Frequently Asked Questions —
Computer Evidence Basics
Basic computer hardware
For the purposes of evidence, think of a computer as a filing cabinet. The volume of information that can be stored on current computers is mind-boggling. Most people are not aware of how much information their computer stores about them and about what they do with it.
Where is information stored on a computer?
There are many types of storage media. These include: floppy disks, hard disks, ZIP disks, JAZ disks, Bernoulli cartridges, magnetic tape, magneto-optical cartridges, CD-ROM, CD-R, CD-RW, DVD …. The storage may also be on a network or in the cloud.
What type of evidence can be found on a computer?
Evidence can be found in many different forms: financial records, word processing documents, diaries, spreadsheets, databases, e-mail, pictures, movies, sound files, etc.
Where else can evidence be found on a computer?
A lot of information is stored in a computer of which most users are unaware. We can usually tell what a computer was used for, when it was used, what the user has done on the Internet (and when), and recover much of what the user wrote, read or viewed on the computer.
What happens when you 'delete' a file?
Think of a card catalog in a library. When you delete something, all you are throwing out is the card from the card catalog. The book remains on the shelf. The computer has only been told that the space on the shelf is available for use if necessary. If the computer does use that space, then the old file is overwritten and is gone. With our software tools we can find those "old books" still on the shelves. Often, even if we can't get all of the "book" (the deleted file), we can get substantial parts of it.
Who can allow a computer to be searched for evidence?
The owner of a computer can grant permission for it to be examined. A business may grant permission for a search on any of their computers, regardless of the user. In a civil dispute, the parties can agree to an examination or the court can order an examination. In a criminal case, the computer will usually first be seized by law enforcement. The opposing attorney can often request copies of the seized material and the report of its examination or request an examination by a private lab.
What does a computer forensic analyst do?
The first rule of computer forensic evidence analysis is "don't alter the evidence in any way." The simple act of turning on a computer can alter or destroy any evidence that might be there. The search for evidence on a computer should only be done by a trained and experienced computer forensic examiner. The examiner will document all work, write-protect all media, make copies of media (often referred to as a mirror image), perform an examination and analysis on the copies, and prepare a written report. Extra copies of the mirror images are often prepared for other investigators, attorneys or the opposing side. You may get the copies on CDs, tapes or some other media. Even these copies will need to be analyzed by an experienced professional.
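The two steps described above, making a verified copy of the media and then looking for the "old books" still on the shelves of that copy, as an added Python example that is not part of the original page: it writes a constructed sample of seized media to a temporary directory, copies it to a working image, verifies the copy by SHA-256 before any analysis, and then carves deleted JPEG data from the copy by file signature alone. The sample media contents, the file names and the marker-based carving are illustrative assumptions, not the lab's procedure.

```python
import hashlib, os, tempfile

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker
# Constructed sample media: the catalog cards for these two pictures are gone,
# but the bytes are still on the shelf; the second one was partly overwritten.
CONSTRUCTED_MEDIA = (
    b"\x00" * 32
    + JPEG_SOI + b"\xe0photo data..." + JPEG_EOI
    + b"\x00" * 16
    + JPEG_SOI + b"\xe1partial"
    + b"\x00" * 16
)

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source_path, image_path):
    """Copy the media block by block, then prove the copy is bit-identical."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(1 << 20), b""):
            dst.write(block)
    source_hash, image_hash = sha256_of(source_path), sha256_of(image_path)
    return source_hash, image_hash, source_hash == image_hash

def carve_jpegs(data):
    """Find JPEG data by signature alone, without any file system entries."""
    fragments, pos = [], 0
    while (start := data.find(JPEG_SOI, pos)) != -1:
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        complete = end != -1  # no trailer: the rest of the file was overwritten
        end = end + len(JPEG_EOI) if complete else len(data)
        fragments.append({"offset": start, "complete": complete, "data": data[start:end]})
        pos = end
    return fragments

def examine(workdir=None):
    workdir = workdir or tempfile.mkdtemp()
    source = os.path.join(workdir, "seized_media.bin")  # stands in for the original
    image = os.path.join(workdir, "working_copy.dd")    # all analysis happens here
    with open(source, "wb") as f:
        f.write(CONSTRUCTED_MEDIA)
    source_hash, image_hash, verified = acquire(source, image)
    with open(image, "rb") as f:
        fragments = carve_jpegs(f.read())
    return {"verified": verified, "sha256": image_hash, "fragments": fragments}
```

The recorded hash is what lets a second examiner, or the opposing side, confirm that the copy they received is the same evidence that was imaged.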
What should be included in a computer forensic examination report?
As with the examination of any evidence, a well-documented chain of custody is a must. A forensic analysis should include notes taken by the examiner. These notes may not be included in a final written report, but they can and do get included in discovery requests. The report should detail the hardware examined, the procedures and software used in the examination and any evidence found. Often the volume of evidence is so large it will not be included in printed form, but will be included in electronic form (most often on CD or DVD).