What
is the first thing I should be doing if I suspect there to be evidence on a
computer?
The
first step in any case is to preserve the evidence at the earliest opportunity.
This means making a copy of the data to ensure that the best potential sources
of evidence are preserved to an evidentially high standard. International
standards dictate that, in order to achieve this, a process known as forensic
imaging must be conducted. This process ensures that every single
detail contained on a computer or storage device is preserved in a manner
that evidence can be subsequently extracted from it. The forensic image can
then be safely and securely stored leaving the original computer available
to be wiped and re-used.
