I am a first responder, so I will make sure that no evidence should be tampered or damaged. I will consider all functional or non-functional computers as evidence and capture photographs or images of all display screens. I will disconnect computers from the network to protect the tampering or removal of evidence.
There are some obstacles involved in the computer forensics; there is a chance that the evidence was deleted from systems or devices. Files are often password protected, and it requires a great effort to decode a file that involves strong cryptography.
Digital evidence are sensitive and fragile and can be altered or damaged by the mishandling of systems and data. A mishandling can also cause the overwriting of data and can affect the authenticity of evidence.
There are some risks involved with a startup or shutdown process of computers. There is a possibility that a criminal configured self-destruct software that will damage the evidence during startup or shutdown. The damage can eventually cause the corruption or loss of data.
If the system is in on state, it is better to perform disk imaging on the scene. If the system is in off state, then the disk imaging should perform in a forensic lab. Encase has a simple Graphical User Interface (GUI), and it is a preferable software to perform disk imaging (Shinder & Tittel, 2002).
Evidence can also be present on digital devices like mobile phones and PDA’s. I will make sure that they remain a charge and will not run out their batteries. I save the data with the help of memory cards or forensic tools.
The world understands the importance of computer forensics, and there is news that the Irish police is planning to collaborate with other foreign partners to deal with emerging threats of cyber crime with the latest forensic and cyber tools.
Reference
Shinder, D., & Tittel, E. (2002). Scene of the Cybercrime: Computer Forensics Handbook. (E. Tittel, Ed.) New York: Syngress.
