ArticlesBase.com - Free Articles Directory


Forensic Computer Investigations Require Specific Protocol for the Legal Handling of Recovered Data

Author: Andy Butler | Posted: 13-01-2008

Forensic computer investigations seek to gather evidence for determining whether computer systems have been used for unlawful or unauthorized activities. The evidence can reside in computers, storage devices and the network.

The investigations have to be conducted in a forensically sound manner acceptable to a court of law. Essentially this means that the evidence must be gathered in a manner that cannot be challenged in a court of law on grounds of tampering, inaccuracy, etc.

Forensic computer investigators require an awareness of legal issues involved as well as technical skill and familiarity with computer systems.

Collecting Evidence From Computer Systems

Taking digital photographs of the room, computers and surroundings is a typical starting point. This is done when the system is seized and before anything is changed.

A forensic computer investigator should be aware that the suspect who committed the unlawful activities could be an expert. This means that the person is quite likely to have installed anti-detection measures such as wiping out evidence whenever certain actions of an investigative nature are initiated.

Hence, the investigator should proceed in a manner that simulates an ordinary user when handling the computer.

When working with live systems, much of the data is in a highly perishable form. For example, the contents of RAM, which can include passwords, encryption keys and system/program settings, can disappear if the computer is powered off.

The investigator has to proceed so that the more perishable data are collected first. The typical order will be:

  • Network connections, which can reveal the points to which a computer had been connected and what data was being transferred

  • RAM, which can provide details of programs that were currently running or were recently run

  • System settings, which can identify all users, currently logged-in users, system date and time, currently accessed files and current security policies

  • Hard disks, which can contain much of the data needed for the investigation and must be imaged in a way that neither affects the original drive's data nor impairs any investigation using the image


The forensic investigator then proceeds to collect all removable computer storage media such as CDs/DVDs, USB memory cards, music players, digital camera cards and so on. In addition to computer hardware and media, the investigator will collect printouts, notes and other physical evidence lying around.

Notes can contain user ID and password combinations and security-related instructions that make the task of investigation much easier. An even more valuable source is the user of the system, who can reveal passwords, encryption methods and other information that can help the investigation immeasurably.

Forensically Sound Computer Investigation

Courts scrutinize all evidence produced before them for acceptability. Defense lawyers can challenge the evidence by pointing to any actions or circumstances that make the evidence unreliable. It is thus highly important that all evidence be collected in a manner that leaves no room for such challenges.

The investigator has to document every action that he or she has taken. The evidence must be kept in safe custody, in such a way that only authorized team members can access it. Analysis of storage media is done with copies and not with the originals, because the analytical procedures can change the contents.

The tools used must have been tested and evaluated to validate their accuracy and reliability. Exact duplicates of all storage media are made using such validated tools and it is these copies that are worked with.
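An added example, not part of the original article: working from a verified duplicate while documenting each action, in Python. Comparing SHA-256 hashes is an assumption (the article does not name a verification method), and the file names, `examiner-1` and the JSON-lines log format are hypothetical.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB blocks so a large image never sits in memory

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:  # read-only open
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def log_action(log_path, examiner, action, **details):  # one record per action taken
    entry = {"utc": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "action": action, **details}
    with open(log_path, "a") as log:  # append-only: earlier records are never rewritten
        log.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def duplicate(source, dest, log_path, examiner):
    src_hash = hashlib.sha256()  # the source is hashed as it is read
    with open(source, "rb") as src, open(dest, "xb") as dst:  # "xb" refuses to overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    return log_action(log_path, examiner, "duplicate", source=source, dest=dest,
                      source_sha256=src_hash.hexdigest())

def verify(path, expected, log_path, examiner):
    actual = sha256_file(path)  # re-read from disk, compare with the acquisition hash
    return log_action(log_path, examiner, "verify", path=path, sha256=actual,
                      verified=(actual == expected))["verified"]

def demo():
    with tempfile.TemporaryDirectory() as d:
        image, copy, log = (os.path.join(d, n)
                            for n in ("evidence.img", "working.img", "custody.jsonl"))
        with open(image, "wb") as f:  # constructed 3 MiB stand-in for a disk image
            f.write(bytes(range(256)) * 12288 + b"constructed-sample")
        ref = duplicate(image, copy, log, "examiner-1")["source_sha256"]
        fresh = verify(copy, ref, log, "examiner-1")
        with open(copy, "r+b") as f:  # simulate analysis changing the working copy
            f.write(b"\xff")  # the first byte was 0x00
        altered = verify(copy, ref, log, "examiner-1")
        original = verify(image, ref, log, "examiner-1")
        with open(log) as f:
            return fresh, altered, original, len(f.readlines())

if __name__ == "__main__":
    print(demo())  # (True, False, True, 4)
```

The altered working copy fails verification while the original still matches, which is why analysis is done on copies. On real media the source would be read through a write blocker; the example operates on an image file only.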

The above are just some of the major concerns that illustrate how a forensic computer investigation proceeds. Only a trained investigator is likely to secure forensic evidence that can satisfy a court of law.

Conclusion

Forensic computer investigations seek to help determine whether unlawful or unauthorized activities have been committed using computer systems. The investigator collects data residing in network connections, computer memories, the computer hardware, hard disks and removable storage media.

The investigation is done using validated tools and in a manner that would be acceptable to a court of law. A forensic computer investigator requires legal awareness as well as technical skill to collect and analyze the gathered evidence.


Article Source: http://www.articlesbase.com/data-recovery-articles/forensic-computer-investigations-require-specific-protocol-for-the-legal-handling-of-recovered-data-303420.html

About the Author:

Andy Butler from ABC Data Recovery writes about forensic computer investigations. Visit www.abc-data-recovery.co.uk for further information.
