August 31, 1997 By Michael R. Anderson
Computers have also changed the world's view of evidence, because computers are used more and more as tools in the commission of "traditional" crimes. Embezzlements, theft, extortion and even murders are now committed with the aid of personal computers. This new technology twist in crime patterns has brought computer evidence to the forefront in law enforcement circles. Computer evidence concerns are not limited to computer crime specialists in the Federal Bureau of Investigation or United States Secret Service. Every law enforcement agency now has the potential of encountering computer evidence, and many are actively seeking training and information on the topic.
This article is intended to provide guidance and an awareness to law enforcement agencies that are just now beginning to explore the issues surrounding computer evidence. The article is not intended as a substitute for training. There is more than one way to skin a cat and this information is certainly not intended to be the only true way. However, the information should help law enforcement agencies get started in the right direction. It should also act as a refresher for those agencies that have experience in processing computer evidence.
Assume That Every Computer Has Been Rigged To Destroy Evidence
Computer evidence, by its nature, is extremely fragile and is easily modified. This situation is complicated by the fact that potential evidence exists in places of which many law enforcement officers are unaware. To make matters worse, computers can easily be rigged by the crooks to destroy evidence. Some refer to personal computers as a law enforcement nightmare and a crook's dream. Because of its fragile nature, the first and most important step in dealing with computer evidence involves the preservation of the "electronic crime scene." No law enforcement professional would allow evidence to be disturbed or destroyed at a traditional crime scene. The same is true of computer evidence. However, because the nature of the evidence is different, the rules change a bit.
When it comes to computer evidence, paranoia is a good personality trait to have. Don't operate a suspect computer until a complete backup has been made of all storage devices. Normal computer backups won't do -- a full bit stream backup is necessary, because a file-by-file backup captures only the allocated files and leaves behind slack space, unallocated space and the remnants of deleted files. In the bizarre world of computer evidence, you must always assume that things will go wrong. Once computer evidence has been destroyed or altered, it is unlikely that it can ever be reconstructed. What can go wrong surely will go wrong. Complete backups eliminate most of the potential problems.
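The following example, added here and not part of the original article, shows the difference the paragraph draws between a normal (file-level) backup and a bit stream backup. It builds a small constructed "device" file with one live file block and one block holding remnants of a deleted file, images the whole device byte for byte while hashing the stream, re-hashes the image to verify it, and shows that the deleted remnant survives in the bit stream image but not in the file-level copy. The toy allocation table and all file contents are constructed for the demonstration; the function and file names are the author's own choices.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096


def bitstream_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy every byte of source_path (a device node or raw file) to image_path,
    hashing the stream as it is read. Returns (bytes_copied, sha256_hex)."""
    digest = hashlib.sha256()
    copied = 0
    # Source is opened read-only; a suspect device must never be opened for writing.
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            digest.update(block)
            dst.write(block)
            copied += len(block)
    return copied, digest.hexdigest()


def sha256_file(path, block_size=BLOCK_SIZE):
    """Hash a file block by block so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(source_path, image_path):
    """Independently re-hash source and image; True only if every byte matches."""
    return sha256_file(source_path) == sha256_file(image_path)


def build_toy_device(path):
    """Write a constructed two-block 'disk' (sample data, not a real device):
    block 0 holds a live file, block 1 holds remnants of a deleted file.
    Returns a toy allocation table mapping file name -> (start_block, block_count)."""
    live = b"invoice 2041: paid in full".ljust(BLOCK_SIZE, b"\x00")
    remnant = b"DELETED: draft of the altered ledger".ljust(BLOCK_SIZE, b"\x00")
    with open(path, "wb") as f:
        f.write(live + remnant)
    return {"invoice.txt": (0, 1)}  # only block 0 belongs to a live file


def logical_backup(device_path, table, block_size=BLOCK_SIZE):
    """What a normal file-level backup captures: only the allocated file blocks."""
    out = {}
    with open(device_path, "rb") as f:
        for name, (start, count) in table.items():
            f.seek(start * block_size)
            out[name] = f.read(count * block_size)
    return out


def demo():
    """Image the toy device both ways and report what each copy preserved."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "suspect.raw")
        img = os.path.join(tmp, "suspect.dd")
        table = build_toy_device(dev)
        copied, stream_hash = bitstream_image(dev, img)
        files = logical_backup(dev, table)
        with open(img, "rb") as f:
            image_bytes = f.read()
        return {
            "bytes_copied": copied,
            "hash_matches": stream_hash == sha256_file(img),
            "image_verified": verify_image(dev, img),
            "remnant_in_image": b"DELETED" in image_bytes,
            "remnant_in_logical": any(b"DELETED" in data for data in files.values()),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Recording the hash computed while imaging and then re-hashing the finished image separately is what lets an examiner later show that the copy examined is identical to the original media; the file-level copy cannot make that claim, and, as the demo shows, it silently drops the deleted remnant.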
Law enforcement officials normally seize computers during the execution of a search warrant. Depending on the circumstances and scope of the search warrant involved, all computer hardware, software and manuals should be taken for evaluation as potential evidence. Some prosecutors may view this as overly broad. However, the ability to process and examine the evidence may be directly tied to special hardware, software and/or written instructions contained in manuals. Because computer technology changes so quickly, it may be impossible to obtain similar or outdated hardware or instruction manuals from other sources. Printers, tape drives, optical drives, hardware and software manuals should not be left behind. Also, pay particular attention to possible passwords that may have been written down near the computer. Encrypted files can cause you serious grief, and finding a password scrawled on a desk or on a calendar can help make your case.
More and more, corporations and government agencies are