EVIDENCE RECOVERY: STEPS TO PRESERVE (OR DESTROY) ELECTRONIC EVIDENCE
Preservation of electronic evidence is critical, and the PC or other media should be treated like a crime scene. Depending on numerous factors, electronic evidence can be very perishable or can last for years. The key to the success of electronic discovery and forensic examinations is to gain access to (or preserve the integrity of) the target media as quickly as possible. PCs should not be powered up or used until their data can be imaged by a forensic examiner. Relevant target media includes not only PC hard drives but other types of storage media, including tape backups and archives, floppy diskettes, PDAs (personal digital assistants such as Palms) and other removable electronic media.
Recently we have observed an increase in the types of actions that can impact the integrity and availability of electronic evidence, including:
- the use of data compression, disk de-fragmentation and optimization programs
- the downloading or transfer of large files (such as .JPG pictures), which rapidly overwrite data in unused clusters
- the use of programs that overwrite sectors with a string of 0's, such as Norton Utilities' Wipe-Info
- the reuse of back-up tapes
- installing new software applications
- low-level formats, operating system formats, partitioning formats, etc.
- deleting temporary Internet files, browser history and cookies
- changing the time clock on the computer.
All of the actions listed above will destroy potentially recoverable evidence, and several of them could wipe the drive clean. Any one of them can alter, delete or overwrite recoverable evidence.