Using Computers as Objects of Evidence in Corporate Investigations

[Editor's note: The following article is excerpted with permission from chapter 22 of the third edition of The Process of Investigation: Concepts and Strategies for Investigators in the Private Sector, published by Butterworth-Heinemann, and authored by Charles Sennewald and John Tsukayama. The book is useful as a reference guide, though the clarity and readability of the book make it a useful self-study text for any security director or corporate investigator looking to hone his or her skillset.]

The computer can be both the means of committing crimes and the “location” where crimes occur (such as in a computer intrusion or denial-of-service attack). Accordingly, computers have become a new type of crime scene that requires as much care to process for evidence as the location of any high-profile homicide or bombing scene. In some ways, even more care must be taken than in traditional crime scenes because of the extremely fragile and ephemeral nature of digital evidence.

Additionally, computers are often the high-tech equivalent of a filing cabinet used by criminals to store information that, to an investigator, can turn into proof of numerous misdeeds including the distribution of child pornography, embezzlement, narcotics trafficking, money laundering, identity theft, sexual harassment, or the theft of trade secrets, to name a few. Such evidence can even be used to prove the selling of a nation’s secrets by its own senior counter-intelligence operatives, as in the case of the Central Intelligence Agency’s Aldrich Ames.

Specialized Techniques

The techniques for obtaining digital evidence are commonly not fully appreciated by either investigative or computer professionals. On the one hand, an investigator may believe that once a computer file has been deleted it is beyond retrieval. On the other hand, a computer analyst may pay little heed to the manner in which he resurrects that same file and in doing so can utterly destroy its usefulness as a piece of evidence in courts or quasi-judicial proceedings. As a result of the problems caused by this lack of understanding, very painstaking methods have been developed by the law enforcement community. Specialized forensic analysis software has been written both to cull information from suspect computers and to survive legal challenges to the information’s reliability and authenticity.

Seizing Computer Evidence
