Forensic Sciences

Forensic sciences cover almost the entire area; It is a science that is interested in helping justice to clarify forensic issues from medicine to science and social sciences.

Forensic Sciences cover many areas like Forensics, Forensic Medicine, Forensic Animation, Forensic Chemistry, Forensic Toxicology, Forensic Pharmaceuticals, Forensic Pedagogy, Forensic Sociology.

It, are the theories and methods for transferring, organizing, storing, retrieving, evaluating and distributing information.

There are three activities in the information system; input, process and output. For example, we can give wheat, mill and flour or bread as examples.

It, In the TDK glossary, ”informatics is defined as the” science of regular and reasonable processing of information, which is the basis of science and which is the basis of science, in the communication of human beings in technical, economic and social fields land.

In this context “information technology” is defined as “system of all tools and materials used in information technology”.

The information system (1) is the system established to collect, classify, summarize and present the information to the users.

Information system

Information systems are now used in nearly all sectors of life. These are; software, debit cards, mobile phones, money transfers through the internet, electronic signature, electronic state applications that have been transferred to the computer environment and put into service, electronic data and technological developments.

Information systems are used in the processing of cyber crimes as well as in the processing of all other types of crime. Many types of offenses such as insults, bribery, fraud, gambling, drug trafficking, obscenity can also be processed through information systems.

In parallel with the rapid development of technology, electronic devices such as computers, mobile phones, memory cards, CDs and DVDs, which have become an indispensable part of our lives, have also become tools for the processing of many crimes.

Crimes related to information are information crimes, research and investigation of cybercrime crimes are the topics of prevention of cyber crimes. It is possible to collect information about crime in three categories. These:

  • Forensic Medicine (Computer Forensic Medicine)
  • Computer Crimes
  • Computer Security


Forensic Informatics is a science field that detecting and investigating computer-related crimes and preparation as evidence in court.

Computer Crimes

Computer Crimes is an issue that deals with the classification of crime types. ICT Crimes can be examined in three (3) subcategories. These include: Computer Crimes, Internet Crimes, and Cyber Terrorism.

Computer Security

Computer security; It is a branch of science that determines and applies the measures that should be taken in order to prevent the processing of cyber crimes and to make the information systems safer.

Forensic Informatics

Forensic Informatics; It is a branch of science covering the collection, verification and reporting of digital data on computer storage media. In the light of this discipline, crime and criminals are fought, crimes committed, and innocent people who are not involved in crime are protected.

Forensic informatics studies cover the laboratory studies conducted within the time period until an electronic evidence in the court is presented to the court.

It is possible to clarify how each part of the ball of facts constitutes the subject of reasoning. These;

In the early days when forensic computing examinations were being carried out, the resulting files were usually simple files such as text files, worksheets, or images. The file types used today are encrypted, compressed or stenographic files.

In order to combat crime and the offender, to prove the crimes committed and to protect the innocent people who are not related to the crime, persons who are interested in the subject and who are interested in the subject, especially in the security units, the judiciary and the experts, should have sufficient knowledge about the structure of the computer media, properties of electronic proofs and forensic information studies.

Evidence could be everywhere. For example, one of the possible places where digital evidence can be found is the printers. Some types of memory are capable of storing documents. Even large network printers have hard drives that save pages to be printed. The printheads, toners, and cartridges may have physical markers on which printer a document is output.

The workflow of the forensic informatics discipline can be summarized as, find the evidence, collect, process, verify, interpret, authenticate, use,.

Forensic informatics covers Computer investigation, Network investigation, Data investigation, Database investigation, Mobile investigation, Sound investigation, Video investigation, Photo investigation, Operating System investigation.

Forensic IT subsections are Password Breaking, Data Recovery, Software Based Recovery, File Recovery, Folder Recovery, Format Recovery

Transmission can be listed as Data Disposal, Data Erase, Data Conversion, Data storage and data hiding.


