Computer Evidence Processing Guidelines

  • Published : May 27, 2011
FOUR GENERAL EVIDENCE PROCESSING GUIDELINES

Jennifer Farmer
American InterContinental University

Abstract
The best way to preserve digital forensic evidence is to follow the four guidelines created. The four guidelines pertain to evidence collection, storage, processing, retrieval and documentation.

Four General Evidence Processing Guidelines
Digital forensic evidence is extremely fragile and should be handled with care to avoid alteration, which is why guidelines and procedures are created. There are four guidelines that should be followed in order to keep evidence in its most original state.

Guideline One

Digital evidence is not readable; however, a printout can be submitted as evidence under the "best evidence rule". The best evidence rule applies when a person wants to submit a copy of a document because the original document is unavailable (Nolo Dictionary, 2011).

**Collection** Any and all investigating officers should keep this in mind, and should have a warrant bearing the proper wording and language for the search and seizure of a personal computer, in order to avoid violating any privacy rights. First, the officer should check whether the computer is on or off. If the computer is not on, he or she should not turn it on, because the evidence must not be altered; if the computer is on, the officer should photograph the screen, even if the screen is in sleep mode. Once the computer is photographed, the power should be disconnected. In other words, the modem should be drained of power by unplugging it. Next, the officer should insert a police disc into the CD or DVD drive; the disc should be blank, and after it is inserted the drive should be sealed. All other hardware connected to the system should be photographed in order to have a record of how the system was connected. All wires should be labeled separately. The computer is then transported from the scene in a secure vehicle and stored in a secure area or room. A chain of custody must always be kept in order to know who handled the evidence and when (Ashcroft, Daniels & Hart, 2004).

Guideline Two

**Storing** Once the computer is removed from the crime scene, photographs of the scene must be taken. A thorough search must also be conducted, because the area may hold valuable information needed during the investigation, such as user IDs and passwords. All other software discs, devices, manuals, notes and books should also be seized and stored in containers that are sealed and marked. Any people at the site must be interviewed in order to obtain potential passwords and to learn how to operate the software. After all the software evidence is collected, it should also be transported in a secure vehicle and brought to a secure location. Once the computer and all other software arrive at the secure location, the original will be stored on backup discs that will be made. The backups that are made include all hard disks, CDs and DVDs. All processing of evidence should be carried out on the backups only; this reduces the risk of compromising the evidence already on the computer. The computer must remain in its original state. Most importantly, data security and the chain of custody must be maintained at all times. If the proper steps are not taken within the chain of custody and security measures are not taken, questions relating to security issues will be raised in court (Ashcroft, Daniels & Hart, 2004).

Guideline Three

**Processing** The data on all the computer evidence must be authenticated mathematically. Different software packages can assist in this process; however, it is best to use the software that is the most current and...
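The storing and processing guidelines above call for working only on backups, maintaining the chain of custody, and authenticating the data mathematically. The following is an added example, not part of the original essay: it checks that each backup is bit-identical to the original and keeps a custody log in which every entry commits to the one before it. SHA-256 as the hash, and all function names, file names, handlers and timestamps, are assumptions made for illustration.

```python
import hashlib, json

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large disk images need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_copies(original, copies):
    """Map each backup path to True if it is bit-identical to the original."""
    want = sha256_file(original)
    return {c: sha256_file(c) == want for c in copies}

def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log, handler, action, item_digest, when):
    """Record who did what and when; each entry commits to the previous one."""
    entry = {"handler": handler, "action": action, "item_sha256": item_digest,
             "when": when, "prev": log[-1]["hash"] if log else "0" * 64}
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry

def custody_log_intact(log):
    """False if an entry was edited, reordered, or removed from the middle."""
    prev = "0" * 64
    for e in log:
        if e["prev"] != prev or e["hash"] != _entry_hash(e):
            return False
        prev = e["hash"]
    return True

if __name__ == "__main__":
    import os, tempfile
    d = tempfile.mkdtemp()  # constructed sample files, not real evidence
    orig, good, bad = (os.path.join(d, n) for n in ("orig.img", "copy1.img", "copy2.img"))
    data = b"constructed sample disk contents" * 1000
    for path, content in ((orig, data), (good, data), (bad, data[:-1] + b"X")):
        with open(path, "wb") as f:
            f.write(content)
    print(verify_copies(orig, [good, bad]))  # copy2.img differs by one byte
    log = []
    add_custody_entry(log, "Officer A", "seized", sha256_file(orig), "2024-01-01T10:00Z")
    add_custody_entry(log, "Examiner B", "imaged", sha256_file(good), "2024-01-01T14:00Z")
    print(custody_log_intact(log))
```

The chain does not detect removal of the most recent entries, so the latest entry hash should also be recorded somewhere outside the log.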