Common Mistakes In Computer Investigations

A number of common mistakes can arise during a computer forensic investigation. The first and most frequent of these is the failure to maintain proper documentation. Creating and maintaining the documentation is both tedious and demanding, which is why this is one of the most common mistakes. Another is the inadvertent modification of data by opening files on the original evidence.

Just opening a file from a computer’s hard drive to look at the contents results in the time stamps of the file being changed. This may hinder subsequent investigation or result in the evidence being rendered unusable. Another is the destruction of potential evidence as a result of the installation of software on the evidence media. The writing of software to the memory of the digital device or to a disk may result in evidence that was stored there, but not protected, being overwritten.

While all of these mistakes may appear to be avoidable, there are times in some investigations where it is necessary to open a file on the original evidence before it has been copied or to install software in order to recover more evidence. This is particularly true of investigations into large networked systems that cannot be isolated or easily turned off. When it is necessary to carry out such actions, it is essential that they be recorded together with the reason such actions were taken.

Another common mistake is failing to adequately control access to the digital evidence and maintain the chain of custody. When this occurs, it is almost impossible to prove that the evidence has not been compromised.
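One way to record an unavoidable action on evidence together with its reason and its measurable effect is sketched below in Python, as an added example that is not part of the original article. The function names, the log layout and the sample file are assumptions made for illustration; each log entry is chained to the previous one by hash, so a later edit to the record is detectable.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def stat_times(path):
    st = os.stat(path)  # metadata only, does not read the content
    return {"atime_ns": st.st_atime_ns, "mtime_ns": st.st_mtime_ns, "size": st.st_size}

def entry_digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_action(log, path, examiner, reason, action):
    """Run action(path) and append a hash-chained entry describing its effect."""
    before = {"sha256": sha256_file(path), **stat_times(path)}  # stat right before action
    action(path)
    after = {**stat_times(path), "sha256": sha256_file(path)}   # stat before re-hashing
    entry = {"utc": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "evidence": path, "reason": reason, "before": before, "after": after,
             # atime only appears here if the mount updates it (noatime/relatime vary)
             "changed": sorted(k for k in before if before[k] != after[k]),
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """False if any entry was edited, removed or reordered after it was written."""
    prev = "0" * 64
    for e in log:
        if e["prev"] != prev or entry_digest(e) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def demo():
    # Constructed sample "evidence" file; names and reasons are illustrative only.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.txt")
        with open(path, "w") as f:
            f.write("original contents\n")
        log = []
        record_action(log, path, "examiner-1", "viewed file on live system that cannot be shut down",
                      lambda p: open(p, "rb").close())
        record_action(log, path, "examiner-1", "recovery tool wrote to the evidence file",
                      lambda p: open(p, "a").write("x") and None)
        return log

if __name__ == "__main__":
    for e in demo():
        print(e["reason"], "->", e["changed"] or "no change")
```
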

Yet another instance is a failure by the investigator to know when they have reached the limits of their knowledge and to ask for assistance. We all like to think we are experts in our field, but in the area of digital forensics, the subject is now so vast and complex that it is not possible for one person to have the necessary level of knowledge in all its relevant areas. Once the investigator exceeds their area of expertise, any evidence they recover will be of questionable value and may be challenged in the courts.

Written by Betty

December 4th, 2015 at 2:52 pm

Computer Crime