Preservation in computer forensics
The next step is to preserve the evidence on the assumption that it may include information or documents to be used in a criminal or civil trial. The first steps taken at the scene should be the same as those taken at any potential crime scene. The investigator should plan for the case to end in a trial. Therefore, from the first moment the investigator realizes the case may be fraud-related, decisions should be made with a view to preserving the evidence for a criminal or civil trial.
Preservation In Computer Forensics
Mishandling evidence may result in it being excluded at trial. Therefore, how a suspect computer is turned on, searched, or shut down should be treated as a high priority and is best decided by first consulting a computer forensics professional. Simply turning on a computer can change metadata, such as the time and date stamps on many files. Metadata might include operating system data, data on the user or the last print time, or similar administrative information. Such data can be extremely important.
Computer forensics professionals determine which handling methods should be used to preserve and analyze data in a specific situation in a cost-effective manner. There may be options for analyzing only a portion of a hard drive or for reviewing network files in search of information during an investigation.
Example:
A business manager was suspected of embezzling. The business owner’s first reaction was to turn on the manager’s computer and look for files. However, doing so changed the time and date stamps of several hundred files. Only after the computer data has been secured and preserved can the investigator conduct computer searches without concern about altering the data.
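The example above is exactly the kind of damage an examiner later has to quantify: which files changed, and in what way, between the moment the machine was seized and the moment it was properly preserved. The following added example (not from the original article) builds a constructed sample tree in a temporary directory, records a metadata manifest for it, simulates careless handling, and reports what changed. The simulated handling (an editor rewriting one document and a search tool dropping an index file) is constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Record size, modification time, access time and SHA-256 for every file under root.
    Keys are paths relative to root so two snapshots of the same tree can be compared."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()  # stat before reading so the recorded atime is the pre-read value
        manifest[str(path.relative_to(root))] = {
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,
            "atime_ns": st.st_atime_ns,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return manifest


def diff_snapshots(before, after):
    """Return files whose metadata or content changed, plus files added or removed."""
    changed = {}
    for rel in before.keys() & after.keys():
        fields = [k for k in before[rel] if before[rel][k] != after[rel][k]]
        if fields:
            changed[rel] = fields
    return {
        "changed": changed,
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
    }


def build_sample_tree(root, count=5):
    """Constructed evidence tree: a handful of small documents (sample data, not real evidence)."""
    for i in range(count):
        (Path(root) / f"report_{i}.txt").write_text(f"quarterly figures {i}\n")


def demo():
    """Snapshot a constructed tree, simulate careless handling, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before = snapshot(root)
        # Simulated careless handling (constructed): an editor re-saves one document with
        # different line endings, and a desktop search tool writes an index next to the evidence.
        (Path(root) / "report_2.txt").write_text("quarterly figures 2\r\n")
        (Path(root) / ".search_index").write_text("index\n")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

Note that the manifest step itself reads every file, so on media mounted with access-time updates enabled the second snapshot may show a changed atime on files nobody touched: the examiner's own hashing pass altered them. That is one reason the original media is imaged first and all analysis is done on the copy.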
Internal audit departments should have at least one auditor who is familiar with the search functions of a major computer forensics program. These programs generally have high-quality search features and can be used to search the computer data extensively for further information about the fraud.
Investigators without computer forensic expertise may be able to copy the hard drive from a suspect computer to another hard drive or a network file.
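Copying the drive is only useful as evidence if the copy can later be shown to be identical to the original. The following added example (not from the original article) images a constructed "device" file block by block, hashes the source stream and the finished image independently, and produces the record an examiner would attach to the evidence log; it then shows the later verification check failing after a single byte of the image is altered. The file names and the 3 MiB of patterned sample media are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024


def _sha256_of_file(path, chunk_size=CHUNK):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source, destination, chunk_size=CHUNK):
    """Copy source to destination block by block, hashing the source as it is read.
    The image is then re-read from disk and hashed separately so the two digests
    come from independent reads rather than from the bytes held in memory."""
    src_hash = hashlib.sha256()
    bytes_copied = 0
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for block in iter(lambda: src.read(chunk_size), b""):
            src_hash.update(block)
            dst.write(block)
            bytes_copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    record = {
        "source": source,
        "image": destination,
        "bytes": bytes_copied,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": _sha256_of_file(destination, chunk_size),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record


def verify_image(path, expected_sha256, chunk_size=CHUNK):
    """Later check (before analysis, or at trial) that the image is still unchanged."""
    return _sha256_of_file(path, chunk_size) == expected_sha256


def demo():
    """Image a constructed device file, re-verify it, then show tampering being detected."""
    with tempfile.TemporaryDirectory() as work:
        device = os.path.join(work, "suspect_disk.bin")
        image = os.path.join(work, "suspect_disk.dd")
        # Constructed sample media: 3 MiB of patterned bytes standing in for a block device.
        with open(device, "wb") as f:
            for i in range(3):
                f.write(bytes([i]) * (1024 * 1024))
        record = image_device(device, image)
        still_good = verify_image(image, record["source_sha256"])
        # Flip one byte of the image to show that any change is caught.
        with open(image, "r+b") as f:
            f.seek(1024)
            f.write(b"\xff")
        tampered_ok = verify_image(image, record["source_sha256"])
        return record, still_good, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Software alone cannot guarantee that the source is never written to while it is being read; when the source is physical media, a hardware write blocker between the drive and the imaging machine is what makes the "unchanged original" claim defensible, and the acquisition record above is what lets the copy stand in for it afterwards.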
Preparation Or Extraction
Examiners begin by determining whether there is sufficient information to proceed. They ensure that a clear request is in hand and that there is enough data to attempt to respond to it. If something is missing, they work with the requester to find it. Otherwise, they will proceed with the process setup.
The first step in any forensic process is to validate all hardware and software to ensure proper operation. The forensics community is still divided on how frequently software and equipment should be tested. Most people agree that organizations should validate every piece of software and hardware after purchasing it and before using it. They should also retest following any updates, patches, or reconfiguration.
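The validation described above is a known-answer test: run the tool on inputs whose correct output is already published and record whether it agrees. The following added example (not from the original article) validates a hashing routine against the FIPS 180 SHA-256 test values for the empty string and "abc", shows a constructed faulty build being caught, and encodes the retest rule (any change in version, patch level or configuration triggers a rerun). The tool names and the version records are constructed.

```python
import hashlib

# Published SHA-256 known-answer values (FIPS 180 examples) used as the reference.
KNOWN_ANSWERS = {
    b"": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    b"abc": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def tool_under_test(data: bytes) -> str:
    """Stand-in for the hashing routine of whatever forensic tool is being validated."""
    return hashlib.sha256(data).hexdigest()


def broken_tool(data: bytes) -> str:
    """Constructed faulty build that silently truncates the digest; validation must catch it."""
    return hashlib.sha256(data).hexdigest()[:60]


def validate(hash_fn, vectors=KNOWN_ANSWERS):
    """Run every known-answer test and return a record suitable for the validation log."""
    tests = []
    for data, expected in vectors.items():
        got = hash_fn(data)
        tests.append({"input_len": len(data), "expected": expected, "got": got, "pass": got == expected})
    return {
        "tool": getattr(hash_fn, "__name__", "unknown"),
        "passed": all(t["pass"] for t in tests),
        "tests": tests,
    }


def needs_revalidation(last_validated, current):
    """Retest rule: any update, patch or reconfiguration since the last validation means rerun."""
    keys = ("version", "patch_level", "config_sha256")
    return any(last_validated.get(k) != current.get(k) for k in keys)


if __name__ == "__main__":
    print(validate(tool_under_test)["passed"], validate(broken_tool)["passed"])
```

The same pattern applies to imaging hardware: a write blocker is validated by attempting writes through it to a drive whose hash is known, then confirming the hash is unchanged.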
Final Thoughts
A plan to extract data is developed after examiners verify the integrity of the data to be analyzed. They organize and shape the forensic request into questions they can answer. They select the forensic tools that will allow them to answer these questions. Examiners usually have a rough idea of what to look for based on the request.
They add these to a “Search Lead List,” which is a running list of items that have been requested. For example, the request could include the lead “search for child pornography.” Examiners explicitly list leads to help focus the examination. They add new leads to the list as they develop them, and as they exhaust leads, they mark them as “processed” or “done.”
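A search lead list is worth keeping as an append-only record, because the examiner may later have to show where each lead came from and when it was closed. The following added example (not from the original article) implements such a list: leads from the original request and leads developed during the examination are recorded with their origin, status changes are logged with timestamps and never deleted, and the open leads can be listed at any time. The case identifier and lead texts are constructed and tie back to the embezzlement example earlier on the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Lead:
    lead_id: int
    text: str
    origin: str                     # "request" or "derived from lead N"
    status: str = "open"            # open -> processed
    history: list = field(default_factory=list)


class SearchLeadList:
    """Running list of leads for one examination; every change is appended to history."""

    def __init__(self, case_id):
        self.case_id = case_id
        self._leads = []

    def _log(self, lead, event):
        lead.history.append((datetime.now(timezone.utc).isoformat(), event))

    def add(self, text, origin="request"):
        lead = Lead(len(self._leads) + 1, text, origin)
        self._leads.append(lead)
        self._log(lead, f"added ({origin})")
        return lead.lead_id

    def derive(self, parent_id, text):
        """A new lead developed while working another one; records which lead produced it."""
        return self.add(text, origin=f"derived from lead {parent_id}")

    def mark_processed(self, lead_id, note=""):
        lead = self._leads[lead_id - 1]
        lead.status = "processed"
        self._log(lead, f"processed: {note}")

    def open_leads(self):
        return [lead.text for lead in self._leads if lead.status == "open"]

    def report(self):
        return [(lead.lead_id, lead.text, lead.origin, lead.status) for lead in self._leads]


def demo():
    """Constructed walkthrough: two leads from the request, one developed during the exam."""
    leads = SearchLeadList("CASE-EXAMPLE-001")
    a = leads.add("search for spreadsheets of payments to vendor accounts")
    b = leads.add("recover deleted e-mail to the vendor contact")
    leads.mark_processed(a, "12 spreadsheets located, hashes recorded")
    c = leads.derive(a, "check for the bank account number found in the spreadsheets")
    leads.mark_processed(c, "account number found in two further documents")
    return leads


if __name__ == "__main__":
    for row in demo().report():
        print(row)
```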