  • Not Saving Volatile Information
  • Operation on the suspect’s computer
  • Inappropriate Closure
  • Irregular Labeling and Packaging (Duct Tape, Stapler)
  • Damage during transportation
  • Damage During Storage (Temperature, Humidity, Electrical Voltage)
  • Causing Data Loss on Mobile Phones and PDAs
  • Protection of electronic evidence
  • Examination of electronic evidence and preparation of reports
  • Access to any file, creation and determination of deadlines
  • Headers can be given in the form.
  • Identifying which files are downloaded from the Internet
  • Identifying the original modified file extension

Stages of Forensic Informatics

Detection of Event

The framework of the incident after learning the criminal activity; it will ensure that the intervention of forensic IT experts is more efficient and effective. The intervention in cyber crime actually begins at the time the crime was first identified.

Forensic information personnel should identify all information that might give an idea about the crime committed. Drawing of the event in terms of forensic informatics will guide the course of action.

Preparations to be made before going to the scene

With the detection of the event, the content of the preparations to be made before going to the scene is shaped. During the preparation phase, a team leader is determined who will determine the task descriptions of the first responders and the style of intervention on the scene.

The team leader evaluates the different situations and experiences of the team members in the best way possible for the crime scene, suspicious and electronic evidence.

Preparations to be made before going to the scene

At this point, it is necessary to create an intervention plan. The information about creating the plan can be listed as follows:

  1. Information about IT, communication and network systems
  2. Estimated data size to be copied
  3. Possibility of system backups in storage units
  4. Detection of computer system and / or network responsible people
  5. Type and number of devices expected to be encountered

The tools to be taken to the scene are generally electronic evidence collection, preservation, documentation tools.

Equipment should be prepared before going to the scene; These

Tools for removing computer cases and other devices,

Camera, camera, evidence numbering labels, sketch templates, electronic evidence forms, distance measurement tools, colored highlighter pens, electrostatic discharge equipment to protect the integrity of electronic and physical evidence, disposable latex gloves.

As forensic computing devices to be used to obtain electronic evidence properly, hard drives, hardware write protection devices, laptops, cross-over cables can be mentioned.

For safe handling of electronic proofs, shockproof, antistatic and antimagnetic bags, evidence bags, radio-protected bags should be provided.

Power supplies, converters and connectors, electrical multiplexers / extension devices, network cables should be available to help collect electronic evidence at the scene.

The main purpose of the First Response to Incident is the protection of the scene, as in classical crimes. The electronic crime scene is a elektronik virtual, environment of hardware and software that contains electronic evidence associated with an offense.

It should be remembered that due to the virtual environment, it is possible to easily change, erase or destroy the evidence that can be found on the computer and other electronic devices.

First Response to Incident

In addition to taking these warnings into consideration, the team that first responds to the scene should take into account both the incident and the information they learned about the suspects during the detection phase of the incident.

The team leader must ensure the safety of all people at the scene and the integrity of all physical and electronic evidence.

To ensure the safety of the crime scene are the following;

  • Determination of all entrances and exits of the crime scene,
  • Rapid removal of the suspects at the scene from the evidence base,
  • Taking out strips that determine the boundaries of the scene,
  • Securing all electronic devices,
  • Refusal of requests for technical assistance from non-authorized persons
  • Prevent access by unauthorized personnel to electronic devices,
  • No electronic equipment is dispensed with,
  • No computer or electronic devices are turned off,
  • Never turn off the computer or electronic devices that are switched on,
  • Failure to change the location and status of any electronic device,
  • No computer or electronic devices are turned off,
  • Never turn off the computer or electronic devices that are switched on

It may be useful to obtain information from the suspects during the initial intervention at the scene. In this context, it is possible to get information about the adult suspects at the scene, to the extent that the law allows:

  • Who owns and operates electronic devices,
  • No electronic device displacement allowed.
  • User information for computers and the Internet (social network accounts, etc.)
  • Use of electronic devices,
  • Passwords for software, account, or data access
  • Automatic applications in use,
  • Internet access type,
  • Information about data storage units other than the crime scene,
  • Internet service provider information,
  • Restrictions on access to data at the scene;
  • Exterminator, malfunctioning hardware and software information.

