Much like the value of physical evidence at a crime scene, the value of the data stored in computers is crucial to successful litigation. In fact, it can make or break the outcome of a lawsuit. Here are 10 ways to compromise a computer forensics investigation, many of which happen all too often:
1. Not Talking to the Client
In-house counsel, IT staff, and every business player involved with the case should be included when conducting e-discovery for a client corporation. Failure to involve all parties can result in overlooked or lost data. Computer forensic investigators also have invaluable experience that may apply to your situation, which they can share with you when they are involved in the process from the beginning.
2. Failure to Learn the Lingo
Even tech-savvy support professionals may become confused by the expanded vocabulary employed by computer forensics experts. It pays to become familiar with the new language. For example, a "custodian" actually refers to the keeper of electronic data or the employee source during an investigation. Your expert should be able to communicate very technical concepts to the layperson, but the client needs to make time in order to learn the process that is occurring.
3. Not Making a Forensics Image of the Computer(s) Involved
Imaging is the process of creating a complete duplicate of a hard drive. The goal is a complete and accurate copy of the original materials with no risk of flawed or overlooked data. The imaging process also allows the computer examiner to verify the contents of the forensic copy. This eliminates the argument that a file was not completely copied or that parts of the drive were not preserved.
4. Booting Up the Computer
The simplest of operations can sometimes have the most damaging effect. Turning on a computer that's relevant to a case can overwrite sensitive files that may be important to your case and change important time stamps. The computer should not be used at all and should be stored in a secure location until it can be handed over to the computer forensics expert. Data may reside on a frequently used server in some cases. Call a computer forensic expert immediately if it is not possible to remove the server from operation.
5. Turning Off a Seized Computer
If a computer is running at the time it is seized, it should be powered down in a way that will be least damaging to potential evidence. The correct method depends on multiple factors, such as which operating system is being used. A method that is appropriate for one operating system may lead to catastrophic failures on another.
6. Browsing Through the Files on a Computer
Resist the temptation to snoop, even with the best intentions. You may know exactly where to look, but it's the act of looking that causes problems when it comes to retrieving untainted evidence. Browsing through files may cause file times to change, which may make it impossible to tell exactly when an important file was deleted or copied from your network.
7. Waiting to Preserve the Evidence
In many cases, clients will delay preserving the evidence until it is absolutely necessary in hopes of saving time and money. The longer a computer is in operation without any preservation, the more likely it is that the data relevant to your situation may be permanently altered or overwritten. Forensic analysis of this data becomes more costly and cumbersome. Always preserve your electronic data the moment you believe that litigation is possible. Spending a few hundred dollars now could save thousands down the road.
8. Failure to Maintain a Proper Chain of Custody at the Time of Collection
Not documenting who had access to the electronic evidence after the alleged incident can lead to problems down the road. Opposing counsel can poke holes in the collection and preservation process by arguing that data could have been altered on the device while the computer was not accounted for.
9. Not Using a Computer Forensics Expert
The client's IT department is not a computer forensics department. In fact, asking the IT staff to conduct even routine checks into a system's files can destroy potential evidence. The IT staff has programs available to create copies of data that may not be forensically sound and can complicate issues later. A professionally trained computer forensics expert should be retained for the handling of all sensitive data.
10. Copying Data Using "Cut and Paste" or "Drag and Drop" Methods
It is true that you can buy an $80 external USB hard drive and copy your data to it. However, this process does not preserve the unallocated space (where deleted files reside) and will change the file times and other data on the files that have been copied out. Additionally, there is no verification in this process to ensure that the data has been completely copied out and no errors have occurred. Preserving data with a USB drive will cause preservation issues down the road.
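The verification point made in items 3 and 10, as an added example that is not part of the original article: a Python sketch that fingerprints a file by SHA-256 hash, size and modification time, then shows that an ordinary copy keeps the content but loses the timestamp, and that an incomplete copy is caught only by comparing fingerprints. The file names, contents and the choice of SHA-256 are assumptions made for the illustration.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def fingerprint(path):
    """Record content hash, size and modification time for one file."""
    st = os.stat(path)
    return {"sha256": sha256_file(path), "size": st.st_size,
            "mtime_ns": st.st_mtime_ns}

def compare(original, copy):
    """Return the attributes on which the copy differs from the original."""
    a, b = fingerprint(original), fingerprint(copy)
    return sorted(k for k in a if a[k] != b[k])

def demo():
    """Constructed sample: one back-dated file, copied two different ways."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "evidence.doc")
        with open(src, "wb") as fh:
            fh.write(b"constructed sample contents\n" * 1000)
        old = 10**18  # 2001-09-09 in nanoseconds, so a change is visible
        os.utime(src, ns=(old, old))

        # Content-only copy, the equivalent of drag and drop.
        plain = os.path.join(work, "plain_copy.doc")
        shutil.copyfile(src, plain)

        # Simulated incomplete copy: last 10 bytes missing, timestamp kept.
        truncated = os.path.join(work, "truncated_copy.doc")
        with open(src, "rb") as fin, open(truncated, "wb") as fout:
            fout.write(fin.read()[:-10])
        os.utime(truncated, ns=(old, old))

        return {"plain": compare(src, plain),
                "truncated": compare(src, truncated),
                "self": compare(src, src)}
    finally:
        shutil.rmtree(work)

if __name__ == "__main__":
    print(demo())
```

A file-level comparison like this says nothing about unallocated space, which only a full image of the drive preserves.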
Computer forensics investigations are highly sensitive procedures. It is vital to everyone involved that special care be taken with each step during the recovery and preservation processes. Proper supervision, auditing logs, chain of custody reports, and professional expertise will help to ensure that no data is lost, destroyed, or altered due to improper treatment of resources.
About the Author
Jeremy Wunsch is the founder and CEO of LuciData Inc. in Minneapolis. He can be reached at 612-326-3456 or email@example.com