Personal Computer Forensics
This page collects information relating to forensic investigation of PC technology.
There are several key items to remember when performing a forensic investigation on a PC. Computer forensics involves a great many steps, but these are some basics to keep in mind.
1. Before removing or seizing a PC, document all the connections and cables attached to it. This is important should your case go to trial. It is also helpful because it may identify other devices attached to the PC that could contain data, such as external hard drives and PDAs.
2. If the PC is running at the time of seizure, photograph the screens that are open and the programs that appear to be running. Again, this could be important should your case go to trial.
3. If the PC is running, should you power it down using the operating system? Much depends on the type of case you are working on. Using the operating system to power down the PC gives it a chance to delete temporary files and change date/time stamps. If in doubt, unplug the PC from the power source. In many cases this preserves the data environment as it was at the moment power was removed.
4. Never turn on the PC without proper write-blocking devices or software in place. The simple act of turning on the PC can alter critical data. A Windows-based operating system will alter many date/time stamps in the system, as well as the date/time stamps of documents, while it boots.
5. Never work from the original data stored on the PC. Always make a forensic copy of the data and work from the copy. In fact, making several forensic copies is recommended: should something happen to the copy you are working with, you still have another copy to work from.
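Steps 4 and 5 above, as an added example that is not part of the original page: a Python acquisition routine that copies an evidence source while hashing it, re-hashes the written image to prove the copy is bit-for-bit identical, and then images the master once more to produce the working copy an examiner would actually use. The file names, the `demo()` helper and the sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read the source in 1 MiB blocks
ALGOS = ("md5", "sha256")

def hash_file(path):
    """Hash an existing image; run this before every examination session of a
    working copy to confirm it still matches the master copy."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def acquire_image(source_path, image_path):
    """Copy source_path to image_path, hashing the source as it is read, then
    re-hash the written image to prove the copy is bit-for-bit identical."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    size = 0
    # O_RDONLY stops this process writing to the source; it is not a substitute
    # for a write blocker between the evidence drive and the examination host.
    with os.fdopen(os.open(source_path, os.O_RDONLY), "rb") as src, \
            open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
            size += len(block)
    source_hashes = {name: h.hexdigest() for name, h in hashers.items()}
    image_hashes = hash_file(image_path)
    # The record belongs in the chain-of-custody notes alongside the photos
    # and cable documentation taken at seizure.
    return {"bytes": size, "source": source_hashes, "image": image_hashes,
            "verified": source_hashes == image_hashes}

def demo():
    """Constructed sample: a small file stands in for the seized drive."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "evidence.bin")
    with open(evidence, "wb") as f:
        f.write(b"constructed sample evidence\n" * 5000)
    master = os.path.join(workdir, "master.dd")
    working = os.path.join(workdir, "working.dd")
    # Image the original once, then image the master; neither is examined directly.
    return acquire_image(evidence, master), acquire_image(master, working)
```

The hashes in each record are what you compare against when a copy is later questioned; a working copy whose hash no longer matches the master is discarded and re-imaged.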