3.0 Computer Evidence: Processing Process

According to the International Organization on Computer Evidence (IOCE), there are principles that must be applied in order to recover digital evidence. The principles that must be applied are as follows:

  1. The same general rules of evidence apply to all digital evidence.
  2. Seizing the digital evidence must not change it; precautions must be taken.
  3. Only a trained person may access the original evidence, and only when necessary.
  4. Any activity involving the evidence, such as seizure, storage, access or transfer, must be documented, preserved and made available for review.
  5. Responsibility for the evidence rests with the person who possesses it at the time.

There is no single, specific way to process computer evidence; it depends on the circumstances of the case itself. Processing evidence requires a great deal of skill and attention to detail. In this blog post, I will give you only a general guideline on how to process computer evidence.

  • Taking precautions.

Some precautions must be taken to minimize the risk of changing or contaminating the evidence. This is to preserve sensitive evidence such as fingerprints and DNA. The precautions benefit not only the evidence but also the person collecting it: to avoid any dangerous substance, the person must wear appropriate protective gear such as gloves and face masks.

  • Document the physical evidence.

The first step is to document the physical evidence. Physical evidence here refers to the computer itself. To document it, take pictures of the computer, such as the screen, and of the arrangement of the scene (including the computer). This is important to establish the originality of the evidence. Labeling all evidence is also required, to avoid mistakes or carelessness in processing it. The labels may include the name of the person responsible for collecting the evidence and their organization, a description of the material, the location where the material was seized, and the date and time.

  • Shut down the computer.

After documenting the physical evidence, you need to shut down the computer properly to avoid any changes to the evidence of the case. The shutdown is done by commanding the operating system to shut down and then pulling out the plug. Before doing so, try to detect whether any process or operation is running that could destroy or erase important data on the system. The simplest example is a screensaver that automatically engages a password after a time delay; this will interrupt the process of shutting down the computer.

  • Document the system’s hardware configuration.

Processing the computer requires moving it to a secure place, for which the computer needs to be disassembled. So, before disassembling it, pictures of the computer must be taken from every angle to record its exact configuration. This is important for reassembling the computer after relocating it to the processing location, since a different configuration may affect the operation of the system.

  • Relocating the computer to a secured location.

It is very important to transport the computer to another, more secure location. This prevents any act that could destroy, damage or change the data needed. Irresponsible or curious individuals could do such things, which is why it is important to secure the computer. The simplest way to secure it is to never leave the computer unattended, and if you must, to make sure it is in a secure location.

  • Back up the hard disks and floppy disks.

After relocating the computer, you have to back up the hard disks and floppy disks before you operate the computer. The original evidence is not to be touched unless there are compelling circumstances. The processing must be done on the backup data, not on the original system.
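As an added illustration of working on the backup rather than the original (this is example code written for this post, not the author's own procedure or any forensic tool's code): it hashes a constructed stand-in for a seized disk, makes a byte-for-byte working copy, checks that the original was not altered by the copy step, and shows that a later write to the working copy is detected because the digests no longer agree. The file names, the image contents and the record layout are all constructed.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a real disk image need not fit in memory


def sha256_file(path: str) -> str:
    """Streaming SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def make_working_copy(original_path: str, copy_path: str) -> dict:
    """Hash the original, copy it byte for byte, then hash both again.
    The examiner works on copy_path; original_path is not touched afterwards."""
    before = sha256_file(original_path)
    shutil.copyfile(original_path, copy_path)
    return {
        "original_sha256_before": before,
        "original_sha256_after": sha256_file(original_path),  # copying must not alter the source
        "copy_sha256": sha256_file(copy_path),
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
    }


def copy_is_trustworthy(record: dict) -> bool:
    """All three digests must agree before any examination starts."""
    return record["original_sha256_before"] == record["original_sha256_after"] == record["copy_sha256"]


def demo() -> tuple:
    """Constructed scenario: a tiny stand-in for a seized disk, then a working copy
    that is accidentally written to during examination."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "seized_hdd.img")
        working = os.path.join(d, "working_copy.img")
        with open(original, "wb") as f:  # constructed image contents
            f.write(b"\x00" * 512 + b"notes.txt: meeting at 09:00" + b"\x00" * 512)
        record = make_working_copy(original, working)
        clean = copy_is_trustworthy(record)
        with open(working, "r+b") as f:  # the examiner's mistake: a write to the copy
            f.seek(512)
            f.write(b"edited")
        record["copy_sha256"] = sha256_file(working)
        return clean, copy_is_trustworthy(record)
```

Recording the "before" and "after" digests of the original in the custody record is what lets the copy step itself be shown not to have changed the seized disk.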

  • Document the system date and time.

Next, document the system date and time. This provides a better standpoint for presenting the evidence, and the documentation must be accurate and precise. A difference of one hour can change the conclusions drawn from the evidence.

  • Using key search words.

It is hard for a computer specialist to manually view each and every file on the hard disk. There is software that can help you build a list of key search words to make your work more efficient.

  • The processing of evidence.

Note that these processes require skill and technique. The processes are as follows:

· Evaluation of the Windows swap file.

· Evaluation of file slack.

· Evaluation of unallocated space or erased files.

· Searching of files, file slack and unallocated space for key words.

· Documenting file names, dates and times.

· Identifying file, program and storage anomalies.

· Evaluation of program functionality.
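To show why the key word search above is run over file slack and unallocated space as well as live files (an added example, not the author's procedure or any commercial tool's code): a constructed four-sector image holds one live file, leftover bytes of an older draft in that file's slack, and the residue of an erased file in unallocated sectors; the search reports every hit with its offset and the region it fell in. The file table, sector size, file name and image contents are all constructed.

```python
import re
from typing import List, Tuple

SECTOR = 512

# Constructed file table: one live file of 600 bytes starting at sector 0, so it
# occupies sectors 0-1 but only uses 88 bytes of sector 1 (the rest is file slack).
FILE_TABLE = [{"name": "report.txt", "first_sector": 0, "size": 600}]


def build_image() -> bytes:
    """Constructed 4-sector image, not a real disk: sectors 0-1 hold report.txt, the
    tail of sector 1 still holds an older draft the file did not overwrite, and
    sectors 2-3 are unallocated but contain residue of an erased file."""
    live = b"Quarterly report for the board. Nothing unusual this quarter. ".ljust(600, b" ")
    old_draft = b"old draft: move funds to offshore account before audit"
    erased = b"DELETED invoice.doc: pay ACME $50,000 by Friday, no paper trail"
    sectors_0_1 = live + old_draft.ljust(2 * SECTOR - 600, b"\x00")
    sectors_2_3 = erased.ljust(2 * SECTOR, b"\x00")
    return sectors_0_1 + sectors_2_3


def region_of(offset: int) -> str:
    """Classify a byte offset as allocated file data, file slack, or unallocated."""
    for entry in FILE_TABLE:
        start = entry["first_sector"] * SECTOR
        end_data = start + entry["size"]
        end_alloc = start + -(-entry["size"] // SECTOR) * SECTOR  # round up to whole sectors
        if start <= offset < end_data:
            return "allocated:" + entry["name"]
        if end_data <= offset < end_alloc:
            return "slack:" + entry["name"]
    return "unallocated"


def keyword_search(image: bytes, keywords: List[str]) -> List[Tuple[str, int, str]]:
    """Case-insensitive search of the raw image, so hits in slack and unallocated
    space surface alongside those in live files; returns (word, offset, region)."""
    pattern = re.compile(b"|".join(re.escape(k.encode()) for k in keywords), re.IGNORECASE)
    return [(m.group(0).decode(errors="replace").lower(), m.start(), region_of(m.start()))
            for m in pattern.finditer(image)]
```

Searching only the files the file system still lists would have missed both the "offshore" draft in slack and the erased invoice.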

  • Findings documentation.

The documentation also includes documenting all software used in this process. Documenting all findings is important so that they can be easily found and identified. For the software, make sure you use original software, not pirated software; otherwise the evidence may be questioned when presenting the case, which gives an advantage to the other side.


bee ling said...

great info!!!! keep it up!! :-) u all interested want to be an expert in this field? hehe..