Wednesday 29 June 2016

How Computer Forensics Works - Standards of Evidence

If the investigators believe the computer system is only acting as a storage device, they usually aren't allowed to seize the hardware itself. This limits any evidence investigation to the field. On the other hand, if the investigators believe the hardware itself is evidence, they can seize the hardware and bring it to another location. For example, if the computer is stolen property, then the investigators could seize the hardware.


In order to use evidence from a computer system in court, the prosecution must authenticate the evidence. That is, the prosecution must be able to prove that the information presented as evidence came from the suspect's computer and that it remains unaltered.

Although it's generally acknowledged that tampering with computer data is both possible and relatively simple to do, the courts so far haven't discounted computer evidence completely. Rather, the courts require proof or evidence of tampering before dismissing computer evidence.

Another consideration the courts take into account with computer evidence is hearsay. Hearsay is a term referring to statements made outside of a court of law. In most cases, courts can't allow hearsay as evidence. The courts have determined that information on a computer does not constitute hearsay in most cases, and is therefore admissible.

If the computer records include human-generated statements like e-mail messages, the court must determine if the statements can be considered trustworthy before allowing them as evidence. Courts determine this on a case-by-case basis.


DLA is based in Cape Town and combines the experience of two seasoned investigators with both criminal and civil backgrounds with the latest technologies to follow the electronic trail and find the digital evidence you need!

Wednesday 22 June 2016

How Computer Forensics Works - Phases of a Computer Forensics Investigation

The experts at DLA listed the following steps every digital forensic investigator should follow to retrieve digital evidence:


1. Secure the computer system to ensure that the equipment and data are safe. This means the detectives must make sure that no unauthorized individual can access the computers or storage devices involved in the search. If the computer system connects to the Internet, detectives must sever the connection.

2. Find every file on the computer system, including files that are encrypted, protected by passwords, hidden or deleted, but not yet overwritten. Investigators should make a copy of all the files on the system. This includes files on the computer's hard drive or in other storage devices. Since accessing a file can alter it, it's important that investigators only work from copies of files while searching for evidence. The original system should remain preserved and intact.

3. Recover as much deleted information as possible using applications that can detect and retrieve deleted data.

4. Reveal the contents of all hidden files with programs designed to detect the presence of hidden data.

5. Decrypt and access protected files.

6. Analyse special areas of the computer's disks, including parts that are normally inaccessible. (In computer terms, unused space on a computer's drive is called unallocated space. That space could contain files or parts of files that are relevant to the case.)

7. Document every step of the procedure. It's important for detectives to provide proof that their investigations preserved all the information on the computer system without changing or damaging it. Years can pass between an investigation and a trial, and without proper documentation, evidence may not be admissible.

8. Be prepared to testify in court as an expert witness in computer forensics. Even when an investigation is complete, the detectives' job may not be done.

All of these steps are important, but the first step is critical. If investigators can't prove that they secured the computer system, the evidence they find may not be admissible. It's also a big job. In the early days of computing, the system might have included a PC and a few floppy disks. Today, it could include multiple computers, disks, thumb drives, external drives, peripherals and Web servers.
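The work-from-copies rule in step 2 and the documentation duty in step 7 are commonly backed by cryptographic hashes. This is an added example, not code from DLA or the original article. It assumes SHA-256 as the digest and a hash-chained JSON log as the record format, neither of which the page specifies; the file names and sample bytes are constructed.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):  # chunked: a large image need not fit in memory
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_step(log, action, detail):
    """Append a record chained to the previous one, so later edits are detectable."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"seq": len(log), "action": action, "detail": detail, "prev": prev}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)

def verify_log(log):
    prev = "0" * 64
    for seq, entry in enumerate(log):
        if (entry["seq"], entry["prev"], entry["entry_hash"]) != (seq, prev, entry_digest(entry)):
            return False
        prev = entry["entry_hash"]
    return True

def acquire(original, copy, log):
    """Copy the original, prove the copy is bit-identical, record both digests."""
    src_hash = sha256_file(original)
    log_step(log, "hash_original", {"path": str(original), "sha256": src_hash})
    shutil.copyfile(original, copy)
    copy_hash = sha256_file(copy)
    log_step(log, "hash_copy", {"path": str(copy), "sha256": copy_hash})
    if copy_hash != src_hash:
        raise ValueError("working copy differs from original")
    return src_hash

def demo():
    with tempfile.TemporaryDirectory() as d:
        original, copy, log = Path(d) / "evidence.img", Path(d) / "working.img", []
        original.write_bytes(b"constructed sample image " * 4096)  # not real evidence
        digest = acquire(original, copy, log)
        copy.write_bytes(copy.read_bytes()[:-1] + b"!")  # simulate a one-byte change
        changed, log_ok = sha256_file(copy) != digest, verify_log(log)
        log[0]["detail"]["sha256"] = "0" * 64  # simulate an edited log record
        return changed, log_ok, verify_log(log), sha256_file(original) == digest
```

`demo()` returns, in order: whether the altered working copy was detected, whether the untouched log verified, whether the edited log still verified, and whether the original still matches its recorded digest.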

Wednesday 15 June 2016

Computer Forensics Basics – How it works

The purpose of computer forensics techniques is to search, preserve and analyze information on computer systems to find potential evidence. Many of the techniques detectives use in crime scene investigations have digital counterparts, but there are also some unique aspects to computer investigations.

For example, just opening a computer file changes the file -- the computer records the time and date it was accessed on the file itself. If detectives seize a computer and then start opening files, there's no way to tell for sure that they didn't change anything. Lawyers can contest the validity of the evidence when the case goes to court.

Some people say that using digital information as evidence is a bad idea. If it's easy to change computer data, how can it be used as reliable evidence? Many countries allow computer evidence in trials, but that could change if digital evidence proves untrustworthy in future cases.

Computers are getting more powerful, so the field of computer forensics must constantly evolve. In the early days of computers, it was possible for a single detective to sort through files because storage capacity was so low. Today, with hard drives capable of holding gigabytes and even terabytes of data, that's a daunting task. Detectives must discover new ways to search for evidence without dedicating too many resources to the process.

What are the basics of computer forensics? What can investigators look for, and where do they look? Find out when the digital forensic experts from DLA discuss the steps in collecting evidence from a computer.


Wednesday 8 June 2016

Four ways to protect your PC data

A modern PC leads a kind of dual life. On the one hand, it serves as an entertainment centre, offering access to games, online videos, and the entire Internet. On the other hand, it acts as a tool for collecting, creating, and storing important information of all kinds.

If your computer is lost, broken, or stolen, switching to a new one has little effect on the entertainment side. But unless you've properly protected the personal data on that system, a theft or loss could become a data disaster.

The digital forensic experts at DLA use state-of-the-art techniques and software to recover your precious data, whether it was accidentally deleted or even stolen.

But, how can you head off such a disaster? Here are some hot ideas:


1. Hide Your Valuables
If a burglar breaks into your house, will she find your valuables lying around in plain sight? Or have you hidden them away safely? By the same token, even though your security suite or antivirus really should fend off data-stealing Trojans, protecting your personal data on the chance one might get through is just common sense. Having your data locked down will also help if that burglar makes off with your laptop.


2. Skip the Recycle Bin
When you need to dispose of papers that contain private information, you don't toss them in the recycling bin with the newspapers. Rather, you put them through the shredder. When deleting sensitive files, you should likewise avoid Windows's Recycle Bin.


3. Encrypt It!
A data-stealing Trojan will grab what it can get easily. Unless you're the target of a personally directed hack attack, you can figure that even simple encryption will defeat the Trojan. Got a sensitive file you need to keep, rather than shred? At the very least, copy it into an encrypted ZIP file and then shred the original.


4. Keep It Offsite
PCs break down, laptops get stolen, files get lost. A backup copy is the ultimate security for your data, but if you keep the backup with the computer a single disaster can take out both at once. A hosted online backup service encrypts your data and keeps it in a safe location far, far away.

Unless your PC functions as nothing but an entertainment centre, its loss or theft will have an impact far beyond the cost of a replacement. By taking steps to protect the important data on the PC you can keep that impact to a minimum.

Hide personal data, securely delete outdated sensitive files, and encrypt sensitive files that you're still using. That will keep a thief from stealing both your PC and your identity. Maintaining an offsite backup copy will ensure you don't lose access to the data files you really need to keep. A little effort now can save a huge headache later.

Wednesday 1 June 2016

How to protect the private data on your phone

Your mobile phone carries all sorts of details that could damage you in the wrong hands. Here's how you can protect it from prying eyes.


  • Register your IMEI number

The International Mobile Equipment Identity is used by police to trace a lost phone. Network providers use it to block a stolen phone. It's usually found under the battery, or via the phone's settings. Register it at a site such as immobilise.com.

  • Remotely wipe all data

If you have lost your phone, you can clear the data before thieves download it. Android devices can use Google Sync along with Google Apps Device Policy to clear data remotely. Have you cleared your data and you want to get it back? Contact the digital experts at DLA and you can get your precious data back quickly and easily!

  • Get antivirus protection

Now is the time to protect against malware and viruses, particularly on Android phones. There are subtle ways for developers and fraudsters to get to your data. Most computer antivirus-software companies provide apps to keep out malware and viruses that grab data.

  • Download a phone-finder app

Most smartphones now have GPS tracking -- which you can use to locate a lost phone. Apple's Find My iPhone app has been free since the introduction of iOS 4.2. Android users should try Theft Aware.