Sometimes the need for formalized computer forensics methodologies is not clear to investigators at the onset of an investigation. One of the best examples of this type of situation is in the commercial setting when the computer of a terminated employee is given the once-over by an internal information technology staff member.
We can imagine the orders given to the IT staff: “Just take a look at the computer, and tell me if you find anything suspicious.” It is assumed that IT personnel know what information is of importance to the company, such as trade secrets, business practices, and intellectual property.
Unfortunately, if the IT staff member has not been trained in formalized computer forensics methodologies, artifacts of potential evidentiary value may lose their value and overall admissibility in court, or worse yet, the evidence may be destroyed altogether.
In a well-publicized trade-secret theft case, Gates Rubber Co. v. Bando Chemical Indus., Ltd., nonstandard forensics procedures by the plaintiff’s own expert resulted in the loss of artifacts potentially valuable to the case [Frd01]. In the Gates case, the computer forensics expert was criticized for making a file-by-file copy rather than a bit stream copy of the evidence disk.
By not making a bit stream copy, potential evidence in unallocated or disk slack space was overlooked. The court determined that there was a mandatory legal duty on the part of the litigants to perform proper computer forensics investigations.
This seminal case identifies the need for sound forensics methodologies to be used from the onset of suspicion. It is essential for all computer forensics investigators involved in the collection of digital data to understand the basic nature of that data: it is very fragile, it can become contaminated easily, and you often get only one chance for collection.
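The difference between a file-by-file copy and a bit stream copy can be shown on a toy disk. The following is an added example, not code from the original article or the Gates case; the 4-cluster layout, file names and contents are constructed for illustration and do not model a real file system.

```python
import hashlib

SECTOR = 512
CLUSTER = 4 * SECTOR  # constructed toy layout, not a real file system

def build_evidence_disk():
    """Constructed 4-cluster disk. Returns (raw bytes, allocation table)."""
    disk = bytearray(4 * CLUSTER)
    old = b"CONFIDENTIAL formula draft v7 " * 60       # deleted file, cluster 1
    disk[CLUSTER:CLUSTER + len(old)] = old
    gone = b"customer-list-export.csv"                 # deleted file, cluster 2
    disk[2 * CLUSTER:2 * CLUSTER + len(gone)] = gone
    memo = b"Lunch menu for Friday.".ljust(100, b".")  # new file reuses cluster 1
    disk[CLUSTER:CLUSTER + len(memo)] = memo
    # name -> (cluster, logical size); only memo.txt is still allocated
    return bytes(disk), {"memo.txt": (1, len(memo))}

def file_by_file_copy(disk, table):
    """Logical copy: only the bytes inside each allocated file's size."""
    return {n: disk[c * CLUSTER:c * CLUSTER + size] for n, (c, size) in table.items()}

def bit_stream_copy(disk):
    """Sector-by-sector image of the whole device plus its SHA-256."""
    image = b"".join(disk[o:o + SECTOR] for o in range(0, len(disk), SECTOR))
    return image, hashlib.sha256(image).hexdigest()

def classify(offset, table):
    """Report whether a raw offset is file content, slack or unallocated."""
    for c, size in table.values():
        if c == offset // CLUSTER:
            return "file" if offset % CLUSTER < size else "slack"
    return "unallocated"

def keyword_hits(image, table, keyword):
    """Return (offset, region) for every occurrence of keyword in the image."""
    hits, pos = [], image.find(keyword)
    while pos != -1:
        hits.append((pos, classify(pos, table)))
        pos = image.find(keyword, pos + 1)
    return hits

if __name__ == "__main__":
    disk, table = build_evidence_disk()
    logical = b"".join(file_by_file_copy(disk, table).values())
    image, digest = bit_stream_copy(disk)
    print("image verified:", digest == hashlib.sha256(disk).hexdigest())
    for kw in (b"CONFIDENTIAL", b"customer-list"):
        print(kw, "in logical copy:", kw in logical, "| image:", keyword_hits(image, table, kw)[:1])
```

The logical copy contains only the memo, while the verified image still holds the deleted material in slack and unallocated space.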