Windows Forensics: The Field Guide for Corporate Computer Investigations

The most important aspect in the entire field of computer forensics is documentation. In addition to documenting one's own activities, the entire scene must be documented before processing of the scene can take place. All scene documentation is best done with a team of two individuals: one individual to perform any processing of the scene and a second individual solely responsible for documenting the evidence found. The documentation can be in a general computer forensics logbook, or in the case of larger investigations, a logbook dedicated to that specific investigation.

In addition to cataloging to provide a written record of all potential items of evidence, the scene itself should be photographed prior to any actions. If a forensic photographer is available, allow her to photograph the entire scene. If one is not available, the analyst may need to use a time-stamped camera, either digital or film. Start with a few shots of the entire scene for overall layout. Follow with close-ups of each piece of evidence. Note cards bent in half make nice, inexpensive labels for purposes of photographing evidence locations.

Even if a professional forensic photographer is available, the analyst might have to assist her in identifying what to photograph from a digital perspective. Items that require special attention in a computer investigation include:

• Computer screens. Photograph the current screen with a still camera with a high enough resolution to read text if necessary.

• Network connections. Any network or phone cables going to or from the computer should have close-up shots taken of them. Both ends of every cable should be photographed in the event that the analyst has to prove that a computer was connected to a specific network or phone line when he arrived.

• Peripheral connections. Connections to peripherals should likewise be shot in close-up for later reassembly and proof of connection.

When in doubt, take additional pictures. It is impossible to go back and do so later. After all, even the location of the mouse can prove significant; it may help to show that a left-handed person was the last user .