Computer Investigations Computer Forensics Expert

Do's and Don'ts

Steps to take and things to consider if you think a computer may have been misused or involved directly or indirectly in a crime.

Don't Panic


If possible, sit back and make a plan of action; it is rare that steps need to be taken immediately. A thorough and properly implemented plan will serve you well in the long term.

Don't do anything to arouse suspicion and don't tell anyone who does not need to know

Don't confront the suspect or do anything to arouse his or her suspicion. Consider carefully who needs to be told: crime is most often perpetrated by trusted individuals in positions of authority.

Identify the evidence


Establish what media is likely to contain data. Think about:


  • The suspect's desktop or laptop computer

  • The computers of secretaries or colleagues

  • Mobile Telephones

  • Electronic organisers or Personal Digital Assistants (PDAs)

  • The company server, especially the e-mail server
  • Backup tapes (local and server)

  • Telephone call logs and voice mail

  • Fax logs

  • Floppy disks, CDs, removable hard disks, Compact Flash cards, Memory Sticks, cameras

  • USB storage devices

  • Home computers

  • Third-party computers: do you need a court order to preserve evidence on a computer located elsewhere?



Secure and protect the integrity of the evidence


It is imperative that a forensic copy of the computers and associated media is secured at the earliest opportunity. If the investigation is to be overt and arousing suspicion is not an obstacle, then consider the following:


  • If the computer is switched off: leave it switched off - simply powering a computer on can cause irreparable damage to data and deleted data

  • If the computer is a PDA then connect it to the mains - some computers of this type will lose data if the batteries are allowed to discharge

  • If the computer is currently switched on, then give thought to leaving it on - depending on the type of case, evidence may be in unsaved documents or in memory

  • Disconnect the computer from the network and any phone lines - modern computers, if suitably configured, can be powered up by telephone or across a network
  • Check whether the employee or his/her colleagues have remote access to the system - many a time an employee has been suspended, only for it to emerge that they accessed their computer or a server remotely after the event
  • If it is considered 'safe' to involve the IT manager, think about changing passwords
  • If possible, secure the evidence under lock and key until it can be dealt with properly. 'Chain of evidence' is an important concept: a court will want to know 'who did' and 'who could' have had access to the evidence
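
The 'who did' and 'who could' questions above can be answered from a custody register kept from the moment an item is secured. The sketch below is an added example, not part of the original page or the firm's own tooling; chaining entries with SHA-256 is an assumption of this example, and all names, times and item labels are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value for the first entry

def _digest(entry):
    # Hash every field except the digest itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log, when, item, person, action, key_holders):
    """Append a custody entry chained to the previous entry's digest."""
    entry = {"when": when, "item": item, "person": person, "action": action,
             "key_holders": sorted(key_holders),
             "prev": log[-1]["digest"] if log else GENESIS}
    entry["digest"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log):
    """Return the index of the first broken entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["digest"] != _digest(entry):
            return i
        prev = entry["digest"]
    return None

def who_did(log, item):
    """People recorded as actually handling the item."""
    return sorted({e["person"] for e in log if e["item"] == item})

def who_could(log, item):
    """Handlers plus everyone who held a key while the item was stored."""
    holders = {p for e in log if e["item"] == item for p in e["key_holders"]}
    return sorted(holders | set(who_did(log, item)))

def build_sample_log():
    """Constructed sample entries; names, times and item label are invented."""
    log = []
    record(log, "2008-03-03T09:10Z", "LAPTOP-01", "A. Manager",
           "found switched off, left off, sealed in bag", ["A. Manager"])
    record(log, "2008-03-03T09:40Z", "LAPTOP-01", "A. Manager",
           "placed in locked cabinet", ["A. Manager", "B. Director"])
    record(log, "2008-03-05T14:00Z", "LAPTOP-01", "C. Examiner",
           "collected for forensic copy", ["C. Examiner"])
    return log
```

The chain only shows that earlier entries were not edited after later ones were written; the latest digest still needs to be witnessed somewhere the log keeper cannot change, such as a signed paper form.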



Don't be tempted to investigate yourself


Many well-meaning IT departments have fallen into this trap and have contaminated or destroyed evidence. Unless you know exactly what is required, have the correct tools to do the job and understand the legal requirements of computer-based evidence, don't be tempted. Failure to secure evidence in line with current accepted standards could rule the evidence inadmissible in court.

Always suspect the worst


© 2008 Sanderson Forensics Ltd - Computer Forensics Investigations