|
When someone leaves evidence of misdeeds on a computer it is necessary to use the right tool to recover the evidence. Just like a fingerprint technician has to use the right tools and expertise - computer investigations are specialized.
Just hooking someone's hard drive to another computer can make significant changes to the drive. For example, Windows will reach out and touch the recycled files on startup and may alter other files.
Hardware tools to prevent writing on disks during an investigation are crucial. Often specialized software can accomplish the same task.
It is critical to use the right tools for evidence gathering.
|
| | |  | | 
"All the evidence is right here!"
A network guy in the company copied all of the relevant files to a disk. An executive gave us the disk.
It was worthless.
No one had thought to keep a chain of custody for the evidence. The normal forensic procedures like cryptographic checksum verification were not followed. No one person knew the whole story. No written notes from process were available.
What judge would allow junk like this into evidence?
| | | | |
