Top 10 Ways People Damage Evidence

Turning on the computer
The biggest no-no. It writes large amounts of data to the hard disk, potentially wiping all traces of a deleted file forever. Data is automatically updated and therefore altered. Turning the computer on affects the swap file and registry as well as the list of most recently used documents. Dates when a file was created, last modified, last accessed and updated can all be unwittingly altered.

Investigating email with email
Investigating emails with an email client carries a host of potential dangers. Going into a suspect’s inbox in Outlook and reading an email which has not been opened before may create a read receipt, leaving a clear trace of the activity. Although often done to try and confirm suspicions, it can be considered tampering with the evidence.

Losing evidence
Failing to either make a forensic image of the hard drives of staff when they leave, or replace the hard drive and store the original, runs the risk of losing important data and therefore being unable to substantiate claims made at a later date.
Creating a copy of a person’s computer as it was when last used is key to preserving data.

DIY data recovery
Unskilled staff attempting to recover data from machines they suspect contain evidence is a big problem. Often, people can’t resist the urge to ‘have a quick look’ when an incident occurs. And although in many cases technical support will be called in, unfortunately, they will generally not have the specialist skills needed to investigate in an evidentially-sound manner. Correctly recovering data is expert work and should only be carried out by suitably qualified professionals.

Following evidential URLs
This is really dangerous territory. Apart from the risk of incriminating yourself — in the case of child abuse images you are essentially committing the same ‘offence’ as the suspect — there is also the possibility of compromising confidential data. You should never click on links in emails, even when they are from a supposedly trusted source.

Preserving digital evidence - Shutting down the PC
Simply, DON’T! Computers like to be very orderly, so when you shut down they will do a lot of ‘housekeeping’ — tidying up files, overwriting deleted information and changing times and dates which are vital to any investigation. If you have to turn the computer off, simply pull the plug. This freezes it and creates a ‘snapshot’ in time which can be forensically examined using a whole range of tools.

Jumping to conclusions
A common mistake when a computer crime is committed is to assume guilt and embark on a witch hunt for the culprit.
But is vital not to jump to conclusions. Just because there is incriminating material on somebody’s computer does not mean they put it there. Somebody else may have hacked their password, or it could have been a Trojan horse or other virus of which they had no knowledge, and therefore no control over.

Ignoring the evidence
Many ‘first responders’ will miss vital evidence by failing to follow correct procedures. Simply pulling the plug on the
computer will wipe the contents of RAM, which may contain useful information, particularly in cases of hacking or server damage. CDs, DVDs, digital cameras and personal organisers on a person’s desk are also often overlooked.

Incorrectly marked tapes
This is the bane of the life of a forensic analyst. It is extremely frustrating when investigating an incident to find that he data on a back-up tape is different from what is stated on the label. It is vital to have a data back-up and retention policy and be consistent in the implementation of it. Everyone involved in security must be aware of what their organisation’s back-up procedures are.

Being careless with evidence
Badly-handled evidence can stop a criminal investigation in its tracks. Evidence should always be carefully secured and then packaged with care. If not, fragile date can be damaged or even lost while stored or being transported. The evidence collection process should always begin with the creation of an incident log, in which the times and dates of any action taken are recorded.