What is the proper procedure for preserving computer evidence?
The proper procedure for preserving computer evidence involves taking a systematic approach to the task. Consider that preserving computer evidence is, comparatively speaking, a more modern process unique to our contemporary society and quite different from traditional forensics of past eras. A number of procedures are now in place for collecting and preserving computer evidence. The following are a few of them:
The first step is to close down the actual computer or computers that are a part of the investigation. The next step in the process is to implement a suitable chain of custody. Who will control what elements of the computer evidence retrieved. Those accountable for the investigation and in control of it from start to finish must know who has had access to the evidence all along the chain (what, when, and where).
Another step is to make backup copies of the information retrieved to safeguard against loss, theft, or destruction of this valuable information. Another step in the process involves evaluating erased files for evidence - as some programs on a computer do not entirely erase names of files or their content.
Another of many steps is to have documentation made that is quickly and easily retrievable concerning file dates, times, as well as names. Of course, on top of all of this, and the many other steps, is to ensure the security clearance of the individuals who will be performing the actual steps to retrieve the computer evidence needed to build a case against an individual, group, or organization.