As a Certified Forensic Computer Examiner (CFCE), I am always being asked by my clients what they need to be mindful of in cases involving computer forensic evidence. Here are my thoughts on some “Do’s and Don’ts” of cases involving digital evidence (or computer forensics).
Computer forensics is the process of obtaining electronic evidence from a computer hard drive or digital media device using the court-accepted process of preserving electronic evidence. It is a highly technical field, and one must be careful not to spoil the evidence before it has been collected.
- Do secure the evidence
Once you have identified specific hardware involved in the investigation, secure it immediately from all access.
- Do avoid making changes to the device
Do not make any changes to the device’s current state. If the device is powered on, leave it powered on, and if the device is powered off, leave it off. Isolate the device from network connectivity. If the device is connected to a network via cable, unplug the cable. If the device is connected via Wi-Fi (wireless), power down the Wi-Fi.
- Do keep the element of surprise in your computer investigation
Regardless of the case, it is important to keep a low profile while the investigation is active, and not to reveal the target or goal of your investigation until necessary.
- Do keep meticulous notes
Keep detailed notes of devices, people involved, allegations, dates, and times.
- Do gather all devices that may contain data
For example, USB devices, SD/media cards, CD-ROMs, external drives, and cameras. Keep in mind that with advancements in technology, media has become cheap and comes in smaller sizes with larger capacities. With larger capacities and small size, these devices can store a large amount of data and are easy to hide.
- Do report to law enforcement
If you believe a crime has been committed, contact the law enforcement agency for your jurisdiction or for the type of case involved.
- Do seek advice from a professional
Do have a computer forensics professional look at and handle the evidence. They have specialized hardware, software, and training to handle cases like this. Also, seek help from your organization’s legal department.
- Don’t attempt to look at the data on the device
We as humans are inquisitive. Any attempt to look at data can potentially destroy the evidence. A crucial timestamp that would make or break a case can be overwritten while you browse and click.
- Don’t use your IT department
Don’t use your IT department unless they are familiar with electronic evidence handling and legal admissibility standards like Chain of Custody and the Daubert principle. Again, if proper forensic procedures are not followed, the evidence can be destroyed.
- Don’t delay
In any investigation, time can be of the essence when electronic evidence is involved. The sooner you respond to the incident, the better the chance of preserving evidence.
- Don’t destroy any data
Data destruction can be harmful to a computer investigation. Data deletion can be easily detected and can have civil and criminal ramifications. Do not delete data, and prevent accidental or intentional deletion by limiting access to the target machine.