Forming a Computer Evidence Recovery Plan


Preface and Methodology

A court order may authorize the seizure of a computer so that evidence may be extracted from the computer's hard drive. This paper outlines five phases required to recover computer evidence data. By following the outlined procedure one would minimize the chance that the extracted evidence could be compromised.

To ensure the integrity of the computer evidence it is proposed that all data files should be copied onto write once only CD-Read Only Memory (ROM) disks. The alternative approach is to "clone" the computer hard drive. While the cloning approach at first sounds logical, there are some problems involved with this method.

All hard drives by their very definition are read and write media. This means that once information is cloned onto a hard drive it can be altered. It would be nearly impossible to change or alter data on a write once only CD-ROM. Secondly, when you copy a hard drive, you would be copying everything, including all the operating software.

This can occupy a fair amount of disk space. In reality, the evidence is usually found in data files. Data files typically account for a much smaller portion of the hard drive's space and so would be easier to deal with.

In the event that time or circumstances do not permit the sorting out of operating software and data files on the computer, the hard drive may be cloned. This should be done under strict custody of evidence procedures so that there can be no doubt that the data files were not altered. If the hard drive is cloned, it is still recommended that the data files subsequently be copied onto CD-ROMs. This enables faster file searches without the risk of changing the files and hence risking evidence contamination.

Once these steps are followed, any challenge that the evidence was compromised should be precluded.

Phase 1: Preliminary Procedure - Obtain Log On Names and PINs

  1. Request evidence computer log on name and password or Personal Identification Number (PIN).

  2. Request evidence computer e-mail log on name and password and or PIN.

  3. Request evidence computer encryption codes, encryption passwords, and software for the data files if applicable.

Note: A court order may be required for the above information.

Rationale for Phase 1

The computer that contains the evidence may have a user password and PIN log on requirement. Similarly, the computer may have an e-mail password and PIN log on. If the passwords and PINs are not readily available, it will be more difficult and time consuming to access the computer's files.

Note: Specific files may be encrypted. It may be very difficult if not impossible to access these encrypted files without the encryption software and code.

Phase 2: Evidence Access and Duplication

  1. Identify all data files including hidden and deleted files. Identify e-mail message files.

  2. Copy identified files onto CD-ROM write once only disks.

  3. After all the copies are completed, certify that each file was copied from the evidence computer.

Note: Use a log sheet that lists the files and carries the signature of an authorized witness as each file or group of files is copied.

Rationale for Phase 2

There are usually three types of data files to identify. These are text files, spreadsheet files and graphic files. These data files will usually contain evidence. These data files should be categorized and assigned folders with labels for evidence tracing purposes. The labels may be identical to those on the existing computer folders. The files and their associated folders can now be copied onto a write once only CD-ROM. The evidence will thus stay intact and unalterable by the very nature of the recording medium.
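Step 3 of Phase 2 (certify that each file was copied) and the witnessed log sheet are, in practice, backed by a cryptographic hash of every file recorded before and after the copy, which the article does not spell out. The following Python script is an added example and not part of the original article: it walks a mounted evidence folder, hashes each file with SHA-256, copies it into a staging folder (the one later recorded onto the write-once disc), re-hashes the copy, writes one log-sheet row per file, and can later re-verify the staged copies against that log. The folder names, the witness field and the three sample files are constructed for the demonstration.

```python
"""Chain-of-custody copy log with per-file hashes (added example; assumptions:
the evidence files are mounted read-only under src_root, dst_root is the
folder to be recorded onto write-once media, and the CSV log is the sheet
the authorized witness signs)."""
import csv
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB blocks so large files need not fit in memory


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def copy_and_certify(src_root, dst_root, log_path, witness):
    """Copy every file under src_root into dst_root, hashing the source before
    the copy and the copy afterwards. One log-sheet row is written per file;
    the witness name is recorded, the signature itself stays on paper.
    Returns the rows so the caller can inspect the 'match' column."""
    rows = []
    for dirpath, _, filenames in os.walk(src_root):
        for name in sorted(filenames):
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            src_hash = sha256_of(src)
            shutil.copy2(src, dst)  # copy2 preserves the file's timestamps
            dst_hash = sha256_of(dst)
            rows.append({
                "file": rel,
                "size": os.path.getsize(src),
                "sha256_source": src_hash,
                "sha256_copy": dst_hash,
                "match": src_hash == dst_hash,
                "copied_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                "witness": witness,
            })
    fieldnames = list(rows[0].keys()) if rows else ["file"]
    with open(log_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fieldnames)
        writer.writeheader()
        writer.writerows(rows)
    return rows


def verify_against_log(dst_root, log_path):
    """Re-hash each staged copy and compare it with the logged source hash.
    Returns the relative paths whose current hash no longer matches."""
    mismatches = []
    with open(log_path, newline="") as fh:
        for row in csv.DictReader(fh):
            current = sha256_of(os.path.join(dst_root, row["file"]))
            if current != row["sha256_source"]:
                mismatches.append(row["file"])
    return mismatches


def demo():
    """Constructed sample: three small 'data files' in a temporary evidence tree."""
    work = tempfile.mkdtemp()
    src, dst = os.path.join(work, "evidence"), os.path.join(work, "staging")
    os.makedirs(os.path.join(src, "Letters"))
    os.makedirs(os.path.join(src, "Budgets"))
    samples = {  # hypothetical contents, not from any real case
        "Letters/memo.txt": b"Meeting moved to Tuesday.\n",
        "Budgets/q1.csv": b"item,amount\nrent,1200\n",
        "notes.txt": b"call back re: contract\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(src, *rel.split("/")), "wb") as fh:
            fh.write(data)
    log = os.path.join(work, "copy_log.csv")
    rows = copy_and_certify(src, dst, log, witness="J. Doe (example)")
    clean = verify_against_log(dst, log)
    # Simulate a post-copy alteration of one staged file; verification must flag it.
    with open(os.path.join(dst, "notes.txt"), "ab") as fh:
        fh.write(b"edited\n")
    tampered = verify_against_log(dst, log)
    return rows, clean, tampered


if __name__ == "__main__":
    rows, clean, tampered = demo()
    for r in rows:
        print(r["file"], r["sha256_source"][:12], "match" if r["match"] else "MISMATCH")
    print("mismatches before alteration:", clean)
    print("mismatches after alteration:", tampered)
```

Once the staging folder has been recorded, the same log can be checked against the disc itself, which is the point at which the write-once medium and the hashes together support the certification in step 3.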

Phase 3: Software Identification

  1. Identify all software used in the evidence computer.

  2. Identify e-mail account client and provider.

  3. Have available another computer (called Computer No. 2). Load the previously identified software onto this secondary computer.

  4. Load the CD-ROM disc (previously recorded with data files) into Computer No. 2.

  5. Review and print all or selected evidence data files as required.

Rationale for Phase 3

The previously copied files must now be viewed. This will require the identification of the associated software. Most likely it will be Microsoft Word, Microsoft Excel and perhaps an additional graphic program such as PowerPoint. The e-mail software should also be identified. All the required software thus identified should be installed on another computer. This computer should be labeled Computer No. 2. Computer No. 2 will be used to view and print the evidence files.

Phase 4: E-Mail Evidence Discovery

  1. Identify e-mail provider.

  2. Request any available e-mail files from e-mail provider's server.

Note: Access to the evidence computer's e-mail server may require a court order.

Rationale for Phase 4

E-mail evidence may be found on the e-mail client server. The e-mail provider can be identified from the information in the evidence computer's hard drive files. In addition, e-mail address books should also be reviewed to identify other evidence.

Phase 5: Review of Evidence

This is the final phase of the evidence discovery from the evidence computer. All evidence files are now on CD-ROMs and Computer No. 2 has the requisite software loaded to view and evaluate the evidence.

The attorney may now want to search on a key phrase or name(s) contained within all the files to quickly sort out any specific evidence. Or, the attorney may want to sort files by date and review a chronology of events. All these options are available for evidence discovery.
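The two reviews described here, a key-phrase search across all the files and a chronology built from file dates, can be run directly against the copied data set from Computer No. 2 without altering anything. The following Python script is an added example, not part of the original article: it searches every plain-text file under a folder for a list of phrases (opening files read-only), and lists all files in last-modified order. Word, Excel and similar formats are deliberately skipped, since they need their own viewer; the sample files, their contents and their timestamps are constructed for the demonstration, and file dates are only meaningful if they were preserved when the copies were made.

```python
"""Key-phrase search and date chronology over a copied evidence set
(added example; assumes the copies are mounted under `root`)."""
import os
import re
import tempfile
from datetime import datetime, timezone

# Formats this example can read directly; other document types are skipped.
TEXT_SUFFIXES = {".txt", ".csv", ".htm", ".html", ".eml"}


def search_phrases(root, phrases):
    """Case-insensitive search of every text file under root for any phrase.
    Returns {relative path: [(line number, line text), ...]} for files that
    matched. Files are only ever opened for reading."""
    pattern = re.compile("|".join(re.escape(p) for p in phrases), re.IGNORECASE)
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in TEXT_SUFFIXES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                matches = [(n, line.rstrip("\n"))
                           for n, line in enumerate(fh, 1) if pattern.search(line)]
            if matches:
                hits[os.path.relpath(path, root)] = matches
    return hits


def chronology(root):
    """All files under root ordered by last-modified time, oldest first.
    Returns [(ISO-8601 UTC timestamp, relative path), ...]."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            entries.append((mtime.isoformat(timespec="seconds"),
                            os.path.relpath(path, root)))
    return sorted(entries)


def demo():
    """Constructed sample set with hand-picked modification times."""
    root = tempfile.mkdtemp()
    samples = [  # (relative path, contents, mtime in epoch seconds); hypothetical
        ("memo1.txt", "Contract signed with Acme.\nNo further action.\n", 1_000_000_000),
        ("memo2.txt", "Lunch on Friday.\n", 1_000_100_000),
        ("ledger.csv", "item,amount\nAcme retainer,5000\n", 1_000_050_000),
        ("photo.jpg", "not a text file", 1_000_000_500),
    ]
    for rel, text, when in samples:
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.utime(path, (when, when))
    return search_phrases(root, ["acme", "contract"]), chronology(root)


if __name__ == "__main__":
    hits, order = demo()
    for rel, matches in hits.items():
        for n, line in matches:
            print(f"{rel}:{n}: {line}")
    for stamp, rel in order:
        print(stamp, rel)
```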

Copyright © 2004 Harold Minuskin, All rights reserved. No portion of this article may be reproduced without the express written permission of the copyright holder. If you use a quotation, excerpt or paraphrase of this article, except as otherwise authorized in writing by the author of the article you must cite this article as a source for your work and include a link back to the original article from any online materials that incorporate or are derived from the content of this article.

This article was last reviewed or amended on Jun 15, 2017.