For the detection of electronic evidence, it is necessary to know and understand what kind of electronic devices can contain electronic evidence. The increasing use of digital technology for both professional and individual purposes has led to the proliferation and diversification of data sources.

Devices with electronic evidence

  • Computer Systems
  • Handheld devices
  • Data Storage Units
  • Network Devices
  • Recording Devices
  • Other Devices

In order to document the crime scene, the scene must be photographed and recorded at different angles in the first place. The procedure for documenting electronic evidence detected after the search is as follows.

  • Numbering of electronic proofs separately with evidence labels,
  • Sketch the location of the evidence at the scene,
  • Photographing the scene at different angles,
  • Placing the scene on the camera,
  • Electronic proofs are photographed from different angles so that serial numbers and service label numbers can be read,
  • Labeling unused connection ports as not used
  • Receiving notes expressing the position and status of electronic evidence,
  • Regulation of electronic evidence forms,
  • Photographing of working computers’ screens, taking note of running programs

For each of the electronic evidences, it is necessary to prepare separate forms of evidence. This is a document that reflects the identity of electronic evidence. Electronic evidence forms include the number of the evidence, the name of the owner, the location on the scene, the cable connections, the brand / model and serial number, as well as the notes describing the evidence, as well as the event number and the investigator information.

It is not enough to know the location and status of electronic evidence, it is necessary to have accurate records indicating that the evidence is circulated during the investigation and who has access to the evidence. For this reason, the iri Evidence Protection and Supervision Chain için procedure should be applied for each electronic evidence.

The CoC  (Chain of Custody) is a road map that shows how it is collected, analyzed and protected in order to submit evidence to the court. Since the process of documenting electronic evidence is an ongoing process during the crime scene investigation phase, information such as the time and method of obtaining evidence in these records will be added at the stage of collecting evidence.

Therefore, these records are a resource that can be applied and updated throughout all stages of judicial information. It covers a period from the environmental safety to the submission of the Court to the Court on arrival. These are evidence acquisition, conservation, investigation, analysis, reporting and submission to the Court.

There is a need for a number of common processes to investigate and verify electronic evidence in accordance with specific methods and stages. Eoghan Casey modin (2004) observed the 12-digit Electronic Evidence Research Process Model:

These are;

Accusation and Case Alarm, Value Assessment, Incident / Crime Location Protocols, Identification and Collection, Protection, Recovery Decomposition, Reduction, Organization and Research, Analysis, Reporting, Persuasion and Testimony

Accusation and Event Alarm:

Each process has a starting point. In the electronic evidence research process model, the starting point, the alarm from the intrusion detection system, the presence of suspicious records can be one of the warnings from the various security systems in the network. When judged from a legal point of view, research can be initiated upon the notification of a person.

Value Assessment:

In the evaluation of value, the importance of the problem in general is tried to be determined. Even the slightest notice about cyber crimes cannot be ignored. All notices must be evaluated.

Incident / Crime Protocols:

The main aim of this stage is to register the relevant objects in the scene, to photograph the potential elements in the crime, to identify potential elements and to provide guidance to the researchers on the situation of the crime place by drawing various diagrams.

Identification and Aggregation:

For experienced and experienced researchers, the aim at this stage is to make logical decisions about what is not collected and what to collect, to create a document and to carry out the action thereafter.


The evidence taken at the scene of the incident is preserved until the court.


Protected Electronic evidence before starting a full analysis, deleted, hidden, modified or existing operating system or file system can not be displayed with the data must be revealed. This is called data recovery.


This is the stage where the detailed review begins. It is to gather the data according to certain characteristics to facilitate further research. The hypotheses put forward by the research team are validated or refuted.


Among the data collected, it is aimed to focus on the ones that are directly related to the subject and to reduce it by eliminating the unrelated ones.

Organization and Research:

To identify and identify the data in the analysis phase, to provide a meaningful reference to this data during the testimony.


A detailed examination of the data obtained in the previous stages.


The details of all the methods and procedures used in other stages will be given in the final reports to be prepared.

Persuasion and Testimony:

In some cases, decision-makers may require that the findings in the report be submitted and that questions are answered before reaching an event. So it needs to be prepared in a good way.