|
|
||||||
IT FORENSICS 4 - EVIDENCE FROM COMPUTERS & LAPTOPS |
| HOME | Comp Forensics 2 | PC's & Laptops | Comp Evidence 1 | Comp Evidence 2 | Fingerprinting | Contacts | | Corporate Client | Private Client | Legal Client |
|
 |
Preserving Evidence is the first priority, therefore there are steps to be taken which may prove vital later on. Something not to be forgotten is that those first on a scene should take steps to ensure the safety of all persons and of course to ensure the integrity of evidence. All activities should adhere to your company's organisational policy and the law. Ideally, of course, a locus will be left alone until qualified personnel are available. If you can, visually identify potential evidence whether physical or electronic and evaluate whether any is fragile. |
 |
Try not to touch! If at all possible don't move anything; leave equipment on that is switched on and equipment off that is switched off. It is a good idea to take some digital photographs of where equipment lies which can match the photographs we take, demonstrating that equipment has not been altered in any way - possibly important in an evidential process later on. Disconnect telephone lines, but from the wall rather than the machine |
 |
Fingerprints may be on peripherals such as the computer mouse or CD's. We have an in-house fingerprinting department that works in conjunction with IT forensics. A scene examination may be appropriate, for example in demonstrating that a particular person has used the machine through lifting of prints from a mouse on-scene. Chemicals used in the processing of prints may damage equipment or date therefore the manner in which equipment is handled is important |
 |
Documentation and Chronology - Maintaining a chain of evidence and documenting activity is an ongoing process starting with recording the location and condition of all units, whether subsequently forensically examined or not. Simple issues may have relevance - such as a mouse being on the left hand side rather than right, indicating a left handed user. The condition of the CPU, disturbance of dust and whether it is on or off, or on and warm, are all recorded. We will take locus photographs of the front of the machine, screen, environment and other processes |
 |
Other evidence - Any other potentially relevant evidence should be collected and documented, e.g. written desk notes, pads which may be indented etc. A coffee mug, for example, may carry the same fingerprints as a mouse or CD |
