IT forensics - Evidence preservation

Evidence Preservation

After securing the computer, a complete bit stream backup of all computer data (i.e. data image) needs to be made before it is reviewed or processed. Preservation of evidence is the primary element of all criminal investigations and computer evidence is certainly no exception. Evidence may reside at allocated files, file slack and erased files. A standard backup of a hard disk drive would eliminate the back up of file slack and erased file space. Without backing up evidence in these unique areas, the evidence is susceptible to damage and/or modification by the computer investigator. Bit stream backups (i.e. imaging) are much more thorough than standard backups as they involve the copying of every bit of data on a storage device.

When acquiring computer evidence, there may be only one chance to get it right. Our forensics experts are skillfully trained in using forensically sound techniques and equipments to image and acquire the fragile computer evidence. Tools utilised are recognised and accepted by most courts worldwide. When conducting a forensic investigation, special measures should be taken if it is desired for the results to be used in a court of law. One of our most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator and ultimately to the court. In order to comply with the need to maintain the integrity of digital evidence, we comply with the Association of Chief Police Officers (A.C.P.O.) guidelines.