a lot like someone just guessing. Also a complete lack of references. --Apoc2400 04:58, 19 March 2007 (UTC)


Yes. I work in computer forensics, and I was responsible for this comment: "This is one of the most dreadful articles I have ever read on Wikipedia. It is factually incorrect and misleading.". I'm glad that other people appear to agree with me.

After over a year since I did some clean up, I'm going to try and clean this up even more. I removed all of the e-mail sections just now, as they do not fit into the overall focus of computer forensics. There are many areas like email that are, or were, explained in too much depth and should be trimmed heavily back. --edit-- just realized I misspelled the edit a bit, s/now/not Rurik (talk) 15:53, 29 March 2008 (UTC)
I know a little, (from an amateur interest in file systems and hardware), enough to sift out some chaff today. Still needs work though, much redundancy remains. On focus: the topic is fairly general, (I see it as related to reverse engineering and honorable hacking, of interest and use to most computer experts), but the current article seems biased in favor of its admittedly important law enforcement applications, as though it were an advocacy tract for an emerging professional subclass. It's better we describe what's out there, not professional ideals, hopes, or what "should be". --AC (talk) 06:53, 1 May 2008 (UTC)
I have a PhD in this area. We also run a wiki devoted to this subject (http://www.forensicswiki.org/). My feeling is that this entry should be edited down and much of the content moved there. Simsong (talk) 04:37, 6 July 2008 (UTC)
PLEASE DELETE: "To recover data in the event of a hardware or software failure.

To gather evidence against an employee that an organization wishes to terminate. To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering." Computer Forensics seeks to explain the state of a digital device, not all the nonsense that someone wrote. —Preceding unsigned comment added by 190.245.147.228 (talk) 22:24, 12 March 2010 (UTC)

Overwriting deleted files on a hard drive

I have seen a lot of forensic science shows in which investigators were able to recover deleted data from hard drives. Wouldn't a countermeasure be to write a small program to continue appending to a file until all free disk were used up? A two- or three-line batch file could easily accomplish this with the copy command. What do you think? 71.63.88.166 02:01, 29 October 2007 (UTC)

There are many such programs. For real-time action on *nix systems, one could link 'rm' to srm, albeit at the cost of some system speed. --AC (talk) 08:53, 7 June 2008 (UTC)

To prevent recovery it's best to overwrite every single bit of hard drive at least 8 times, which still doesn't completely guarantee safety. In military cases this is usually done in the 1000's. This can be applied to single files as well but depending on the file system backups can still exist. —Preceding unsigned comment added by 172.189.101.180 (talk) 17:30, 14 November 2007 (UTC)

That might be the computer forensics equivalent of the Y2K scare. There's little evidence that multiple overwrites are necessary for deletion, or that reading overwritten data is feasible. Daniel Feenberg's Can Intelligence Agencies Read Overwritten Data? A response to Gutmann. provides a skeptical overview. --AC (talk) 08:53, 7 June 2008 (UTC)
A bigger problem is the spare sectors on the hard drives. They are handled automagically by the disks, when a data sector can not be rewritten without ECC errors. So even if every - visible - sector is overwritten, there may be untouched spare sectors remaining with original data. --Zyxxel (talk) 20:27, 29 June 2008 (UTC)
There are two kinds of spare sectors: those that have been used, and those that haven't. "Untouched spare sectors" would be the second kind, and therefore contain no user data, while spares in use would be overwritten. Therefore spare sectors would not be a problem.
Perhaps you meant sectors that went bad and were replaced by spares. Bad sectors would tend to be hard to read, if they're not already unreadable. If it were possible to restore or copy them, (with something like spinrite let's say), they'd be somewhat randomly distributed and it's unclear whether there'd be enough of them to be useful, though in theory any sector might hold some crucial password. On the other hand, if something like 'spinrite' could read and restore those, it follows that a similar method could overwrite them as well; perhaps some util already does that? --AC (talk) 07:10, 4 July 2008 (UTC)
I was specifically thinking about the damaged sectors that have had their information duplicated to one of the spare sectors, leaving data of unknown quality in the remapped sectors. When the OS performs remapping (most file systems support this) it's easy to try to write to this sector using normal software. But when the disk itself performs this remapping, it may require potentially undocumented manufacturer commands to try to access the remapped sector data. So a wipe of all visible surface will not overwrite remapped sectors. They need not contain huge physical errors - just be damaged enough that the disk drive can't store the information with correct ECC information. So a sector with 512 bytes of user data could have a single bit that can't be written as a zero or one - or the extra bytes storing the ECC could contain the damage. But that single sector could have been used to store a significant amount of a crypto key file. And a number of newer disks have started to use 4096 byte sectors allowing a single sector to contain even a high-strength crypto key stored in ASCII format. And a remapped sector that has a password only needs the bytes storing the password to be correct.
Next thing is that the sectors don't just store the data but also ECC, allowing mathematical operations on the data. And while a normal user only has access to whatever capabilities the HDD exports, a data recovery company can open the disk in a clean room in which case they are not limited by any sector remapping. And they can try to read the data with whatever misalign they like. So a remapped sector in the disk may be completely hidden from normal accessing and even unreadable by the disk hardware, while a normal wipe still leaves the remapped sectors with sensitive data remaining and accessible using intrusive data recovery methods. --Zyxxel (talk) 17:22, 7 March 2011 (UTC)

Even though this topic is old, I'd like to inject some reality on this subject. Overwriting data on modern magnetic hard disks even once, even with known data (all 0's) is impossible for a forensic investigator to gain any real meaningful data from the drive. You need to keep in mind there's three separate "areas" that need overwritten. Hard drives store data in sectors, which are subdivisions of the drive's empty space in same-size chunks. A file is divided by these chunk sizes and each chunk stored on the drive (anywhere it can find a free sector). Ideally it's all in order, but if it can't it puts it all over the place (thus fragmenting the drive). At the end of your file it is unlikely to come out evenly to fill the last sector, so part of that sector is not written and left the way it was. Since some data is stored in that sector the hard drive won't write anything else there, so if, for example, a deleted file of yours was stored previously in that sector that's not completely filled with the new file, part of your old file is still readable on the disk. This is only useful to an investigator if the file you deleted was a text file, since virtually all binary files will be large enough that recovering part of a sector of its data will still be nonsensical. And likely the text file parts they could recover from that partial sector will also be nonsensical. This is called "slack space." There's also the "data" which is undeleted sectors of a file. Common delete functions on a hard disk only mark the references to the file's sectors (where on the disk all the file's parts are stored) as deleted. All the data is still available to be recovered provided another write function hasn't overwritten those sectors. Then there's "empty space", which is all the sectors that are not currently used; these can contain old deleted files.
So when you overwrite your data (wipe it) you need to use a program that will erase the "empty space" and "slack space" along with the file's data.

It is in the best interest of forensic investigators to cause doubt and confusion about what they can and can't do. The more confused the "perp" is about how to get rid of evidence the more likely it is for them to make a mistake that the investigator can exploit. The only known method to recover overwritten data is by physically tearing apart the drive to recover the media platters then putting them in a special microscope called a Scanning transmission electron microscopy; these devices are extremely expensive. To do this you need to KNOW what data was overwritten and examine the platter bit-by-bit to attempt to determine what the original data was before it was overwritten. This technique is only presented as a theoretical concept, no practical application of recovering any meaningful amount of data has been known to exist yet. So when someone tells you that they can recover data that's been overwritten they're misleading you or are ignorant about what is actually possible or what overwritten data actually is. Although I wouldn't put it past the NSA or other similar government agencies to do this/attempt this for things like state secrets and junk, but aside from nuclear secrets or something similar I doubt that much money and effort would be put into trying to recover overwritten data. Also this technique requires you to KNOW what was overwritten; overwriting one pass of random data would be impossible to recover. Raeky (talk) 02:03, 19 January 2009 (UTC)

No, the disk does not leave the last part of a sector unwritten just because a file isn't large enough to fill all of the sector. The disk always writes complete sectors even if only a single bit needs to be changed. It has to, because it doesn't just write the data part of the sector. It is also writing the ECC that is stored with the sector and used to recover from smaller errors and detect larger data corruption errors in the sector. Once upon a time, file system drivers were lazy and only filled the initial part of RAM buffers with the file data and whatever was left in the buffer since earlier file accesses could be written after the last bytes of the file. Today, file system drivers normally always clear the last part of the RAM buffer before issuing a write - just as virtual memory managers clear RAM pages before giving them to a program that tries to allocate more memory - to make sure that the OS doesn't leak information between different users.
The reason why there are standards for secure wiping of data is that the disk heads are not perfectly aligned. They are controlled by a voice coil and try to align as best as possible with the track. But being imperfect, they are all the time more or less beside the ideal track. That is one of the reasons why a modern disk has a slower seek speed when writing data - it spends more time to try to adjust the head perfectly before starting to write. When reading, it isn't fatal if it happens to slightly miss. Worst case, it can wait until the next rotation and do a new attempt having had ample time to improve the track alignment.
Because the data isn't perfectly placed, a rewrite may not overwrite the full width of the previous recording. And newer head technologies allow smaller and smaller heads to be used, which is significant if the disk is opened and the surface scanned using more recent head technologies. --Zyxxel (talk) 17:42, 7 March 2011 (UTC)
Are there any examples of a single complete sector recovered from a modern hard drive by looking at the edge of the tracks? All the studies I've seen, including those done by the Center for Magnetic Recording Research, have shown that the data on the edge of the tracks is mostly noise, and if any original data is present, it is highly distorted and unrecoverable. Looking at the edge of the track sounds alright in theory, but I've never seen anything that indicates it's possible on a hard drive made in the past 10 years Lylekone (talk) 06:12, 18 May 2011 (UTC)
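
Added illustration, not written by any of the editors above: a toy Python model of the three areas named in this thread (file data, slack space, free space), showing where a constructed marker from a deleted file is still found after a logical delete, after the space is reused, and after each area is zeroed once. It assumes a hypothetical cluster-allocated volume (eight 512-byte sectors per cluster) that writes whole, zero-padded sectors; all names are invented, and remapped sectors and track-edge effects are not modelled.

```python
# Toy cluster-allocated volume; a constructed model, not a real file system.
SECTOR = 512
SECTORS_PER_CLUSTER = 8             # assumption: 4 KiB allocation units
CLUSTER = SECTOR * SECTORS_PER_CLUSTER
SECRET = b"ACCT-0000-CONSTRUCTED;"  # constructed marker standing in for old content


class ToyVolume:
    def __init__(self, clusters):
        self.disk = bytearray(clusters * CLUSTER)
        self.free = list(range(clusters))   # unallocated cluster numbers
        self.files = {}                     # name -> (cluster chain, byte length)

    def _cluster(self, c):
        return bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])

    def write_file(self, name, data):
        need = max(1, -(-len(data) // CLUSTER))          # ceiling division
        if need > len(self.free):
            raise OSError("volume full")
        chain = [self.free.pop(0) for _ in range(need)]  # lowest free cluster first
        for i, c in enumerate(chain):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Whole sectors are written; the tail of the last sector is zero-filled.
            # Sectors of the cluster beyond that are not touched at all.
            chunk = chunk.ljust(-(-len(chunk) // SECTOR) * SECTOR, b"\0")
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.files[name] = (chain, len(data))

    def delete(self, name):
        # Logical delete: only the allocation metadata changes.
        chain, _ = self.files.pop(name)
        self.free = sorted(self.free + chain)

    def regions(self):
        """Yield (area, bytes) for file data, slack space and free space."""
        for chain, length in self.files.values():
            raw = b"".join(self._cluster(c) for c in chain)
            yield "data", raw[:length]
            yield "slack", raw[length:]      # end of file to end of last cluster
        for c in self.free:
            yield "free", self._cluster(c)

    def wipe_free(self):
        for c in self.free:
            self.disk[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

    def wipe_slack(self):
        for chain, length in self.files.values():
            used_in_last = length - (len(chain) - 1) * CLUSTER
            start = chain[-1] * CLUSTER + used_in_last
            end = (chain[-1] + 1) * CLUSTER
            self.disk[start:end] = bytes(end - start)


def residue(vol, needle=SECRET):
    """Sorted list of areas in which the marker can still be read."""
    return sorted({area for area, blob in vol.regions() if needle in blob})


def demo():
    vol = ToyVolume(clusters=4)
    old = (SECRET * (2 * CLUSTER // len(SECRET) + 1))[:2 * CLUSTER]
    stages = {}
    vol.write_file("old.txt", old)         # fills clusters 0 and 1
    stages["written"] = residue(vol)
    vol.delete("old.txt")
    stages["deleted"] = residue(vol)
    vol.write_file("new.txt", b"n" * 600)  # reuses cluster 0, writes two sectors
    stages["reused"] = residue(vol)
    vol.wipe_free()
    stages["free wiped"] = residue(vol)
    vol.wipe_slack()
    stages["slack wiped"] = residue(vol)
    return stages


if __name__ == "__main__":
    for stage, areas in demo().items():
        print(f"{stage:12} -> {areas}")
```

In this model the zero-padded tail of the last written sector holds nothing from the old file; the residue in slack comes from the untouched sectors of the reused cluster.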


Forensic examination is not limited to law enforcement

The big mistake in the current world is that the word "forensic" limits the topic to evidence preservation for law enforcement purposes! There are many examples in the digital world of forensic activities which do not relate to the matter of law enforcement.

Rather, forensic techniques are often used within the digital world to ensure that why a process failed (or succeeded) so that appropriate changes can be effected. Forensic techniques are also used for data recovery, a process that frequently (more often than not) has nothing to do with "evidence" preservation; rather it is data preservation.

Further, if one examines those sciences which use their knowledge to recover knowledge of the past you will find that their techniques are forensically correct; anthropology being a good example.

Let us first understand the basic term of forensics before we try to describe its inner workings!

Bob (talk) 13:09, 7 June 2008 (UTC)

I completely agree and that's why stuff is being removed. Simsong (talk) 05:30, 10 July 2008 (UTC)
While I agree that many people use "forensic techniques" the definition of forensics is "science applied for a legal purpose." I mean, Data recovery professionals use a lot of the same programs/techniques, but it's not really "forensics." I may be splitting hairs here though. I agree that a major re-write is needed though. While the data recovery article needs help too...I think it can help make this one better. Wikiwikikid (talk) 21:14, 18 August 2008 (UTC)

This page should be renamed Digital Forensics

Currently the page Digital Forensics redirects to this page Computer Forensics. I think that it should go the reverse way. The research community really seems to be standardizing on the "Digital Forensics" term as being more inclusive.

What do others think? Simsong (talk) 19:57, 6 September 2008 (UTC)

Agreed. Digital forensics should be the title of this article, computer forensics is considered as outdated terminology in the industry. AMightyKnight (talk) 16:45, 28 December 2022 (UTC)
After further examination, this page should remain with the title Computer Forensics. There is already a page called Digital Forensics which acknowledges that the terminology is synonymous. The direct intent of this page is to cover forensics of computers only. AMightyKnight (talk) 17:22, 31 December 2022 (UTC)

I agree 100%. In fact the article mentions non-computer related digital equipment such as cell phones, digital cameras, black boxes, and so on. --DrRisk13 (talk) 13:59, 11 October 2008 (UTC)

Agree. When this was first written, 'Computer Forensics' was an appropriate term. Presently, the field is too diversified for that title. Rurik (talk) 15:25, 11 October 2008 (UTC)
I'm trying very hard, and utterly failing, to disagree with this opinion. --Aladdin Sane (talk) 13:46, 3 October 2009 (UTC)

Chandra Levy section problem?

Chandra Levy was a Washington, D.C. intern who disappeared on 30 April 2001. She had used the web and e-mail to make travel arrangements and communicate with her parents. Information found on her computer led police to search most of Rock Creek Park, where her body was eventually found one year later by a man walking his dog.

Either I'm being very stupid this morning, or this section, as written, proves the Levy case had absolutely nothing to do with digital forensics: The paragraph shows the body was found by happenstance; and the section should therefore be moved to such a (theoretical) article. --Aladdin Sane (talk) 13:45, 3 October 2009 (UTC)

Time for a major review

This article is a bit of a mess at the moment and the best I can tell from this discussion page and the history is that it's largely been neglected. The first thing that comes immediately to mind is that the article should be renamed "Digital Forensics" since computer forensics is a sub-discipline of the wider digital forensics field. Eoghan Casey's most recent book would be a good guide for people who are interested in exploring this more, but a digital forensic article could easily be divided into subfields such as network forensics, computer forensics, mobile device forensics, eDiscovery, digital video forensics, etc.

The certification section was recently cleaned up and it looks much better now, but it can also be expanded to mention certifications such as the ISFCE CCE and some of the others.

There is a lot of good content in the present article, mind you, but it doesn't flow well and in some cases could use some expansion.

I like the idea of some practical application illustrations at the end of the article. The BTK case is a nice example, but that could be better written and sources need to be provided.

I'm new to wikipedia which is why I'm reluctant to really take an axe to things and step on people's toes, but I'd be happy to help out as time permits.

Ericjhuber (talk) 02:20, 2 August 2010 (UTC)

Agreed; I see that using Digital Forensics was discussed above but never implemented. I am trying to source and rewrite parts of this article when time permits.... but you are right, some sort of restructuring would rock. --Errant Tmorton166(Talk) 09:06, 2 August 2010 (UTC)
I'm on the Forensic 4cast podcast quite a bit these days and we recorded another episode yesterday afternoon. At the end of the podcast, I put out a call for help for people in the digital forensic community to get involved with the wikipedia project since a lot of people use Wikipedia as a primary source of information. Making sure that the digital forensic content looks good is a nice way for people to get accurate information about what we do and makes our lives easier in combating things like the CSI effect. I'll also mention something the next time I do a blog post over on my blog. I'm still learning the ways of Wikipedia so I'll be more useful once I learn the system better. Ericjhuber (talk) 10:33, 2 August 2010 (UTC)
Cool beans :) (yes, I read your blog with interest). I have begun work on Digital forensics as the "umbrella topic" for this whole subject. My current thinking is we can split information about the uses and legal aspects of digital forensics from this article into Digital forensics and use that as an intro. Thereby leaving this article to delve into the computer-style forensics. --Errant Tmorton166(Talk) 10:55, 2 August 2010 (UTC)

I second that motion. I tried linking an important article from my web-page, which is EXTREMELY relevant and it was booted by the editor as being SPAM. The result is that the page is now "semi-protected." I tried contacting the editor, but there is no Point of Contact for the editor listed. Those interested in spoliation issues, should visit this page, What is Digital Spoliation? — Preceding unsigned comment added by 65.222.202.26 (talk) 15:43, 16 August 2011 (UTC)

Conflict of interest editing

Recent edits were made by a person who appears to have a conflict of interest. I will revert these changes shortly without prejudice for them being restored by an editor who does not have a real or apparent conflict of interest. I will also advertise this edit and revert to an appropriate WikiProject in the hopes that an expert can make a judgment on whether the recent edits should be kept or not. davidwr/(talk)/(contribs)/(e-mail) 19:02, 16 April 2013 (UTC)

Advertised on WT:WikiProject Computing. WikiProject Computer Security is a more logical choice but its talk page was too quiet. davidwr/(talk)/(contribs)/(e-mail) 19:09, 16 April 2013 (UTC)
Disclaimer: I am no expert in computer forensics. The prose does not seem problematic; I can believe that there are different forensic methodologies depending on the kind of analysis and desired outcome and the clarification on certification seems uncontroversial. The Ruan reference is a published book and seems like a reliable source, but could use page numbers to narrow down the location of the source material. Perhaps the most problematic is the Adam reference. It is unclear if the thesis, or papers from it, have been published anywhere and it is unclear whether the thesis has even passed thesis committee and the PhD awarded. With no evidence of peer review, I don't think it can be counted as a reliable source for the purpose of adding material to this article. I leave it to others more knowledgeable in the field than I to determine what stays and what goes. --Mark viking (talk) 20:24, 16 April 2013 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified 2 external links on Computer forensics. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 21:09, 11 August 2017 (UTC)

Techniques

I am planning on adding information on mobile forensics and techniques that can be used if mobiles were involved. — Preceding unsigned comment added by Lakers248 (talk • contribs) 20:23, 16 February 2022 (UTC)

Documenting evidence of cyber forensics

B 106.77.0.17 (talk) 10:07, 8 May 2022 (UTC)

Reference for the cases cannot be verified

Hi. I was cleaning up some minor issues and found that the section on Bank NSP etc. has a link to a file that cannot be read. Are there other references to these cases? I cannot find any, and so will revise this section. FinisKoronatOpus (talk) 18:48, 17 March 2023 (UTC)