< Day Day Up > 


Computer evidence is fragile by its very nature and the problem is compounded with the potential of destructive programs and hidden data. Even the normal operation of the computer can destroy computer evidence that might be lurking in unallocated space, file slack, or in the Windows swap file. There really are no strict rules that must be followed regarding the processing of computer evidence. Every case is different and flexibility on the part of the computer investigator is important.

With that in mind, the following general computer evidence processing guidelines or steps have been provided. Please remember that these do not represent the only true way of processing computer evidence. They are general guidelines provided as food for thought:

  1. Shut down the computer

  2. Document the hardware configuration of the system

  3. Transport the computer system to a secure location

  4. Make bit stream back-ups of hard disks and floppy disks

  5. Mathematically authenticate data on all storage devices

  6. Document the system date and time

  7. Make a list of key search words

  8. Evaluate the Windows swap file

  9. Evaluate file slack

  10. Evaluate unallocated space (erased files)

  11. Search files, file slack, and unallocated space for key words

  12. Document file names, dates, and times

  13. Identify file, program, and storage anomalies

  14. Evaluate program functionality

  15. Document your findings

  16. Retain copies of software used[i]


    If you are not trained and have had a computer incident or threat, see sidebar, “Emergency Guidelines.”

start sidebar
Emergency Guidelines

The popularity of desktop and notebook computers has come with a mixed blessing. These wonderful tools contribute to increased productivity and help to facilitate communications and file transfers worldwide over the Internet. However, they also provide opportunities for abuse of corporate policies and the commission of computer-related crimes. Internet viewing of pornography has become a serious problem for corporations and government agencies. Embezzlements using computers have become commonplace in small- and medium-size businesses.

Computer forensic tools and techniques can help to identify such abuses. They can also be used to find and document evidence in a civil or criminal case. However, the computer evidence must be preserved and protected. As a result, it is important that things are done correctly as soon as a computer incident is identified. By following the guidelines listed here, you stand a good chance of preserving the evidence:

  • Don’t turn on or operate the subject computer.

  • Don’t solicit the assistance of the resident ‘computer expert.’

  • Don’t evaluate employee e-mail unless corporate policy allows it.


Computer evidence is very fragile and can easily be altered or destroyed if the wrong things are done.

Don’t Turn on or Operate the Subject Computer

The computer should first be backed-up using bit stream back-up software. When the computer is run, the potential exists for information in the Windows swap file to be overwritten. Internet activity and fragments of Windows work sessions exist in the Windows swap file. This can prove to be valuable from an evidence standpoint. In the case of a DOS-based system, the running of the computer can destroy deleted files. For that matter, the same is true of a Windows system. To save grief, don’t run the computer.

Don’t Solicit the Assistance of The Resident Computer Expert

The processing of computer evidence is tricky to say the least. Without proper training, even a world-class computer scientist can do the wrong things. Like any other science, computer science has its areas of specialty. Computer forensics investigators typically get calls after the fact and are informed that a computer-knowledgeable internal auditor or systems administrator has attempted to process a computer for evidence. In some cases, valuable evidence is lost or the evidence is so tainted that it loses its evidentiary value. For these reasons, seek the assistance of a computer specialist who has been trained in computer evidence processing procedures. Do this before you turn on the computer!

Don’t Evaluate Employee E-Mail Unless Corporate Policy Allows It

New electronic privacy laws[ii] protect the privacy of electronic communications. If your corporate policy specifically states that all computers and data stored on them belongs to the corporation, then you are probably on safe ground. However, be sure that you have such a policy and that the employee(s) involved have read the policy. Furthermore, it is always a good idea to check with corporate counsel. Don’t be in a hurry and do things by the book! To do otherwise could subject you and your corporation to a lawsuit.[iii]

end sidebar

Shut Down the Computer

Depending on the computer operating system, this usually involves pulling the plug or shutting down a network computer using relevant commands required by the network involved. At the option of the computer investigator, pictures of the screen image can be taken. However, consideration should be given to possible destructive processes that may be operating in the background. These can be in memory or available through a connected modem. Depending on the operating system involved, a password-protected screen saver may also kick in at any moment. This can complicate the shutdown of the computer. Generally, time is of the essence and the computer system should be shut down as quickly as possible.

Document the Hardware Configuration of the System

It is assumed that the computer system will be moved to a secure location where a proper chain of custody can be maintained and evidence processing can begin. Before dismantling the computer, it is important that pictures are taken of the computer from all angles to document the system hardware components and how they are connected. Labeling each wire is also important, so that it can easily be reconnected when the system configuration is restored to its original condition at a secure location.

