Computer Forensics Investigation

When a crime is committed that requires a computer forensics investigation, there are typically four basic steps that are followed.

1. Secure the Crime Scene – Computer forensics expert(s) should be contacted immediately following the crime. They need to be first responders in order to best preserve the digital evidence. Delays in reporting can result in the contamination of digital evidence by other users or destruction of the data.

2. Preserve the Evidence – Digital computer evidence is very fragile. It can be easily damaged, altered, or destroyed. Even the simple act of powering on a computer may destroy evidence.

Only trained computer forensics professionals should handle digital evidence. It is very important that the integrity of the data be maintained so that it can hold up in a court of law.

3. Establish the Chain of Custody – When responding to a crime scene, computer forensics teams must start and maintain a strict chain of custody of digital evidence.

The chain of custody documents the digital evidence and where it was at all times once in custody. If there are gaps in the chain of custody, it can result in cases being dismissed because the evidence would be deemed unreliable.

4. Examine for Evidence – Once the original computer system is secured and a mirrored image copy has been made, the mirrored image is examined for evidence. An examination typically includes searching word processing documents, images, spreadsheets, e-mail files, and other documents on digital equipment for evidence.

Memory cache and Web browser cookies are also examined for evidence. Once the evidence has been examined, computer forensics experts write a report on their findings.
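
The following is an added example, not part of the original article. It sketches how steps 2 and 3 can be checked in practice: a chain-of-custody log that records a hash of the mirrored image for each custodian and is audited for altered records, a changed image, and gaps in custody. The use of SHA-256, the record fields, the hash-chained log and the sample data are assumptions made for illustration.

```python
import hashlib
from datetime import datetime

GENESIS = "0" * 64  # assumed starting value for the first log entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(prev: str, e: dict) -> str:
    # Chain each record to the one before it so later edits are detectable.
    fields = [prev, e["evidence_sha256"], e["custodian"], e["received"], e["released"]]
    return sha256_hex("|".join(fields).encode())

def build_log(image: bytes, holds: list) -> list:
    log, prev = [], GENESIS
    for custodian, received, released in holds:
        rec = {"evidence_sha256": sha256_hex(image), "custodian": custodian,
               "received": received, "released": released}
        rec["digest"] = prev = entry_digest(prev, rec)
        log.append(rec)
    return log

def audit(log: list, image: bytes) -> list:
    problems, prev, current = [], GENESIS, sha256_hex(image)
    for i, rec in enumerate(log):
        if entry_digest(prev, rec) != rec["digest"]:
            problems.append(f"entry {i}: record altered after it was written")
        if rec["evidence_sha256"] != current:
            problems.append(f"entry {i}: image hash differs from logged hash")
        if i > 0:
            released = datetime.fromisoformat(log[i - 1]["released"])
            received = datetime.fromisoformat(rec["received"])
            if received > released:  # time nobody can account for
                problems.append(f"entry {i}: gap in custody from {released} to {received}")
        prev = rec["digest"]
    return problems

# Constructed sample data: a stand-in for the mirrored image and three custodians.
IMAGE = b"constructed stand-in for a mirrored disk image"
HOLDS = [("first responder", "2024-01-10T09:00", "2024-01-10T11:00"),
         ("evidence locker", "2024-01-10T11:00", "2024-01-12T08:00"),
         ("examiner", "2024-01-12T08:00", "2024-01-12T17:00")]

if __name__ == "__main__":
    log = build_log(IMAGE, HOLDS)
    print(audit(log, IMAGE))            # intact chain and image
    print(audit(log, IMAGE + b"\x00"))  # image changed after logging
```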