Search:

Forensic Computer Investigations Require Specific Protocol For the Legal Handling Of Recovered Data

Forensic computer investigations seek to gather evidence for determining whether computer systems have been used for unlawful or unauthorized activities. The evidence can reside in computers, storage devices and the network.

The investigations have to be conducted in a forensically sound manner acceptable to a court of law. Essentially this means that the evidence must be gathered in a manner that cannot be challenged in a court of law on grounds of tampering, inaccuracy, etc.

Forensic computer investigators require an awareness of legal issues involved as well as technical skill and familiarity with computer systems.

Collecting Evidence From Computer Systems

Taking digital photographs of the room, computers and surroundings is a typical starting point. This is done when the system is seized and before anything is changed.

A forensic computer investigator should be aware that the suspect who committed the unlawful activities could be an expert. This means that the person is quite likely to have installed anti-detection measures such as wiping out evidence whenever certain actions of an investigative nature are initiated.

Hence, the investigator should proceed in a manner that simulates an ordinary user when handling the computer.

When working with live systems, much of the data is in a highly perishable form. For example, the contents of RAM, which can include passwords, encryption keys and system/program settings, can disappear if the computer is powered off.

The investigator has to proceed in a manner that the more perishable data are collected first. The typical order will be:

Network connection that can reveal the points with which a computer had been connected to and what data was being transferred

RAM that can provide details of programs that were currently running or were recently run

System settings that can identify all users, currently logged in users, system date and time, currently accessed files and current security policies

Hard disks that can contain much of the data needed for the investigation must be imaged in such a way as to not affect the original drives data or impair any investigation using the image.

The forensic investigator then proceeds to collect all removable computer storage media such as CD/DVD, USB memory cards, music players, digital camera cards and so on. In addition to computer hardware and media, the investigator will collect printouts, notes and other physical evidence lying around.

Notes can contain user id password combos and security related instructions that make the task of investigation much easier. An even more valuable source is the user of the system, who can reveal passwords, encryption methods and other information that can help the investigation immeasurably.

Forensically Sound Computer Investigation

Courts scrutinize all evidence produced before them for acceptability. Defense lawyers can challenge the evidence by pointing to any actions or circumstances that make the evidence unreliable. It is thus highly important that all evidence be collected in a manner that leaves no room for such challenges.

The investigator has to document every action the person has taken. The evidence must be kept under safe custody in a manner that only authorized team members can access them. Analysis of storage media is done with copies and not with the originals, because the analytical procedures can change the contents.

The tools used must have been tested and evaluated to validate their accuracy and reliability. Exact duplicates of all storage media are made using such validated tools and it is these copies that are worked with.

The above are just some of the major concerns that illustrate how a forensic computer investigation proceeds. Only a trained investigator is likely to secure forensic evidence that can satisfy a court of law.

Conclusion

Forensic computer investigations seek to help determine whether unlawful or unauthorized activities have been committed using computer systems. The investigator collects data residing in network connections, computer memories, the computer hardware, hard disks and removable storage media.

The investigation is done using validated tools and in a manner that would be acceptable to a court of law. A forensic computer investigator requires legal awareness as well as technical skill to collect and analyze the gathered evidence.

Article Source: http://www.rightarticle.com

About Author:
Andy Butler from ABC Data Recovery writes about Forensic-Computer-Investigations visit www.abc-data-recovery.co.uk for further information.

Please Rate this Article

Not yet Rated

Click the XML Icon Above to Receive Data Recovery Articles Via RSS!

Additional Articles From - Home | Computers | Data Recovery

EDB Corruption after Mounting the Database - By : Andrew Watson
Effective Photo recovery through Mac Photo Recovery Software - By : Andrew Watson
The Other Side of Preview Pane of Outlook - By : Andrew Watson
What Are the Most Essential Features For a Managed Dedicated Server Plan? - By : Amy Nutt
What is Remote Data Backup and Why Would You Need It? - By :
Outlook does not recognize one or more names Error in Outlook - By : Andrew Watson
Disk First Aid Utility in Mac - By : Andrew Watson
Hard Drive Recovery: What Are Your Options? - By :
Random Freezes in Linux Distributions - By : Andrew Watson
Digital Forensics - Changing the Battle on Crime - By : MagnetikMan

	Print This Article
	Post Comment
	Add To Favorites
	Email to Friends
	Ezine Ready

Submit Articles
Member Login
Top Authors
Submission Guidelines
Ezine Notifications
Article RSS Feeds

New Stuff
About Us
Link to Us
Contact Us
Privacy Policy
Terms of Service

Must See These
Article Manual
Finance Manual
Health Manual
Web Directory