Transport the Computer System to a Secure Location

This may seem basic, but all too often seized computers are stored in less than secure locations. War stories can be told on this one that relate to both law enforcement agencies and corporations. It is imperative that the subject computer is treated as evidence and stored out of reach of curious computer users. All too often, individuals operate seized computers without knowing that they are destroying potential evidence and the chain of custody. Furthermore, a seized computer left unattended can easily be compromised. Evidence can be planted on it and crucial evidence can be intentionally destroyed. A lack of a proper chain of custody can make a savvy defense attorney’s day. Lacking a proper chain of custody, how can you say that relevant evidence was not planted on the computer after the seizure? The answer is that you cannot. Don’t leave the computer unattended unless it is locked up in a secure location!

Make Bit Stream Back-ups of Hard Disks and Floppy Disks

The computer should not be operated and computer evidence should not be processed until bit stream back-ups have been made of all hard disk drives and floppy disks. All evidence processing should be done on a restored copy of the bit stream back-up rather than on the original computer. The original evidence should be left untouched unless compelling circumstances exist. Preservation of computer evidence is vitally important. It is fragile and can easily be altered or destroyed. Often such alteration or destruction of data is irreversible. Bit stream back-ups are much like an insurance policy and are essential for any serious computer evidence processing.

Mathematically Authenticate Data on All Storage Devices

You want to be able to prove that you did not alter any of the evidence after the computer came into your possession. Such proof will help you rebut allegations that you changed or altered the original evidence. Since 1989, law enforcement and military agencies have used a 32-bit mathematical process to do the authentication process. Mathematically, a 32-bit validation is accurate to approximately one in 4.3 billion. However, given the speed of today’s computers and the vast amount of storage capacity on today’s computer hard disk drives, this level of accuracy is no longer accurate enough. A 32-bit CRC can be compromised.

Document the System Date and Time

The dates and times associated with computer files can be extremely important from an evidence standpoint. However, the accuracy of the dates and times is just as important. If the system clock is one hour slow because of daylight-saving time, then file timestamps will also reflect the wrong time. To adjust for these inaccuracies, documenting the system date and time settings at the time the computer is taken into evidence is essential.

Make a List of Key Search Words

Because modern hard disk drives are so voluminous, it is all but impossible for a computer specialist to manually view and evaluate every file on a computer hard disk drive. Therefore, state-of-the-art automated forensic text search tools are needed to help find the relevant evidence. Usually some information is known about the allegations, the computer user, and the alleged associates that may be involved. Gathering information from individuals familiar with the case to help compile a list of relevant key words is important. Such key words can be used in the search of all computer hard disk drives and floppy diskettes using automated software. Keeping the list as short as possible is important and you should avoid using common words or words that make up part of other words. In such cases, the words should be surrounded with spaces.

Evaluate the Windows Swap File

The Windows swap file is a potentially valuable source of evidence and leads. In the past, this tedious task was done with hex editors, and the process took days to evaluate just one Windows swap file. With the use of automated tools, this process now takes only a few minutes. When Windows 95, 98, 2000, and XP are involved, the swap file may be set to be dynamically created as the computer is operated. This is the default setting, and when the computer is turned off, the swap file is erased. However, all is not lost because the content of the swap file can easily be captured and evaluated.

Evaluate File Slack

File slack is a data storage area of which most computer users are unaware.[iv] It is a source of significant security leakage and consists of raw memory dumps that occur during the work session as files are closed. The data dumped from memory ends up being stored at the end of allocated files, beyond the reach or view of the computer user. Specialized forensic tools are required to view and evaluate the file slack; file slack can prove to provide a wealth of information and investigative leads. Like the Windows swap file, this source of ambient data can help to provide relevant key words and leads that may have previously been unknown.

On a well-used hard disk drive, as much as 900 million bytes of storage space may be occupied by file slack. File slack should be evaluated for relevant key words to supplement the keywords identified in the previous steps. Such keywords should be added to the computer investigator’s list of key words for use later. Because of the nature of file slack, specialized and automated forensic tools are required for evaluation. File slack is typically a good source of Internet leads. Tests suggest that file slack provides approximately 80 times more Internet leads than the Windows swap file. Therefore, this source of potential leads should not be overlooked in cases involving possible Internet uses or abuses.

Evaluate Unallocated Space (Erased Files)

The DOS and Windows ‘delete’ function does not completely erase file names or file content. Many computer users are unaware that the storage space associated with such files merely becomes unallocated and available to be overwritten with new files. Unallocated space is a source of significant security leakage and it potentially contains erased files and file slack associated with the erased files. Often the DOS Undelete program can be used to restore the previously erased files. Like the Windows swap file and file slack, this source of ambient data can help to provide relevant key words and leads that may have previously been unknown to the computer investigator.

