All discovered evidence has to be admissible in a court of law, which means it must be reliable and relevant. The original media (from which the evidence derives) must remain untampered, intact and protected at all times. An independent third-party investigator who repeats the same accepted processes should be able to produce identical evidence.
In fact, there is a variety of standard codes of practice or forensic procedures that one could follow. Whatever the standard or rules, the main principles are more or less the same, and all of them centre on the core idea of admissibility of evidence, namely:
1. Throughout the investigation process, original data on storage media should never be altered or damaged by any action, and proof of this may be required.
2. If it is necessary and relevant to access original data on a computer or storage media, it must be done by a qualified and trained forensic investigator who understands the implications of every action taken and is fully accountable for them.
3. An audit trail or complete record of all processes during the course of acquisition, investigation and examination should be made and kept for possible presentation. A chain-of-custody document must be set up detailing, throughout the process, who has the original evidence, when it was in their possession and what was done to it. Failure to do so may result in rejection of the evidence by the court.
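As an added example (not from the original text), one way to keep the chain-of-custody record described above so that it also proves it was not rewritten later: every who/when/what entry carries the digest of the entry before it, and a verifier walks the chain. The function names, the custodian names and the exhibit id HDD-01 are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_digest value for the first record in a fresh log

def record_digest(body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the digest is reproducible
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def add_custody_event(log: list, custodian: str, action: str, item_id: str, when: str = None) -> dict:
    """Append one chain-of-custody record: who holds the item, when, and what was done.
    Each record embeds the digest of the previous record, so any later edit to an
    earlier entry breaks the chain and is detectable."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    prev = log[-1]["digest"] if log else GENESIS
    body = {"seq": len(log), "item_id": item_id, "custodian": custodian,
            "action": action, "timestamp": when, "prev_digest": prev}
    record = dict(body, digest=record_digest(body))
    log.append(record)
    return record

def verify_custody_log(log: list) -> tuple:
    """Recompute every digest and link. Returns (True, -1) when the log is intact,
    otherwise (False, index) naming the first record that fails."""
    prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "digest"}
        if body.get("seq") != i or body.get("prev_digest") != prev:
            return False, i
        if record_digest(body) != record.get("digest"):
            return False, i
        prev = record["digest"]
    return True, -1

def demo() -> tuple:
    # Constructed sample events for a hypothetical exhibit labelled "HDD-01"
    log = []
    add_custody_event(log, "A. Examiner", "seized, bagged and sealed", "HDD-01", "2024-01-15T09:12:00+00:00")
    add_custody_event(log, "A. Examiner", "imaged behind write blocker", "HDD-01", "2024-01-15T11:40:00+00:00")
    add_custody_event(log, "B. Analyst", "received working copy of image", "HDD-01", "2024-01-16T08:05:00+00:00")
    intact = verify_custody_log(log)
    log[1]["action"] = "imaged without write blocker"  # simulate a later alteration
    return intact, verify_custody_log(log)
```

The second result from demo() points at record 1, the entry whose wording was changed after the fact.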
Before the start of the forensic examination, all parties must be informed of the steps that minimise contamination of the evidence: for instance, instructions not to power on a computer system if it is already down, or for network users to disconnect from the corporate servers. The examiner needs to assess the situation and decide what software or hardware tools are needed to carry out the job, and whether to go for live or off-line acquisition. For live acquisition, the forensic investigator is normally given a limited time to perform the acquisition, so he needs a strategy to get the most out of the time slot given. He may not get a second chance if he finds something essential missing from the live capture.
Before proceeding with the actual work, it is better to formulate a plan: list concise instructions and proposed actions, allocate roles and resources for all parties, and carefully analyse legal restrictions and which areas are red or green zones before stepping into them.
Live or off-line Acquisition
Evidence can be acquired either off-line or live.
For off-line acquisition, the forensic examiner duplicates the information from the digital device (normally a hard disk drive) while it is turned off. Commonly a write blocker (software- or hardware-based) is used in tandem with a software utility to make an exact bit-for-bit clone of the original storage media without altering any information on it. The examiner then works on the cloned copy, and the original media is kept sealed.
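An added example, not code from the original text, of what the clone-and-verify step looks like in practice: the source is read once and hashed as it is copied, then the finished image is hashed again so the examiner can show the working copy is bit-for-bit identical, and a single flipped byte in the copy is caught on re-verification. It assumes the real device sits behind a write blocker and stands in a constructed file for it; the function names are hypothetical.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, the kind of block size an imaging tool uses

def sha256_of(path: str) -> str:
    """Hash a file in chunks so that large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()

def image_media(source_path: str, image_path: str) -> dict:
    """Copy every byte of the source to an image file, hashing the source as it is
    read and the image after it is written. The source is only ever opened read-only."""
    source_hash = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            source_hash.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before hashing it
    image_hash = sha256_of(image_path)
    return {"bytes": copied, "source_sha256": source_hash.hexdigest(),
            "image_sha256": image_hash,
            "verified": image_hash == source_hash.hexdigest()}

def demo() -> tuple:
    """Image a constructed stand-in for a disk, then alter one byte of the copy."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "device.bin")
    image = os.path.join(workdir, "device.dd")
    with open(source, "wb") as handle:
        handle.write(os.urandom(3 * CHUNK + 123))  # constructed sample media
    os.chmod(source, 0o444)  # mimic the read-only view a write blocker provides
    result = image_media(source, image)
    with open(image, "r+b") as handle:  # simulate one flipped byte in the working copy
        handle.seek(1000)
        original = handle.read(1)
        handle.seek(1000)
        handle.write(bytes([original[0] ^ 0xFF]))
    still_matches = sha256_of(image) == result["source_sha256"]
    shutil.rmtree(workdir)
    return result["bytes"], result["verified"], still_matches
```

The hashes returned by image_media are what belong in the acquisition record alongside the time, the operator and the tool used.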
At times, live acquisition may be necessary because turning off the power of the computer system may result in loss of work activities, which translates to financial loss. In some situations, valuable evidence may also be lost as soon as the computer is shut down, particularly information held in volatile RAM, for instance when passwords for disk encryption need to be recovered. In such cases, the investigator would need to carry out a live acquisition by running tools from removable media (normally without installation, to avoid further alteration to the system) to extract the necessary data. Obviously such a method of acquisition is considered intrusive because the state of the computer will be changed. The examiner has to justify that such action is necessary or relevant and that the captured data is not affected by the procedure. As a result, the examiner will need to keep detailed records of the processes at each stage.
This is particularly important in live acquisition, as there will be many uncontrollable factors on site that may deviate from the planned actions. An experienced investigator should always have an alternative plan for when the intended process cannot be carried out on site. It is particularly important to identify and secure the relevant devices and to document the scene. Talking to the right people, such as the end users, the IT managers or engineers, will frequently shed light on the correct actions to follow.
All acquired evidence must be properly labelled, bagged and sealed, with references to the notes or records. Chain-of-custody documentation must start as soon as the evidence is acquired or handed over to the examiner.
Analysis involves the detailed examination of the acquired data in the lab. Depending on the situation, different tools can be used for such analysis, and it is always good practice to work on a duplicate copy of the data whenever possible. It is important to stress that the tools must be tested and proven. The forensic investigator should be able to explain the results extracted by the tools from basic principles. It is not wise to trust all the evidence produced by the tools without active verification; a good practice is to use alternative tools to re-confirm the results.
For the evidence to be admissible in court, it must be reliable, impartial, thorough, understandable and reproducible.
At the reporting stage, the examiner produces a structured report on the findings. All discoveries or exhibits relevant to the investigation need to be enclosed.
It is a good idea to separate the report into an understandable summary of findings and technical sections. The judge is not interested in reading technical jargon, so the summary of findings is what helps them make the legal decision. On the other hand, an independent investigator may want to know how you arrived at the result, so the technical section will be more relevant to him.
At the end of the process, a good forensic examiner should always look back to identify any shortcomings in the processes and tools, and even mistakes made during the investigation. This will prepare the examiner more effectively for the next investigation should a similar situation occur.