Computer Forensics Guidelines

Contributed by Andrew Whitehead

Computer Forensic Examination and Analysis

A thorough computer forensic examination and its subsequent analysis is not something that can be done by just anyone; a specialist in the field will be required to examine any suspect computer system that has been seized for this purpose. He will examine it as a detective rather than purely as an IT expert: he will not chase after isolated pieces of information, but will let the clues and the digital data as a whole tell the story. To do this, and to ensure that the evidence is acceptable to a court, he needs a foot in both camps, IT expert and detective.

Protecting Media during Computer Forensic Analysis

A computer forensic examination follows several guidelines, starting with switching the computer on: he won't do it. When a computer runs through its start-up sequence the access times of certain files are altered, and that information may be critical to the investigation. To avoid this the original media needs to be made safe, either by disconnecting the hard drive and booting the machine from a known-clean forensic boot medium (historically a floppy disk), or by installing the hard drive as a secondary (slave) drive in the examiner's own machine, ideally behind a hardware write blocker so that nothing can be written back to it.

He will then make an exact copy of the disk, imaging it bit by bit so that the copy is identical to the original, including unallocated space. He will keep a detailed record of the method used (tool and version, block size, the cryptographic hashes of the original and of the image, date and time) in case he is required to prove that the image is a faithful copy and that the original was not altered in any way. All subsequent computer forensic analysis is carried out on the copy rather than on the original, to preserve the original data.
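The imaging and record-keeping step above, as an added example that is not code from the original article. The source "device" is a constructed temporary file of random bytes standing in for a seized drive; on a real case the source would be a block device attached behind a write blocker and the copy would normally be made with dd, dc3dd or an E01 acquisition tool. The bookkeeping (hash the source as it is read, hash the finished image, hash the source again, append a dated record) is the part that lets the examiner prove later that the image matches and the original was not changed:

```python
"""Bit-for-bit acquisition of a (constructed) source with hash verification.

Added example; not code from the original article. The source file, image
file and log file names are assumptions made for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # fixed read size, like dd bs=4096


def sha256_file(path, block_size=BLOCK_SIZE):
    """SHA-256 of a file read in blocks, so multi-GB images never need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy source to image block by block and return an acquisition record.

    The source is opened read-only and hashed while it is read; the image is
    then re-hashed from disk, and the source is hashed a second time after the
    copy, so the record shows (a) the image equals what was read and (b) the
    source is unchanged by the acquisition.
    """
    running = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(block_size)  # a short final read is normal at end of device
            if not block:
                break
            running.update(block)
            dst.write(block)
            copied += len(block)
    return {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source_path,
        "image": image_path,
        "block_size": block_size,
        "bytes_copied": copied,
        "source_sha256_during": running.hexdigest(),
        "image_sha256": sha256_file(image_path, block_size),
        "source_sha256_after": sha256_file(source_path, block_size),
    }


def verify_record(record):
    """True only if all three digests agree."""
    return (record["source_sha256_during"] == record["image_sha256"]
            == record["source_sha256_after"])


def append_log(record, log_path):
    """One JSON line per acquisition: the examiner's contemporaneous record."""
    with open(log_path, "a") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")


def demo(workdir=None):
    """Acquire a constructed 1 MiB + 100 byte 'drive', log it, then show that a
    one-bit change to the working copy is caught by re-hashing against the record."""
    workdir = workdir or tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "suspect_drive.bin")  # constructed stand-in for the seized disk
    image = os.path.join(workdir, "suspect_drive.dd")
    log = os.path.join(workdir, "acquisition.log")
    with open(source, "wb") as f:
        f.write(os.urandom(1024 * 1024 + 100))  # odd size, so the last block is partial
    record = image_device(source, image)
    append_log(record, log)
    verified = verify_record(record)
    # Flip one bit in the working copy; the digest in the record no longer matches.
    with open(image, "r+b") as f:
        f.seek(12345)
        b = f.read(1)[0]
        f.seek(12345)
        f.write(bytes([b ^ 0x01]))
    tamper_detected = sha256_file(image) != record["image_sha256"]
    return record, verified, tamper_detected


if __name__ == "__main__":
    rec, ok, caught = demo()
    print(json.dumps(rec, indent=2))
    print("image verified:", ok, "| tamper detected:", caught)
```

When imaging a real failing drive the read loop also has to cope with unreadable sectors (dd's conv=noerror,sync pads them with zeros and carries on) and the record should note every such sector; the example assumes a clean source and omits that.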

What is Looked at during a Computer Forensic Analysis?

Using that copy of the original disk, the computer forensic examination will focus on several areas: the free disk space, the file slack, and the swap files.

Free space is the unallocated space on the disk. It is "unused" only from the file system's point of view: deleting a file normally removes its directory entry and marks its clusters as free without wiping the data, so deleted files can often be recovered from there. File slack is the unused space between the end of a file's data and the end of the last cluster allocated to it; because the file system only writes the new file's own bytes, that tail may still hold data from a file that previously occupied the cluster and has since been deleted. Swap (page) files are the areas of disk where the operating system writes memory pages it cannot keep in RAM; they can contain fragments of whatever was in memory, including passwords, decrypted documents and text that was never saved to a file, and so may hold valuable information.
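Why deleted data survives in free space and file slack, as an added example that is not part of the original article. ToyVolume is a deliberately tiny cluster-based "file system" (contiguous first-fit allocation, no journal, no timestamps) written only so the two effects can be seen in a few bytes; the cluster size, file names and contents are all constructed for the demonstration:

```python
"""Deleted data surviving in free space and file slack on a toy volume.

Added example, not from the original article. Everything here (cluster size,
file names, contents) is constructed for the demonstration.
"""
CLUSTER = 512  # bytes per allocation unit


def clusters_for(size):
    """Number of clusters a file of `size` bytes occupies (at least one)."""
    return max(1, -(-size // CLUSTER))


class ToyVolume:
    def __init__(self, clusters):
        self.disk = bytearray(CLUSTER * clusters)  # raw media, initially all zero
        self.owner = [None] * clusters             # allocation map: file name or None
        self.files = {}                            # "directory": name -> (first_cluster, size)

    def write(self, name, data):
        """First-fit contiguous allocation. Only len(data) bytes are written, so the
        tail of the last cluster keeps whatever was there before (file slack)."""
        need = clusters_for(len(data))
        run = 0
        for i, o in enumerate(self.owner):
            run = run + 1 if o is None else 0
            if run == need:
                first = i - need + 1
                break
        else:
            raise OSError("volume full")
        off = first * CLUSTER
        self.disk[off:off + len(data)] = data
        for c in range(first, first + need):
            self.owner[c] = name
        self.files[name] = (first, len(data))

    def delete(self, name):
        """Like a typical OS delete: drop the directory entry and free the
        clusters, but do not overwrite the data they hold."""
        first, size = self.files.pop(name)
        for c in range(first, first + clusters_for(size)):
            self.owner[c] = None

    def slack_of(self, name):
        """Bytes between the end of the file's data and the end of its last cluster."""
        first, size = self.files[name]
        start = first * CLUSTER + size
        end = (first + clusters_for(size)) * CLUSTER
        return bytes(self.disk[start:end])

    def carve(self, needle):
        """Where does `needle` occur: in live files, in their slack, or in free clusters?"""
        hits = []
        for name, (first, size) in self.files.items():
            off = first * CLUSTER
            if needle in self.disk[off:off + size]:
                hits.append(("live", name))
            if needle in self.slack_of(name):
                hits.append(("slack", name))
        for c, o in enumerate(self.owner):
            if o is None and needle in self.disk[c * CLUSTER:(c + 1) * CLUSTER]:
                hits.append(("free", c))
        return hits


def demo():
    """Constructed scenario: a memo is written, deleted, then partly overwritten."""
    vol = ToyVolume(clusters=8)
    memo = (b"Meeting notes, Monday. " * 20                          # 460 bytes of padding
            + b"ACTION: transfer the funds to account 4471 before Friday. "
            + b"Archive password: Tr0ub4dor-3.")                     # 548 bytes: clusters 0 and 1
    vol.write("memo.txt", memo)
    vol.write("notes.txt", b"Nothing to see here.")                  # cluster 2
    vol.delete("memo.txt")                                           # entry gone, bytes remain
    vol.write("todo.txt", b"- buy milk\n" * 9 + b"- call Bob")       # 109 bytes, reuses cluster 0
    return vol


if __name__ == "__main__":
    v = demo()
    for word in (b"4471", b"password", b"milk"):
        print(word, "->", v.carve(word))
    print("todo.txt slack begins:", v.slack_of("todo.txt")[:40])
```

After the sequence in demo(), the account number from the deleted memo sits in the slack of todo.txt (the new file only overwrote the first 109 bytes of the cluster) and the memo's second cluster, now free space, still carries the archive password; neither would be visible through the directory.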

With the rapidly growing capacity of hard drives it has become physically impossible for a human being to examine by hand all the data that a computer system can hold, so many computer forensic consulting businesses have developed in-house software to assist in the examination of evidence; this also avoids the licensing restrictions placed on the major computer forensic evidence-gathering programs by government agencies worried about abuse by hackers.

This software usually takes the form of a text search tool. The computer forensic specialist uses a combination of his experience, background information about the case, deductive reasoning and common sense to devise a list of key words, and this list is run through the search tool to locate relevant evidence. The method is popular because it neatly avoids encroaching on any private third-party information that may also be held on the drive: only material matching the case-specific terms is brought to the examiner's attention. For the search to be worth anything it has to cover free space and file slack as well as live files, and it has to look for each term in the encodings actually used on the disk, since a Windows system stores much of its metadata and many document strings as UTF-16 rather than plain ASCII.
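A key-word search of the kind described above, as an added example and not the in-house tool the article refers to. The image is a constructed byte string: noise with planted fragments, one ASCII and one UTF-16LE, so that an ASCII-only search can be seen to miss the second. Keywords are assumed to be ASCII and matching is case-insensitive; hits are reported with their byte offset so they can be located in the image:

```python
"""Key-word search over a disk image at byte offsets, in both ASCII and UTF-16LE.

Added example, not from the original article. The sample image, its planted
fragments and the keyword list are constructed for the demonstration.
"""
import random
import re

# Filler alphabet with no ASCII letters or digits, so planted hits are the only hits.
NOISE = b"\x00\x01\x10\x7f\x80\xef\xfe\xff"


def _ascii_pattern(keyword):
    return re.compile(re.escape(keyword.encode("ascii")), re.IGNORECASE)


def _utf16le_pattern(keyword):
    """Each character followed by a NUL byte; letters accept either case."""
    parts = []
    for ch in keyword:
        if ch.isascii() and ch.isalpha():
            parts.append(b"[%s%s]\x00" % (ch.lower().encode(), ch.upper().encode()))
        else:
            parts.append(re.escape(ch.encode("ascii")) + b"\x00")
    return re.compile(b"".join(parts))


def _printable(text):
    return "".join(c if c.isprintable() else "." for c in text)


def keyword_search(image, keywords, context=16):
    """Return hits sorted by offset: keyword, encoding, byte offset, readable context."""
    hits = []
    for kw in keywords:
        for enc, pat in (("ascii", _ascii_pattern(kw)), ("utf-16le", _utf16le_pattern(kw))):
            for m in pat.finditer(image):
                start, end = m.start(), m.end()
                s = max(0, start - context)
                e = min(len(image), end + context)
                if enc == "utf-16le":
                    s += (start - s) % 2  # keep the snippet 2-byte aligned with the match
                    e -= (e - start) % 2
                    snippet = image[s:e].decode("utf-16-le", errors="replace")
                else:
                    snippet = image[s:e].decode("ascii", errors="replace")
                hits.append({"keyword": kw, "encoding": enc, "offset": start,
                             "context": _printable(snippet)})
    hits.sort(key=lambda h: h["offset"])
    return hits


def build_sample_image():
    """Constructed image: deterministic noise with planted fragments at known offsets."""
    rnd = random.Random(7)
    noise = lambda n: bytes(rnd.choice(NOISE) for _ in range(n))
    return b"".join([
        noise(300),
        b"Subject: Re: offshore ACCOUNT opening\r\n",       # ASCII; "ACCOUNT" at offset 322
        noise(200),
        "Wire 4471 to Zentrum Bank".encode("utf-16-le"),  # UTF-16LE; "4471" at offset 549
        noise(150),
        b"lunch at noon",                                  # unrelated; never surfaced
        noise(100),
    ])


if __name__ == "__main__":
    for h in keyword_search(build_sample_image(), ["account", "4471", "zentrum"]):
        print(f"{h['offset']:8d}  {h['encoding']:8s}  {h['keyword']:10s}  {h['context']}")
```

The "lunch at noon" fragment never appears in the output because it matches no term on the list, which is the privacy property the article describes; the UTF-16LE hits would be invisible to a plain `strings | grep` pass, which is why the search runs both patterns over the same bytes.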
