Corporate Investigator Answers Investigation

Computer Investigation (4)
Preserving Evidence

IT FORENSICS 4 - EVIDENCE FROM COMPUTERS & LAPTOPS

Preserving evidence is the first priority, so there are steps to be taken which may prove vital later on.

Something not to be forgotten is that those first on a scene should take steps to ensure the safety of all persons and, of course, to ensure the integrity of evidence. All activities should adhere to your company's organisational policy and the law. Ideally, of course, a locus will be left alone until qualified personnel are available. If you can, visually identify potential evidence, whether physical or electronic, and evaluate whether any is fragile.

Try not to touch! If at all possible don't move anything; leave equipment on that is switched on and equipment off that is switched off. It is a good idea to take some digital photographs of where equipment lies which can match the photographs we take, demonstrating that equipment has not been altered in any way - possibly important in an evidential process later on. Disconnect telephone lines, but from the wall rather than the machine.

Fingerprints may be on peripherals such as the computer mouse or CDs. We have an in-house fingerprinting department that works in conjunction with IT forensics. A scene examination may be appropriate, for example in demonstrating that a particular person has used the machine through lifting of prints from a mouse on-scene. Chemicals used in the processing of prints may damage equipment or data; therefore the manner in which equipment is handled is important.

Documentation and Chronology - Maintaining a chain of evidence and documenting activity is an ongoing process starting with recording the location and condition of all units, whether subsequently forensically examined or not. Simple issues may have relevance - such as a mouse being on the left-hand side rather than the right, indicating a left-handed user. The condition of the CPU, disturbance of dust and whether it is on or off, or on and warm, are all recorded. We will take locus photographs of the front of the machine, screen, environment and other processes.

Other evidence - Any other potentially relevant evidence should be collected and documented, e.g. written desk notes, pads which may be indented etc. A coffee mug, for example, may carry the same fingerprints as a mouse or CD.

If in doubt - don't touch! Never attempt to recover data or explore data from a computer without the necessary skills - this may affect the integrity of a chain of evidence to your later cost. When working with units our first move will be to clone the unit and conduct our work from the clone without booting the machine. By all means, however, take evidential photographs.
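The documentation and cloning steps described above can be supported in software. The following is an added example, not part of the original page or the firm's own tooling: it hashes a source image and its clone to confirm they are identical, and keeps a custody log in which every record commits to the one before it, so a later alteration or removal is detectable. SHA-256, the record fields and all names and timestamps are assumptions chosen for illustration; the sample data is constructed.

```python
import hashlib
import io
import json

GENESIS = "0" * 64  # "previous hash" used for the first record in a log


def sha256_stream(stream, chunk_size=1 << 20):
    """Hash an image in chunks so a large clone never has to fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def _record_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_record(log, when, who, action, item, image_sha256=None):
    """Append a custody record that commits to the record before it."""
    body = {"when": when, "who": who, "action": action, "item": item,
            "image_sha256": image_sha256,
            "prev": log[-1]["hash"] if log else GENESIS}
    log.append({**body, "hash": _record_hash(body)})
    return log[-1]


def first_broken_record(log):
    """Return the index of the first altered or missing record, or -1."""
    prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "hash"}
        if body["prev"] != prev or _record_hash(body) != record["hash"]:
            return i
        prev = record["hash"]
    return -1


if __name__ == "__main__":
    # Constructed stand-ins for a source drive and its clone (not real evidence).
    source = io.BytesIO(b"\x00" * 4096 + b"constructed sample sectors")
    clone = io.BytesIO(source.getvalue())
    src_hash, clone_hash = sha256_stream(source), sha256_stream(clone)
    log = []
    append_record(log, "2016-01-01T09:00Z", "Examiner A", "photographed in situ", "PC-01")
    append_record(log, "2016-01-01T11:30Z", "Examiner A", "cloned", "PC-01", src_hash)
    print("clone matches source:", src_hash == clone_hash)
    print("first broken record:", first_broken_record(log))
```

The chain only shows that records are internally consistent; the hash of the last record still has to be written down somewhere the log's keeper cannot change it.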

Computer forensics is a generic name describing forensic analysis and reporting of computer or IT media. As well as the hard drive(s) this may include USB drives, MP3/4 players, external drives etc. While most cases involve Windows operating systems, we can also apply the same principles to Mac OS and Linux. Never make the error of believing that when you hit the delete key the information is gone - there is a high possibility deleted data may be recovered in its entirety.

We apply computer forensics in investigation for many reasons, including:

  • Misuse of company information by employee or ex-employee
  • Internal theft or fraud
  • Analysis of email and deleted files
  • Pornography and/or illegal downloads
  • Data Recovery
  • Paedophilia
  • Substance Abuse / dealing
  • Internet Misuse
  • Theft of Intellectual Property (e.g. databases)

Copyright © F.L.I.P. Ltd 1995-2016
