The cardinal rule with all computer evidence is to protect it, as soon as possible, from deletion, contamination and modification and, where possible, to keep it in the same state and in the same location as it was at the time of the offence. Simply turning the computer on and allowing it to boot into (say) Windows 95 will make many changes to the contents of certain files on the disk. These files may not be the ones of interest to the investigation, but the modification of one file can cause previously deleted files containing valuable evidence to be lost for ever.
Likewise, making a backup of the disk will only copy the "live" files. None of the deleted files will be recovered and, just as importantly, the "slack space" between the end of one file and the beginning of the next will be ignored entirely. This area is sometimes the source of rich evidential pickings.
The answer is a "forensic image". The use of evidentially sound imaging applications and practices is essential to maintain evidential continuity. Such imaging tools are not normally in the toolkit of the security or support department but are used by expert forensic analysts to produce exact images of every bit of data on a hard disk. Imaging is carried out without launching the computer's operating system, thereby preventing any changes to the contents of the disk under investigation. It also generates a log file which records all the parameters of the process, from disk geometry, interface health and packet checksums to case details such as date, time, analyst's name, etc.
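The two points above, that a file-level backup misses deleted files and slack space while a bit-for-bit image captures everything, and that the imaging log's checksums are what let a copy be verified later, can be shown in a few dozen lines. The following is an added illustration, not code from the original article or from Evidence Talks. It uses a constructed toy "disk" (a byte array split into 16-byte clusters with a hypothetical file table, not a real filesystem) and constructed sample content; the case details in the log are placeholders.

```python
import hashlib
from datetime import datetime, timezone

CLUSTER = 16  # bytes per cluster in the constructed toy disk (not a real filesystem)
CHUNK = 32    # read size used when imaging, to mimic block-wise acquisition

# Constructed sample data; none of it comes from a real case.
LIVE_FILE = b"Quarterly figures OK"                 # 20 bytes -> clusters 0-1, 12 bytes of slack
SLACK_RESIDUE = b"OLD:wipe me!"                     # 12 bytes left behind in cluster 1's slack
DELETED_FILE = b"deleted-file: contract draft v2"   # 31 bytes in clusters 4-5, no longer in the table


def make_sample_disk():
    """Return (disk_bytes, file_table) for a constructed 8-cluster disk.

    file_table maps a live file name to (start_offset, length). The deleted
    file has been removed from the table but its clusters were never overwritten.
    """
    disk = bytearray(CLUSTER * 8)
    disk[0:len(LIVE_FILE)] = LIVE_FILE
    slack_start = len(LIVE_FILE)
    disk[slack_start:slack_start + len(SLACK_RESIDUE)] = SLACK_RESIDUE
    deleted_start = 4 * CLUSTER
    disk[deleted_start:deleted_start + len(DELETED_FILE)] = DELETED_FILE
    file_table = {"memo.txt": (0, len(LIVE_FILE))}
    return bytes(disk), file_table


def logical_backup(disk, file_table):
    """A file-level backup: copies only the live byte ranges named in the table."""
    return {name: disk[start:start + length] for name, (start, length) in file_table.items()}


def forensic_image(disk, case_details):
    """Bit-for-bit acquisition of the whole medium, hashing as it is read.

    Returns (image_bytes, log). The log mirrors the kind of record an imaging
    tool keeps: size, hash of the source as read, hash of the image as written,
    timestamp and the case details supplied by the analyst.
    """
    source_hash = hashlib.sha256()
    image = bytearray()
    for offset in range(0, len(disk), CHUNK):
        block = disk[offset:offset + CHUNK]
        source_hash.update(block)
        image.extend(block)
    image = bytes(image)
    log = {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source_bytes": len(disk),
        "image_bytes": len(image),
        "sha256_source": source_hash.hexdigest(),
        "sha256_image": hashlib.sha256(image).hexdigest(),
        **case_details,
    }
    return image, log


def verify_image(image, log):
    """Re-hash a copy and compare it with the acquisition log; a single
    changed byte fails the check, which is what makes the copy defensible."""
    return (len(image) == log["source_bytes"]
            and hashlib.sha256(image).hexdigest() == log["sha256_source"])


def contains(data, needle):
    """True if `needle` appears anywhere in the bytes, or in any value of a
    backup dictionary."""
    if isinstance(data, dict):
        return any(needle in blob for blob in data.values())
    return needle in data


if __name__ == "__main__":
    disk, table = make_sample_disk()
    backup = logical_backup(disk, table)
    # Placeholder case details; a real log would carry the analyst's actual case record.
    image, log = forensic_image(disk, {"case": "EXAMPLE-001", "analyst": "A. Analyst"})
    print("backup has live file:    ", contains(backup, LIVE_FILE))
    print("backup has slack residue:", contains(backup, SLACK_RESIDUE))
    print("backup has deleted file: ", contains(backup, DELETED_FILE))
    print("image has slack residue: ", contains(image, SLACK_RESIDUE))
    print("image has deleted file:  ", contains(image, DELETED_FILE))
    print("image verifies:          ", verify_image(image, log))
    tampered = image[:-1] + bytes([image[-1] ^ 1])
    print("tampered copy verifies:  ", verify_image(tampered, log))
```

The logical backup returns only the 20 live bytes of `memo.txt`; the slack residue and the unlinked "deleted" file are absent from it but present in the image. The working copy made from the image (the next paragraph's point) is acceptable only while `verify_image` still matches the hash recorded at acquisition; flipping one byte is enough to fail it.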
The forensic image can be used to generate an exact working copy of the original disk. The copy can then be placed back in the computer in place of the original, which should be sealed in a bag and stored as the "original" evidence.
Adducing the Proof
A second copy is then taken from the forensic image, which can be examined in many different ways. The forensic analyst will usually request a brief from the client as to what type of evidence is being sought. It is unwise, and may be illegal, to go on what is called a "fishing trip" for evidence, although it is not uncommon, while searching for one thing, to stumble across another. The art in locating evidence is being able to think like the abuser while keeping accurate, contemporaneous notes about what was done, why it was done, what was found and why it is being used as evidence. In court cases, computer evidence can be dismissed if even the slightest doubt over its veracity can be shown, making the process of adducing the evidence correctly vital to the success or otherwise of the case.
Elizabeth Sheldon is a director of Evidence Talks, one of the most highly regarded computer forensics consultancies in the UK. Evidence Talks lead the way with unique solutions to some of the problems faced by industry today. For more information visit http://www.evidencetalks.com/