Jude Lacour: Proper Procedures for Preparing Devices for Computer Forensics

Posted on 2008-04-09

Expert testimony supported by science and technology was formerly accepted without question. As technical evidence is becoming more commonplace, it is also falling under more public scrutiny. Computer evidence, for example, needs to be processed and documented thoroughly in order to stand up to being challenged in court. However, done properly, computer forensics can be a defense team’s strongest support.

As a defense attorney or private citizen suspected or charged with a crime, you might require computer forensics services. In that case, how do you best prepare any items that a computer forensics team might need to analyze?

Much like any type of evidence, preservation of computer evidence is essential to its processing. Therefore, the more you know about preparing for a computer forensics team, including handling items and documenting all your steps before handing them over, the more you can safeguard against potential problems.

Foremost, you must take proper security steps to protect the information stored in items such as desktops, laptops, and other storage media like portable hard drives or CDs/DVDs. Something as simple as turning the unit on or off without following the recommended steps (which you should follow anyway in daily use), for instance, might cause serious damage to the stored information and to the investigation itself.

The following are some simple tips and techniques to keep in mind:

1. Never touch the physical structure of the device. As with all evidence presented in court, the item cannot be contaminated. Fingerprints and other physical evidence must be left undisturbed. In addition, the device must be left where it is. You should not move it.

2. As previously mentioned, every step that deals with evidence must be properly documented. For example, before a computer unit is moved, you should take a photograph of it. The computer screen especially should be photographed before the unit is shut down for transportation, as any information displayed onscreen might be crucial evidence. Unfortunately, it might also be the only remaining evidence should something unexpected happen to the unit during transport.

3. Likewise, the device and any peripheral devices attached to it (such as printers, cables, and more) should never be used or touched.

4. Be careful with electrical outlets, switches, surge protectors, or any power supply that might cause the device to shut down unexpectedly if accidentally touched. Again, this could lead to data loss.

5. If the device is attached to a network, wait for the expert to take a look at it. Information is shared in networks and any outside interference might compromise the data stored.

In conclusion, being aware that any action on your part might compromise computer evidence, and taking steps to prevent that, will make your computer forensics team more efficient and effective on the job. Data loss, especially, is a common problem resulting from being uninformed. Simple mistakes we probably make daily in handling computer devices can obstruct your computer forensics team’s thoroughness and threaten the investigation altogether.
