LITIGATION REFERENCE: GUIDELINES FOR PRESERVING COMPUTER EVIDENCE

Proper seizure and recovery of computer evidence requires the use of
non-invasive advanced computer software specifically designed for the
task. Such software recovers, searches, authenticates and documents
relevant electronic evidence during the course of internal
investigations or for use in civil or criminal litigation without
compromising the integrity of the original evidence. Electronic
evidence is fragile by nature and can easily be altered or erased
without proper handling. The following guidelines should be followed in
order to properly preserve and protect critical computer evidence.

Do not operate any computer that may contain electronic evidence -
Merely turning on a subject computer will alter critical date stamps
and erase data contained in temporary files. It's critical that a
computer suspected of containing important evidence is not operated or
booted, and is removed to a secure location to await examination by a
trained computer forensic expert utilizing proper software.

If the subject computer isn't in your possession, immediately send a
letter requesting preservation of the evidence - Oftentimes,
litigants or potential litigants lack access to critical computer
evidence in possession of their adversaries or other third parties. In
these cases, a preservation request letter should be sent requesting
that all relevant computer data is immediately preserved until proper
recovery and analysis can be conducted through permitted access or
litigation discovery procedures.

Immediately consult an experienced computer forensic expert - Many make the
mistake of involving untrained IT personnel or other resident "computer
hackers" to search the computer of a current or former employee. This
practice invariably results in the destruction or alteration of
critical evidence unless trained professionals use proper computer
forensic tools to acquire and process the evidence.

Ensure that proper computer forensic software is utilized - EnCase is the
leading computer forensic software tool used by private industry and
law enforcement and has proven to be the most capable integrated
application for searching and recovering electronic data contained in
Windows 95/98/2000 and Windows NT files. Some private computer forensic
examiners choose to use antiquated tools they obtain free of charge or
attempt to market their own inferior DOS-based tools. EnCase
ensures accurate search results and recovery of all existing "deleted"
evidence. The examination of a Windows file system with DOS-based tools
is a painstaking process that will invariably produce incomplete
results, or at best require hundreds of hours to accomplish what EnCase
can perform in a few minutes, resulting in substantial unnecessary cost
to the client. To receive complete and accurate results with a proper
evidentiary foundation, ensure that your computer forensics expert is
utilizing EnCase.