On a well-used hard disk drive, millions of bytes of storage space may contain data associated with previously erased files. Unallocated space should be evaluated for relevant key words to supplement the keywords identified in the previous steps. Such keywords should be added to the computer investigator’s list of key words for use in the next processing step. Because of the nature of data contained in unallocated space and its volume, specialized and automated forensic tools are required for evaluation. Unallocated space is typically a good source of data that was previously associated with word processing temporary files and other temporary files created by various computer applications.

Search Files, File Slack, and Unallocated Space for Key Words

The list of relevant key words identified in the previous steps should be used to search all relevant computer hard disk drives and floppy diskettes. There are several forensic text search utilities available in the marketplace. Some of these tools are designed to be state-of-the-art and have been validated as security review tools by the federal government intelligence agencies.

It is important to review the output of the text search utility, and equally important to document relevant findings. When relevant evidence is identified, the fact should be noted and the identified data should be completely reviewed for additional key words. When new key words are identified, they should be added to the list and a new search should be conducted using the text search utility. Text search utilities can also be used effectively in security reviews of computer storage media.

Document File Names, Dates, and Times

From an evidence standpoint, file names, creation dates, and last modified dates and times can be relevant. Therefore, it is important to catalog all allocated and ‘erased’ files. The file should be sorted based on the file name, file size, file content, creation date, and last modified date and time. Such sorted information can provide a timeline of computer usage. The output should be in the form of a word-processing-compatible file that can be used to help document computer evidence issues tied to specific files.

Identify File, Program, and Storage Anomalies

Encrypted, compressed, and graphic files store data in binary format. As a result, a text search program cannot identify text data stored in these file formats. Manual evaluation of these files is required and, in the case of encrypted files, much work may be involved. Depending on the type of file involved, the contents should be viewed and evaluated for its potential as evidence.

Reviewing the partitioning on seized hard disk drives is also important. The potential exists for hidden partitions and/or partitions formatted with a non-DOS-compatible operating system. When this situation exists, it is comparable to finding a hidden hard disk drive; volumes of data and potential evidence can thus be involved. The partitioning can be checked with any number of utilities including the DOS FDISK program or Partition Magic™. When hidden partitions are found, they should be evaluated for evidence and their existence should be documented.

If Windows 95, 98, 2000, and XP are involved, it makes sense to evaluate the files contained in the Recycle Bin. The Recycle Bin is the repository of files selected for deletion by the computer user. The fact that they have been selected for deletion may have some relevance from an evidentiary standpoint. If relevant files are found, the issues involved should be documented thoroughly.

Evaluate Program Functionality

Depending on the application software involved, running programs to learn their purpose may be necessary. When destructive processes that are tied to relevant evidence are discovered, this can be used to prove willfulness. Such destructive processes can be tied to hot keys or the execution of common operating commands tied to the operating system or applications.

Document Your Findings

As indicated in the preceding steps, it is important to document your findings as issues are identified and as evidence is found. Documenting all of the software used in your forensic evaluation of the evidence, including the version numbers of the programs used, is also important. Be sure that you are legally licensed to use the forensic software. Software pirates do not stand up well under the riggers of a trial. Smart defense lawyers will usually question software licensing; you don’t want to testify that you used unlicensed software in the processing of computer evidence. Technically, software piracy is a criminal violation of federal copyright laws.

When appropriate, mention in your documentation that you are licensed to use the forensic software involved. Screen prints of the operating software also help to document the version of the software and how it was used to find and/or process the evidence.

Retain Copies of Software Used

Finally, as part of your documentation process, it is recommended that a copy of the software used be included with the output of the forensic tool involved. Normally, this is done on an archive Zip disk, Jazz disk, or other external storage device (external hard disk drive). When this documentation methodology is followed, it eliminates confusion (about which version of the software was used to create the output) at trial time. Often it is necessary to duplicate forensic-processing results during or before trial. Duplication of results can be difficult or impossible to achieve if the software has been upgraded and the original version used was not retained.


There is a high probability that you will encounter this problem because most commercial software is upgraded routinely, but it may take years for a case to go to trial.

[i]“Computer Evidence Processing Steps,” New Technologies, Inc., 2075 NE Division St., Gresham, Oregon 97030, 2001. (©Copyright 2002, New Technologies, Inc. All rights reserved). 2001

[ii]John R. Vacca, Net Privacy: A Guide to Developing and Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill Professional, 2001.

[iii]“Computer Incident Response Guidelines,” New Technologies, Inc., 2075 NE Division St., Gresham, Oregon 97030, 2001. (©Copyright 2002, New Technologies, Inc. All rights reserved). 2001

[iv]John R. Vacca, The Essential Guide to Storage Area Networks, Prentice Hall, 2002.

 < Day Day Up >