Computer Forensics
Do’s and Don’ts
So you’ve had a computer incident that may cause you some legal headaches? A computer breach where some of your intellectual property may have been compromised or taken? Your first step should be to talk with your legal counsel and retain a computer forensic examiner; however, to help preserve your evidence in the meantime, there are some general guidelines to adhere to:
- Time is very critical, since computer data can be altered and erased quickly.
- Do not disturb the computer in question. If the computer is off, leave it off and unplug the power cord to prevent accidental boots. Even turning a computer on/off can change the evidence on the computer.
- If the computer is on, leave it on – unless it’s running a destructive process.
- If the computer is not on, secure the computer. Move the computer to a secured area with controlled access where no one has access to the computer. It is important to maintain a proper chain of custody.
- Do not run any programs on a computer in question. Trying to open or view files on a Windows machine can alter or destroy evidence.
- Do not make any changes to the computer or storage device. Do not insert any removable media into the computer or device, like floppy disks, camera media cards, thumb drives, card readers, etc.
* Note: These are general guidelines. All computer incidents will have specific issues which may alter the circumstances under which these steps are implemented to preserve evidence. We cannot be held responsible for any damage or liability resulting from following any of these general guidelines.