Preserving digital evidence

on the computer

The biggest no-no. It writes large amounts of data to the hard disk, potentially wiping all traces of a deleted file forever. Data is automatically updated and therefore altered. Turning the computer on affects the swap file and registry as well as the list of most recently used documents. Dates when a file was created, last modified, last accessed and updated can all be unwittingly altered.

Investigating email with email

Investigating emails with an email client carries a host of potential dangers. Going into a suspect’s inbox in Outlook and reading an email which has not been opened before may create a read receipt, leaving a clear trace of the activity. Although often done to try and confirm suspicions, it can be considered tampering with the evidence.

Losing evidence

Failing to either make a forensic image of the hard drives of staff when they leave, or replace the hard drive and store the original, runs the risk of losing important data and therefore being unable to substantiate claims made at a later date. Creating a copy of a person’s computer as it was when last used is key to preserving data.

DIY data recovery

Unskilled staff attempting to recover data from machines they suspect contain evidence is a big problem. Often, people can’t resist the urge to have a ‘quick look’ when an incident occurs. And although in many cases technical support will be called in, unfortunately, they will generally not have the specialist skills needed to investigate in an evidentially-sound manner. Correctly recovering data is expert work and should only be carried out by suitably qualified professionals.

Following evidential URLs

This is really dangerous territory. Apart from the risk of incriminating yourself (in the case of child abuse images you are essentially committing the same ‘offence’ as the suspect), there is also the possibility of compromising confidential data. You should never click on links in emails, even when they are from a supposedly trusted source.

Shutting down the PC

Simply, DON’T! Computers like to be very orderly, so when you shut down they will do a lot of ‘housekeeping’, tidying up files, overwriting deleted information and changing times and dates which are vital to any investigation. If you have to turn the computer off, simply pull the plug. This freezes it and creates a ‘snapshot’ in time which can be forensically examined using a whole range of tools.

Jumping to conclusions

A common mistake when a computer crime is committed is to assume guilt and embark on a witch hunt for the culprit. But it is vital not to jump to conclusions. Just because there is incriminating material on somebody’s computer does not mean they put it there. Somebody else may have hacked their password, or it could have been a Trojan horse or other virus of which they had no knowledge, and therefore no control over.

Ignoring the evidence

Many ‘first responders’ will miss vital evidence by failing to follow correct procedures. Simply pulling the plug on the computer will wipe the contents of RAM, which may contain useful information, particularly in cases of hacking or server damage. CDs, DVDs, digital cameras and personal organisers on a person’s desk are also often overlooked.

Incorrectly marked tapes

This is the bane of the life of a forensic analyst. It is extremely frustrating when investigating an incident to find that the data on a back-up tape is different from what is stated on the label. It is vital to have a data back-up and retention policy and be consistent in the implementation of it. Everyone involved in security must be aware of what their organisation’s back-up procedures are.

Being careless with evidence

Badly-handled evidence can stop a criminal investigation in its tracks. Evidence should always be carefully secured and then packaged with care. If not, fragile data can be damaged or even lost while stored or being transported.
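
The altered dates and overwritten data described on this page can be detected if a manifest of hashes and timestamps is recorded before anyone handles a working copy. The following is an added example, not part of the original page: the function names (`snapshot`, `compare`, `demo`), the use of SHA-256 and the sample files are assumptions constructed for illustration, and it is meant to run against a copy of the evidence, never the original drive.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> (sha256, size, mtime_ns) for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)  # metadata first: reading the file below may update atime
            digest = hashlib.sha256()
            with open(path, "rb") as fh:  # opened read-only and hashed in chunks
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root)
            manifest[rel] = (digest.hexdigest(), st.st_size, st.st_mtime_ns)
    return manifest


def compare(before, after):
    """Return {path: reason} for every file that differs between two snapshots."""
    changes = {}
    for path in sorted(before.keys() | after.keys()):
        if path not in after:
            changes[path] = "missing"
        elif path not in before:
            changes[path] = "added"
        elif before[path][0] != after[path][0]:
            changes[path] = "content changed"
        elif before[path][2] != after[path][2]:
            changes[path] = "timestamp changed"
    return changes


def demo():
    """Constructed sample: a working copy that someone takes a 'quick look' at."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("report.doc", b"draft"), ("mail.pst", b"inbox"), ("notes.txt", b"n")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        before = snapshot(root)
        # Same bytes, new modification time (what a re-save without edits leaves behind).
        os.utime(os.path.join(root, "report.doc"), ns=(1, 1))
        with open(os.path.join(root, "mail.pst"), "ab") as fh:
            fh.write(b"!")  # content altered
        os.remove(os.path.join(root, "notes.txt"))
        return compare(before, snapshot(root))


if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```
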