Just turning a computer on (or off) can cause immense damage to evidence on the machine. Windows "touches" hundreds of files on every startup or shutdown, and even more files are affected when disk tools such as a defragmenter are run.
If a computer contains critical information needed in an investigation we recommend:
1) If it is OFF, do not turn the machine on. Seal the power connector on a desktop, or seal a laptop closed, using a paper seal that will show tampering. Lock the computer in a protected area.
2) If it is ON, just pull the plug on the PC. Other considerations may apply if the machine is business-critical, or if leaving it on the network would allow live diagnosis of an intrusion.
Often system administrators will suggest using Symantec's Ghost program to copy a critical hard disk. Don't do it!
Unless it is configured exactly right, Ghost writes to the drive being copied. This seriously corrupts the evidence on the original hard drive, and it can be a big setback in any criminal or civil proceeding.
When we testified in the murder trial of Robert Durall it was necessary to explain to the jury why 9000 files on a critical hard drive were altered by a well-meaning technician using Ghost.
P.S. After our testimony the jury took only 2 hours to convict Durall. He will be out of prison in 2046.
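The check an examiner runs around any imaging step, as an added Python example that is not from the original page: the source is hashed before and after the copy and the image is hashed too, so a tool that writes to the evidence drive (the Ghost behaviour described above) is flagged on the spot. `careless_copy` is a constructed stand-in for such a tool, and the evidence "drive" is a temporary file built inline.

```python
import hashlib
import os
import tempfile
from typing import Callable

CHUNK = 1024 * 1024  # 1 MiB blocks, like dd bs=1M

def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large images do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def readonly_copy(src: str, dst: str) -> None:
    """Bit-for-bit copy; the source is opened read-only and cannot be changed."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        for block in iter(lambda: s.read(CHUNK), b""):
            d.write(block)

def careless_copy(src: str, dst: str) -> None:
    """Constructed stand-in for a tool that copies correctly but also writes a
    marker byte back to the evidence drive (the page's Ghost scenario)."""
    readonly_copy(src, dst)
    with open(src, "r+b") as s:  # r+b positions at offset 0
        s.write(b"\x01")

def image_and_verify(src: str, dst: str, copier: Callable[[str, str], None]) -> dict:
    """Hash source, image it, re-hash source and image; report both checks."""
    before = sha256_file(src)
    copier(src, dst)
    after = sha256_file(src)
    image = sha256_file(dst)
    return {
        "source_unaltered": before == after,  # False => evidence was written to
        "image_matches": image == before,     # True => image equals original
        "before": before, "after": after, "image": image,
    }

def run_demo(copier: Callable[[str, str], None]) -> dict:
    """Build a constructed evidence 'drive' (2 MiB pattern plus an odd-length
    tail that is not a CHUNK multiple) and image it with the given copier."""
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "evidence.raw"), os.path.join(d, "evidence.dd")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 8192)
        f.write(b"partial last sector")
    return image_and_verify(src, dst, copier)
```

`run_demo(readonly_copy)` reports both checks passing; `run_demo(careless_copy)` reports `source_unaltered` as False, which is the finding that would have to be explained to a jury.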