What does a computer forensic analyst do?
The first rule of computer forensic evidence analysis is “don’t alter the evidence in any way.” The simple act of turning on a computer can alter or destroy any evidence that might be there. The search for evidence on a computer should only be done by a trained and experienced computer forensic examiner. The examiner will document all work, write-protect all media, make copies of media (often referred to as a mirror image), perform an examination and analysis on the copies, and prepare a written report. Extra copies of the mirror images are often prepared for other investigators, attorneys or the opposing side. You may get the copies on CD-ROMs, tapes, or some other media. Even these copies will need to be analyzed by an experienced professional.
Forensically sterile conditions are established. All media utilized during the examination process is freshly prepared, completely wiped of non-essential data, scanned for viruses and verified before use. The original computer is physically examined. A specific description of the hardware is made and noted. Comments are made indicating anything unusual found during the physical examination of the computer. Hardware/software or other precautions are taken during any copying or access to the original media to prevent the transference of viruses, destructive programs, or other inadvertent writes to/from the original media. We recognize that because of hardware and operating system limitations and other circumstances, this may not always be possible. The internal clock is checked and the correctness of the date and time is noted. The time and date of the internal clock are frequently very important in establishing file creation or modification dates and times. The original media is not norm
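The checks described above (wiped target media, a mirror image that matches the original, and an original left unaltered) can be expressed as an added Python example that is not part of the original page. It assumes SHA-256 hashing as the verification method, which the page does not name, and uses constructed temporary files in place of real devices; opening a file read-only is not a substitute for a hardware write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large media fit in memory

def is_sterile(path):
    """Return True only if every byte of the target is zero (freshly wiped)."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True

def sha256_of(path):
    """Hash a file or device node, opened read-only."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            h.update(chunk)
    return h.hexdigest()

def acquire(source, image):
    """Copy source to image block by block; return (source_hash, image_hash)."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        while chunk := src.read(CHUNK):
            h.update(chunk)          # hash exactly the bytes that were read
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())       # make sure the copy reached the media
    return h.hexdigest(), sha256_of(image)  # re-read the copy to verify it

def demo():
    """Run the workflow on constructed sample data (hypothetical file names)."""
    with tempfile.TemporaryDirectory() as d:
        source, image = os.path.join(d, "original.dd"), os.path.join(d, "mirror.dd")
        with open(source, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE EVIDENCE" + bytes(4096))
        with open(image, "wb") as f:
            f.write(bytes(8192))     # stands in for a wiped target disk
        sterile = is_sterile(image)
        before = sha256_of(source)
        src_hash, img_hash = acquire(source, image)
        unaltered = sha256_of(source) == before  # original unchanged by copying
        with open(image, "r+b") as f:            # simulate a later change to the copy
            f.seek(10)
            f.write(b"X")
        detected = sha256_of(image) != src_hash
        return sterile, src_hash == img_hash, unaltered, detected

if __name__ == "__main__":
    print(demo())
```

Recording the hash in the examiner's notes at acquisition time lets every later copy of the mirror image be checked against the same value.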