A computer can be the target of the crime, it can be the instrument of the crime, or it can serve as an evidence repository storing valuable information about the crime. In some cases, the computer can have multiple roles. It can be the “smoking gun” serving as the instrument of the crime. It can also serve as a file cabinet storing critical evidence. So when investigating a case, it is important to know what roles the computer played in the crime and then tailor the investigative process to that particular role.
In most cases, the computer forensics specialist will take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system:
1. Protect the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction.
2. Discover all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
3. Recover all (or as much as possible) of discovered deleted files.
4. Reveal (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
5. Access (if possible and if legally appropriate) the contents of protected or encrypted files.
6. Analyze all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes but is not limited to what is called unallocated space on a disk (currently unused, but possibly the repository of previous data that is relevant evidence), as well as slack space in a file (the remnant area at the end of a file, in the last assigned disk cluster, that is unused by current file data but once again may be a possible site for previously created and relevant evidence).
7. Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data. Further, provide an opinion of the system layout; the file structures discovered; any discovered data and authorship information; any attempts to hide, delete, protect, or encrypt information; and anything else that has been discovered and appears to be relevant to the overall computer system examination.
8. Provide expert consultation and/or testimony as required.
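To make step 6 concrete, the following added example (not part of the original text) recovers remnant data from file slack and unallocated clusters on a small constructed volume. The 4096-byte cluster size, the file name, the allocation table layout, and the sample contents are all assumptions made for illustration.

```python
import re

CLUSTER = 4096  # assumed cluster size in bytes for this constructed volume

def build_sample_volume():
    """Constructed 4-cluster volume: an old file is deleted, then a shorter file reuses cluster 1."""
    vol = bytearray(4 * CLUSTER)
    old = (b"wire transfer to account 00-1234 " * 200)[:6000]  # old file spanned clusters 1-2
    vol[CLUSTER:CLUSTER + len(old)] = old
    new = b"grocery list: milk, eggs\n"                        # new file overwrites only the start
    vol[CLUSTER:CLUSTER + len(new)] = new
    # Hypothetical allocation table: file name -> (cluster chain, logical size in bytes)
    table = {"notes.txt": ([1], len(new))}
    return bytes(vol), table  # immutable bytes: the analysis cannot alter the image

def file_slack(image, chain, size, cluster=CLUSTER):
    """Return the bytes between the end of file data and the end of its last assigned cluster."""
    if not chain:
        return b""
    used_in_last = size - (len(chain) - 1) * cluster
    if not 0 <= used_in_last <= cluster:
        raise ValueError("file size does not match its cluster chain")
    start = chain[-1] * cluster + used_in_last
    return image[start:(chain[-1] + 1) * cluster]

def unallocated_clusters(image, table, cluster=CLUSTER):
    """Map each cluster index not claimed by any current file to its raw contents."""
    allocated = {c for chain, _ in table.values() for c in chain}
    return {i: image[i * cluster:(i + 1) * cluster]
            for i in range(len(image) // cluster) if i not in allocated}

def ascii_strings(data, min_len=8):
    """Extract runs of printable ASCII, the usual first pass over recovered raw bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

if __name__ == "__main__":
    image, table = build_sample_volume()
    chain, size = table["notes.txt"]
    slack = file_slack(image, chain, size)
    print(f"notes.txt: {size} bytes of data, {len(slack)} bytes of slack")
    for s in ascii_strings(slack):
        print("  slack remnant:", s[:60])
    for idx, raw in unallocated_clusters(image, table).items():
        for s in ascii_strings(raw):
            print(f"  unallocated cluster {idx}:", s[:60])
```

The current file occupies only a few bytes of its cluster, so the rest of that cluster and the whole of the freed cluster after it still hold the deleted file's contents.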