Ten Tips for Preserving Computer Evidence After an Incident

May 16th, 2008

If you have a possible trade secret case on your hands and believe you will
need computer forensics in the near future, there are some important steps to
take to ensure the collection of valuable data without spoliation. Treat the
scene as a true crime scene, and use these tips as a guideline for your trade
secret case:

  • Don’t touch anything. Leave the computer(s) just as you find them.
    Consult your computer forensics experts. Have computer forensic “images”
    of hard drives created to preserve evidence.
  • Don’t look for data yourself. Do not turn the computers on or attempt
    to “search” the machines for evidence. Doing so can destroy or
    “overwrite” important files, or render any evidence inadmissible in
    court.
  • Look for storage media. Inspect the workplace for removable portable storage
    devices such as external drives, CD-ROMs and disks.
  • Look for other digital media. If applicable, recover the user’s cell phones
    and portable digital devices such as Blackberries, Palm products and iPods.
  • Maintain message accounts. Preserve the user’s e-mail accounts and
    voicemail accounts to avoid evidence spoliation.
  • Look for back-up tapes. When possible, preserve back-up tapes or other
    related media that may be important to your case.
  • Protect remote access. Review the user’s remote access accounts to
    protect against unauthorized access from outside the workplace.
  • Keep records. Protect the chain of custody of electronic evidence by documenting
    computer serial numbers, user locations, transportation of evidence, and important
    times and dates. Mark evidence appropriately and use property receipts. Document
    the steps you have taken to obtain and preserve computer evidence. Consider
    taking photos of computers, serial numbers and workspaces.
  • Look for printed evidence. Search the scene for potential documentation
    such as passwords, printed versions of electronic files and other relevant
    evidence.
  • Gain control. Secure anything that might be considered electronic evidence
    and control and restrict access to anything electronic.
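
The "Keep records" tip can be supported with a tamper-evident custody log. The following is an added example, not part of the original article: each entry stores the hash of the previous one, so a later edit, deletion or reordering is detectable. The field names, serial number and events are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # stand-in "previous hash" for the first entry


def _digest(entry):
    """SHA-256 over a canonical JSON form of the entry, minus its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_entry(log, when, serial, location, action, handler):
    """Append one custody event, chained to the hash of the previous event."""
    entry = {
        "seq": len(log) + 1,
        "when": when,          # time and date of the event
        "serial": serial,      # computer or media serial number
        "location": location,  # user location or storage location
        "action": action,      # what was done (seized, transported, imaged)
        "handler": handler,    # who had custody
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def first_bad_entry(log):
    """Return the position of the first altered or misplaced entry, else None."""
    prev = GENESIS
    for i, entry in enumerate(log, start=1):
        if (entry["seq"] != i or entry["prev_hash"] != prev
                or entry["entry_hash"] != _digest(entry)):
            return i
        prev = entry["entry_hash"]
    return None


def sample_log():
    """Constructed sample: one laptop from seizure to imaging."""
    log = []
    add_entry(log, "2008-05-16T09:10", "SN-EXAMPLE-001", "Office 4B",
              "photographed in place, seized powered off", "J. Doe")
    add_entry(log, "2008-05-16T11:30", "SN-EXAMPLE-001", "Evidence room",
              "transported under property receipt", "J. Doe")
    add_entry(log, "2008-05-17T08:00", "SN-EXAMPLE-001", "Forensics lab",
              "handed to examiner for imaging", "A. Smith")
    return log
```

The chain only proves integrity if the latest `entry_hash` is also recorded somewhere the log's keeper cannot rewrite, for example written on the signed property receipt.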