Evidence obtained from computer hard drives that may have been deleted or hidden
Evidence will be most often found in files that are stored on hard drives, whether internal or external. Files may, of course, have been deleted and will need running of sophisticated recovery programmes. Dates and time of creation can be of vital importance, as can modification dates, deletion dates etc. Temporary back up files, web cache , address books etc may be re-created with application
User Created Files: May contain evidence of relevant activity, e.g. address books and database files that can prove associations with persons external or internal, or undisclosed communication. Images can be rebuilt even if deleted, as can video or scanned documents. Such files may be in the form of:
User Protected Files: A user may encrypt or password-protect important data, or hide files on a hard disk, within other files, or attempt to hide incriminating data under an innocent sounding name. User Protected files may be in the form of:
Computer Generated Files: Evidence may also be found in files and data areas that are created routinely by Operating Systems - something of which the user is often not aware. Password recovery is often achievable through recovery and examination. Some file components hold evidentiary value such as time and date creation/ modification / deletion / access; even turning the machine on may alter some of this information e.g. the last time a PC was booted may be of importance. Data may be retrieved from:
If in doubt - don't touch ! Never attempt to recover data or explore data from a computer without the necessary skills - this may affect the integrity of a chain of evidence to your later cost. When working with units our first move will be to clone the unit and conduct our work from the clone without booting the machine. By all means, however, take evidential photographs
Computer forensics is a generic name describing forensic analysis and reporting of computer or IT media. As well as the hard drive(s) this may include USB drives, MP3/4's, external drives etc. While most cases involve Windows Operating Systems we can also apply the same principles to Mac OS and Linux. Never make the error of believing that when you hit the delete key the information is gone - there is a high possibility deleted data may be recovered in it's entirety
We apply Computer forensics in investigation for many reasons including:
Computer Evidence determining an Employment Tribunal case as reported in the Daily Telegraph
Retrieving deleted data in corporate environments as evidence in investigation
Evidence gained from investigation of a computer has determined litigious decisions
Recreating deleted files and messages from a clone made of a computer hard drive
First Actions to take if you suspect a computer holds evidence that will make a watertight case
Mobile Phone Investigation - unravelling the secrets of a mobile phone
Maintaing the Evidence held on a computer will help to ensure the integirty of information
Action to take on-site what you should do first, what to touch and what not to touch and retain
