can run and evaluate the software retrieved from the seized computer.
Flexibility is the name of the game when you create a computer system that will process computer evidence. You must prepare to deal with the seizure of a variety of computer systems and equipment configurations. As a result, it is wise to equip your processing computer with multiple floppy disk drives, a color SVGA monitor and plenty of external storage capacity to supplement the onboard hard disk drives. Opinions may vary, but I recommend the following hardware configuration as a minimum system for use in computer evidence processing:
* Pentium 133MHz or equivalent
tower desktop computer
* SVGA 14-inch color monitor
* Two 5GB hard-disk drives
* One Iomega Zip disk drive
* One SyQuest SyJet (or Iomega
Jazz) disk drive
* One 5.25-inch, 1.2MB floppy disk drive
* One 3.5-inch, 1.44MB floppy disk drive
* One CD-ROM (8x recommended)
* One Uninterruptible Power Supply (UPS)
* One laser printer (6 pages per
The recommended system should meet the computer-evidence needs of most small- to medium-size law enforcement agencies. As stated, this is the minimum system configuration and it should be supplemented with an adequate supply of floppy disks and storage cartridges, e.g. Zip disks. Further, I strongly recommend the use of a second law enforcement notebook computer for documentation purposes. When the processing computer is used to document findings, there is a potential for parts of the text in the reports to "cross pollinate" the backup copies of the evidence. The potential of a memory dump into file slack is the culprit. By using a separate computer to document findings, this potential problem is eliminated. Inexpensive notebook computers can be purchased for under $1,000 and may come in handy for other tasks in the department as well.
The Forensic Computer Setup
Computer evidence processing can't begin without forensic software tools. The recommended tool kit should include the following:
* MS DOS 6.22 (DOS 7.0 is not recommended) Disk Mgt. Software to take full advantage of large hard disks under DOS Norton Disk Edit
* A bit stream backup utility (SafeBack
by Sydex is recommended)
* A virus scanning utility
* A DOS shell utility with file view
* Password recovery utilities (Access
Data's utilities are recommended)
* A text search utility
* Other specialized disk utilities
Please be aware that the capacity of hard-disk drives increase continually. Normally, forensic processing is performed under DOS rather than Windows, to avoid overwriting potential evidence in the form of erased files. However, DOS will not access huge hard-disk drives without disk management software. For this purpose, OnTrack Data Recovery offers a disk utility that is inexpensive and can be purchased via their Internet Web site at
The purchase of computer components and forensic software is a step in the right direction for most law enforcement agencies who desire to begin dealing with computer evidence issues.
Michael R. Anderson, who retired from the IRS's Criminal Investigation Division in 1996, is internationally recognized in the fields of forensic computer science and artificial intelligence. Anderson pioneered the development of federal and international training courses that have evolved into the standards used by law enforcement agencies worldwide in the processing of computer evidence.
He also authored software applications used by law enforcement agencies in 16 countries to process evidence and to aid in the prevention of computer theft. He continues to provide software free of charge to law enforcement and the military. He is currently a consultant. P.O. Box 929 Gresham, OR 97030. E-mail