Phases Of Evidence Recovery

06:00 - Thursday 22 July 2004 by Humphrey Cheung
Source: Tom's Hardware

There are three phases in recovering computer evidence: Acquisition, Analysis and Reporting. All three must be performed using the proper methodology or else any resulting court case may be thrown out.

Acquisition involves transferring the data from the storage medium (floppies, USB pen drives, hard drives, etc.) to the examining computer. Investigators must make sure that the computer does not write to the original storage medium. Investigators must also verify that the transferred data matches the stored data.

After the data is on the examining computer, the investigator must analyze the contents for specific files, emails, or other clues. Here software can be used to recover deleted emails, decrypt files and find keywords in documents. Given the large sizes of modern hard drives, fast and easy-to-use tools are a must for data analysis.

When the evidence is ready to be given to legal professionals, a report must be made. A report simply documents all the evidence collected and gives reasons why it is relevant to the case.
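The acquisition checks described above (original not altered, copy identical to the original) can be expressed as hash comparisons whose results go into the report. The following is an added example, not code from the article or from any vendor it mentions; it assumes the medium is readable as a file path, and the function names, file names and sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large media never has to fit in memory


def sha256_of(path):
    """Hash a file or device node, opened read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image):
    """Copy source to image and return a record proving both still match."""
    before = sha256_of(source)  # state of the original before copying
    copied = hashlib.sha256()   # hash of the bytes as they are transferred
    with open(source, "rb") as src, open(image, "xb") as dst:  # "xb" refuses to overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            copied.update(block)
    stored = sha256_of(image)   # image re-read from the examining computer
    return {
        "bytes": os.path.getsize(image),
        "source_sha256": before,
        "image_sha256": stored,
        "source_unchanged": sha256_of(source) == before,
        "image_matches": before == copied.hexdigest() == stored,
    }


def demo():
    # Constructed stand-in for a storage medium, created in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        medium, image = os.path.join(tmp, "medium.bin"), os.path.join(tmp, "image.dd")
        with open(medium, "wb") as fh:
            fh.write(b"constructed sample sector " * 4096)
        record = acquire(medium, image)
        with open(image, "r+b") as fh:  # damage one byte of the copy
            fh.seek(100)
            fh.write(b"\x00")
        record["damage_detected"] = sha256_of(image) != record["source_sha256"]
        return record


if __name__ == "__main__":
    print(demo())
```

Opening the source read-only in software does not by itself stop the operating system from writing to a mounted medium, so the hash taken after copying is what shows the original was left unchanged.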

Who Should Worry About Computer Evidence?

Businesses

Various state and federal laws may require that a company be able to do computer forensic investigations. The Sarbanes-Oxley Act of 2002, which grew out of the Enron and Andersen Consulting scandals, mandates that corporations have a more stringent internal audit capability, which would include computer forensic investigations. Failure can result in fines of up to five million dollars or up to 20 years in prison.

Businesses often have old computers lying around with tons of confidential information. Overworked and largely ignorant IT staff may throw these computers away or give them to friends. This can lead to disaster, as important documents can be recovered from these computers. John Colbert, Senior Executive Vice President of Guidance Software, suggests that businesses keep the hard drive of any computer they give away.

Leased computers are becoming more popular in the business world. Similar to leasing cars, a business pays a monthly amount to use a computer and at the end of two years gives the computer back. The bad thing is that most of the lease agreements state that you CANNOT keep the hard drive.
