Dos and Don'ts of Forensic Computer Investigations

Opinion: When "something bad" happens, IT staffs can be called upon to search for possible evidence lurking on a user's desktop, notebook or even PDA. David Coursey says decisions made early in an investigation, or even before it be

Investigating the contents of someone's system, files and e-mail is a serious thing, not to be taken lightly. IT professionals who are unprepared for the techniques and challenges of conducting a forensic computer investigation can easily ruin the suspect's data and make a case impossible to prosecute. They might even find themselves the subject of an investigation, followed by a lawsuit filed by the target of the original investigation.

Earlier this week I was talking with John Colbert, president and CEO of Guidance Software, a publisher of tools and provider of professional services used in computer investigations. Colbert is an ex-cop with long experience in computer-related crime who joined Guidance five years ago. Before recently becoming president and CEO, he ran the company's professional services group.

I learned a great deal from our conversation, and my hope is this series of two columns will keep IT staffers with no investigative experience out of trouble and perhaps inspire some to further study in this fascinating area of computer science.


Colbert told me the story of a well-meaning IT worker who was hired to investigate a computer as part of a divorce action. Using "standard" techniques, the investigator did find information relevant to the case, but in doing so rendered the hard drive inadmissible as evidence and destroyed information that had been deleted but was still recoverable with proper tools. The IT guy ended up being sued by the person who hired him for bungling the case.

While this was a divorce case, it might as easily have been an internal corporate investigation that unexpectedly turned up something requiring the attention of law enforcement. There is always the possibility of discovering a criminal act whenever an investigation has begun.

If you don't know anything about how to do a proper forensic investigation of a computer system, I want to offer one strong word of advice: don't. As in don't even power the machine on or off without the advice of a qualified forensics person. The usual set of IT disk utilities are worse than useless in an investigation—they'll actually destroy evidence and may make any evidence discovered inadmissible in court.

Fortunately, avoiding problems isn't terribly difficult once you are aware they exist. Even a few hours of forensics training can teach an IT staffer how to copy information without altering the original, a necessary step in any investigation.
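As an added illustration of the "copy without altering the original" step (example code, not from the column or from Guidance Software), the script below acquires a bit-for-bit image of a source, hashes the stream as it is read, then re-hashes both the original and the image so that any change to either is detected. The source is a constructed sample file standing in for a device; the file names and the `demo()` helper are assumptions for this example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB pieces so large media never loads into RAM


def sha256_file(path):
    """Hash a file read-only, chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(source_path, image_path):
    """Copy source to image while hashing the stream, then re-hash both.

    Opening the source read-only keeps this script from writing to it,
    but it does not stop the OS from touching a mounted volume; a hardware
    write blocker is what actually guarantees the original is untouched.
    """
    stream = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            stream.update(chunk)
            dst.write(chunk)
    acquired = stream.hexdigest()
    source_after = sha256_file(source_path)   # original unchanged?
    image_hash = sha256_file(image_path)      # copy faithful?
    return {
        "acquired_sha256": acquired,
        "verified": acquired == source_after == image_hash,
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
    }


def demo():
    """Constructed sample: image a fake device, then show tampering is caught."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "evidence.bin"), os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))
        record = image_and_verify(src, img)
        with open(img, "r+b") as f:  # simulate a later, unlogged edit to the copy
            f.seek(CHUNK); f.write(b"X")
        still_matches = sha256_file(img) == record["acquired_sha256"]
        return record["verified"], still_matches
```

Working from the verified image, with the original's hash recorded in the case notes, lets the original stay sealed for the rest of the investigation.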



Colbert and I talked about this for more than an hour. We covered so much ground that I realized my notes didn't really capture the information I wanted to present. So I asked him to create a set of bullet points that could help an IT staff stay out of trouble.

In response, Colbert sent me a document outlining seven guidelines and seven practices for IT staffs faced with the need for an investigation. In this column, I'll present the guidelines.
