Collection of Evidence: Recover Deleted-Hidden Files
The manner in which electronic evidence is collected and preserved is crucial to any investigation or legal matter. The following are general guidelines companies should adhere to when collecting electronic evidence. Whenever possible a computer forensic examiner should be consulted.
- First and foremost, the company, with the help of their attorney, must first determine if they have a legal right to collect the data stored on the electronic device(s) of interest.
- Computer hard drives and most forms of digital media are time stamped every time they are accessed and modified. To preserve the evidence as it was last used, it is imperative to have the device turned off, the power cable removed and if possible, stored in a secure location. IT personnel, while very knowledgeable, can unintentionally alter, what may be critical data in an investigation simply buy using or reassigning a device to another employee.All suspects and witnesses should be removed from the general area where the electronic device is being stored. If this is not possible, the electronic evidence should be collected or preserved after regular business hours, when any suspects and witnesses are not present. Also, whenever possible, the suspects and witnesses should not be notified that evidence is being collected from an electronic device assigned to them.
- If it is not practical to move an electronic device to a forensic laboratory, a computer forensic examiner should image or replicate the device onsite, using generally accepted computer forensic methods. Keep in mind that the length of this process depends on the size of the hard drive(s) and the volume of data being imaged.
- Next, all information pertinent to the investigation should be gathered before any work is performed on the data contained on the electronic device. This includes password(s), identifying the type of operating system(s) used, screen names, e-mail addresses, software programs of interest, etc.
- The area immediately surrounding the location of the electronic device in question should be searched thoroughly for any evidence. Computer forensic examiners routinely photograph the entire work space and look for alternate data storage devices or signs of their use. External hard drives, floppy disks, USB flash drives, SD cards and readers, voice recorders, digital cameras, and even iPods can all be used to store data that may be relevant to an investigation.
- The collection of any electronic device should be documented using a Chain of Custody form. The Chain of Custody form should reference the date, name of the person collecting the electronic device, the name of the authorized person releasing the device, a detailed description of the electronic device in question and any identifying information, such as a serial number. Time-stamped photos of the electronic device should also be taken. If the collection of data from an electronic device (such as a laptop) is not practical to perform onsite, then the client can ship the electronic device to the computer forensic examiner. Photos of the device should be taken prior to shipping and include a cover letter with the shipment that describes the electronic device being shipped. The shipment should be traceable and the item should be packaged with a great deal of care.
Electronically stored data can easily be destroyed if the above referenced steps are not carefully followed.