What is Computer Evidence?

Do You Have a Computer With Possible Evidence?

If you have a computer onsite that you believe holds data relevant to a critical matter, there are important steps you should follow to ensure the integrity of any possible evidence it contains.

Step #1: Stop using the computer in question immediately.

Any use of this computer may irrevocably damage or taint any evidence. If the suspected computer is turned off, leave it off. If the computer is on, it is important that you do not go through a normal “shut down” process. Instead, call Computer Forensics of Boston at 1-800-868-8189 for immediate instructions on how to proceed safely. 

Step #2: Don’t allow internal IT staff to conduct a preliminary investigation.

At this point, all you have is information and data; there is no evidence. Unless your IT staff are certified in computer forensics and trained in evidentiary procedures, they will not have maintained chain of custody or followed other accepted evidence-handling techniques. Secondly, even if proper evidence-handling techniques are used, the collection process itself alters, and likely taints, the data collected: opening, printing, and saving files irrevocably changes the meta-data. Lastly, the act of turning on the computer changes caches, temporary files, and slack file space, which, along with the alteration of the meta-data, may seriously damage or destroy any evidence that was on the computer.

Even if extensive damage is done by the internal IT staff, a skilled computer forensics vendor may be able to salvage the damaged evidence. This, however, can be an arduous and time-consuming process which often costs several times more than the original analysis would have cost. Even then, it is not always possible to restore evidence, especially meta-data timelines, from computers that have been mishandled. A good rule of thumb is to always use a certified external vendor for computer evidence collection.

Step #3: Keep a detailed log of machine access.

You will also want to keep a detailed log of who had access to the machine in question, what was done to it, and where the computer has been stored since the dates in question. When the hard drive is removed and sent to Computer Forensics of Boston for a forensic examination, be sure to document the date and time set in the system and note whether they differ from the current time.

Step #4: Secure the computer.

Further use of this computer may damage any relevant evidence. If the suspected computer is turned off, it should remain off. Be sure to secure the computer at this point to prevent anyone from unknowingly using it.

Computer forensics may be an unknown and mysterious discipline to many, but it is relatively easy to avoid the most common procedural mistakes. Only use a certified computer forensics expert, and do not rely on the internal IT staff for computer forensics investigations. If there is even a small chance that evidence from a suspected computer system will be needed, have Computer Forensics of Boston perform a Quick Analysis to forensically collect and report on any potential evidence. 

When it comes to retrieving critical electronic data, time is of the essence. 

We encourage you to contact us today at 1-800-868-8189 or email us to discuss your needs in more detail. All information will be kept strictly confidential.

Computer Forensics of Boston, proudly serving the greater Boston metropolitan area and worldwide.