Computer Forensics
Evidence Tracking

The main function of any computer forensics professional is to track evidence that can be legally produced before a court of law. Evidence tracking can be based on examining and observing physical locations as well as on a thorough examination of data or information. Field experience always differs from the theoretical procedures, and the procedures that are required, or that can be followed, depend more or less on the situation encountered.

Evidence tracking usually starts with observation of the physical location of the crime scene: where the computer system is located and how it can be accessed. The physical location here is the address where the crime was committed, although the term may also be used for a physical memory location. The first step is to carefully observe and examine the area near the computer system. The keyboard, mouse and any other peripherals can be subjected to DNA fingerprinting. Moreover, the hard disk drive, as the secondary memory device, and the operating system files are studied in detail. Whether the machine is a single system or a networked PC also matters.

Places where evidence can be easily collected should also be examined. Some of the places that need the attention of the computer forensics team are the following. The first is the computer system itself. Next is the phone set. The network connections and the number of systems connected to them also matter in the investigation. External sources should also be examined in great detail. Any server present in the network, and its relation to the victim computer system, should be studied and analyzed.
The computer forensics expert needs to visualize himself in the footsteps of the criminal who might have committed the crime. For that time, the forensics expert in effect needs to commit the crime. Components such as fax machines, modems and all other peripherals that may have some link with the computer should be analyzed. The main part of the analysis then starts with a study of the internals of the computer system, mainly software such as the operating system and its associated log files. Many files used by the operating system can provide vital evidence for the forensics expert. If such files have been deleted, the deleted data recovery process should be initiated to recover them. Efforts should be made to analyze and collect the evidence from the undeleted files.

Some examples of files that can be used effectively as evidence are the following. The major evidence can be collected from the log files that are generated each time an event occurs due to an action by the user. These files may sometimes store encrypted information, which should be decrypted. Next in line are the temp (temporary) files and the cookies. The importance of slack space files and swap files should not be ruled out either. The cache can also prove to be important evidence. Usually some sort of tool kit is used for the analysis of evidence.
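The file categories listed above, as an added example that is not part of the original page: a Python inventory that walks an evidence directory, sorts files into log, temp, cookie, swap and cache, and records a SHA-256 hash, modification time and file-slack estimate for each. The name patterns and the 4096-byte cluster size are assumptions to adjust for the system under examination.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CLUSTER_SIZE = 4096  # assumption: bytes per cluster; take the real value from the volume

def classify(rel):
    """Map a path relative to the evidence root to one of the article's file categories."""
    name = rel.name.lower()
    dirs = {d.lower() for d in rel.parts[:-1]}
    if name in ("pagefile.sys", "swapfile.sys", "swapfile"):  # assumed swap file names
        return "swap"
    if "cookie" in name or "cookies" in dirs:
        return "cookie"
    if name.endswith((".log", ".evtx")):
        return "log"
    if name.endswith((".tmp", ".temp")) or dirs & {"temp", "tmp"}:
        return "temp"
    return "cache" if "cache" in dirs else None

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte swap file never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory(root, cluster_size=CLUSTER_SIZE):
    """Return one record per candidate evidence file under root, sorted by path."""
    root, rows = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        rel = path.relative_to(root)
        category = classify(rel)
        if category is None:
            continue
        st = path.stat()
        rows.append({
            "path": rel.as_posix(), "category": category, "size": st.st_size,
            "slack_bytes": (-st.st_size) % cluster_size,  # unused tail of the last cluster
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            "sha256": sha256_file(path),
        })
    return rows

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample, not real evidence
        (Path(tmp) / "auth.log").write_bytes(b"login ok\n")
        print(inventory(tmp))
```

Run it against a read-only mount of a forensic image so that reading the files does not alter their timestamps.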
Copyright © 2006 ComputerForensics1. All Rights Reserved. www.computerforensics1.com