First of all – STOP using the computer or device! Any use of it may damage or taint any evidence present. If the suspected computer is turned off, then leave it off.

If the computer or device is on, do not go through the normal “Shut Down” process. Instead, call the digital forensic experts first.

Do not allow your internal IT staff to conduct a preliminary investigation.

It is important to recognise that all you have initially is information and data, not actual evidence. Unless your IT staff is certified in computer forensics and trained on evidentiary procedures (very few are), they most likely have not followed other accepted evidence techniques.

Another thing to keep in mind is that even if proper evidence handling techniques have been used, the collection process itself has most likely changed or altered the data collected. By opening, printing and saving files, the meta-data is changed! Lastly, the simple act of just turning on the computer changes files and caches, which, along with the alteration of the meta-data, may have seriously damaged or destroyed any evidence that was present.

Depending on the damage done, a skilled computer forensic specialist may be able to salvage the damaged evidence. This, however, can be an arduous and time-consuming process which often costs several times more than it should. Bear in mind, too, that it is not always possible to restore evidence from computers that have been mishandled.

Keep a detailed log of who had access, what was done and where the computer has been stored since the dates in question.

Computer forensics may be an unknown and mysterious discipline to many, but it is easy to avoid the most common mistakes by following the guidelines outlined above! Only use certified digital forensic experts, such as the professionals from DLA. Contact them today and get the job done right.