Securing the Computer Evidence

Securing the computer evidence is the process by which all information held on a computer is retrieved in order to aid an investigation. The term ‘computer’ in this context includes all computer media (for example: floppy diskettes, tapes, CD-ROMs, DVDs, and removable hard drives). Vogon can examine any computer regardless of operating system.

Examining a computer to discover exactly what data is stored on it is a time-consuming and painstaking process. It is important that the examination can be proved to have been performed thoroughly and in accordance with accepted ‘best practice’ procedures. Failure to do so could render any evidence of computer fraud or abuse unusable in subsequent proceedings.

The first principle of computer examination is to ensure that the original (also referred to as the ‘target’) computer is not altered by any of the examination processes. Additionally, it is necessary to treat target computers with great caution. They could contain viruses or logic bombs (booby traps) which alter the data contained on the hard disk.

Accessing the data on a computer
Vogon’s investigators ensure that the target computer is not altered in any way by booting (starting up) the computer safely, using proven methods. This ensures that if there are any viruses or logic bombs on the target computer, they will not be activated when the computer is turned on.

Types of data on a computer
Vogon’s highly sophisticated tools allow the investigators to thoroughly investigate all the data held on the target computer. In addition to the normal files on the computer we can find the following different types of data:

Deleted files: These are files which the user has deleted. In many cases our investigators can recover these files.
Password protected files: In a great many cases it is possible to remove the password from these files and thus gain access to their content.
Hidden files: These are files which are not usually visible using standard DOS and Windows programs.
Data in free space: Free space is hard disk space which is not currently in use. Data in free space may contain deleted or overwritten files.
Data in slack space: Slack space is the space within the last cluster allocated to a file which may not be wholly occupied by the file.
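
The slack-space definition above, worked through on a constructed toy volume. This is an added example, not Vogon's tooling; the 512-byte cluster size, the cluster chain and the function names are assumptions made for illustration.

```python
CLUSTER_SIZE = 512  # assumed cluster size for this toy volume


def slack_region(file_size, cluster_chain, cluster_size=CLUSTER_SIZE):
    """Return (last_cluster, offset_in_cluster, slack_length) for a file.

    Slack is the unused tail of the last cluster allocated to the file.
    """
    if not cluster_chain:
        return None  # a file with no allocated clusters has no slack
    allocated = len(cluster_chain) * cluster_size
    # The size must reach into the last cluster without exceeding the chain.
    if file_size > allocated or file_size <= allocated - cluster_size:
        raise ValueError("file size inconsistent with cluster chain")
    used_in_last = file_size - (len(cluster_chain) - 1) * cluster_size
    return cluster_chain[-1], used_in_last, cluster_size - used_in_last


def read_slack(image, file_size, cluster_chain, cluster_size=CLUSTER_SIZE):
    """Copy the slack bytes of one file out of an image buffer.

    The image is only read, never written, in line with the principle
    that the examination must not alter the target.
    """
    region = slack_region(file_size, cluster_chain, cluster_size)
    if region is None:
        return b""
    cluster_no, offset, length = region
    start = cluster_no * cluster_size + offset
    return bytes(image[start:start + length])


def build_demo_image():
    """Constructed 4-cluster volume in which cluster 2 held an older file."""
    image = bytearray(4 * CLUSTER_SIZE)
    old = b"OLD-LEDGER " * 40  # 440 bytes of an earlier, deleted file
    image[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + len(old)] = old
    # A new 600-byte file reuses clusters 1 and 2. Only the first 88 bytes
    # of cluster 2 are overwritten; the rest of the old data remains.
    new = b"N" * 600
    image[1 * CLUSTER_SIZE:2 * CLUSTER_SIZE] = new[:CLUSTER_SIZE]
    image[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + 88] = new[CLUSTER_SIZE:]
    return bytes(image), 600, [1, 2]


if __name__ == "__main__":
    img, size, chain = build_demo_image()
    print(slack_region(size, chain))
    print(read_slack(img, size, chain)[:33])
```

The new file is 600 bytes, yet its last cluster still carries 352 bytes of the earlier file that a normal directory listing or file open would never show.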
 

Extra information to be found on a computer
In addition to the different file types to be found, Vogon’s investigators can discover the dates and times that the target computer records when a file is created, modified, read and deleted. In many instances, computer examinations can also determine the author of a particular document or file or which user created a specific directory.

How Vogon can help
Vogon offers both laboratory and on-site services to secure computer evidence. Additional information about the securing of computer evidence is available on the range of expertise offered by Vogon, the techniques used to secure computer evidence, and the risks and pitfalls that must be avoided.

For immediate assistance please visit our emergency page for a list of contact phone numbers and an enquiry form. To discuss your future Computer Forensic or Computer Security requirements with one of our experienced investigators please contact us by letter, phone or email.

 

Copyright Vogon International Limited. All rights reserved.