Top forensic tips

It’s not uncommon for us to conduct a forensic investigation only to discover that the requesting organisation has inadvertently destroyed or altered the evidence it was hoping to rely on. Well-intentioned actions by staff inexperienced in handling evidence can result in a situation where there is very little relevant data left to analyse. While each case is unique, we’ve produced the lists below advising on general best practice which, if followed, will help us to help you.

Top 10 IT forensic dos

1. Secure the device so that no unauthorised person has access to it

2. If the device is off, leave it off

3. If the device is on, leave it on

4. If the device is on, unplug any network cable and turn off Wi-Fi and/or Bluetooth connections

5. If this is not possible, pull the plug (shut down if a server) or remove the battery

6. Do not inform anyone that an investigation is underway unless necessary

7. Make notes of people involved, allegations, evidence, dates and times, etc.

8. Gather any item which you have legal access to that may contain evidence; e.g., USB drives, CDs, paperwork, laptops, cameras, etc.

9. If possible, do not tell the subject that they are under investigation

10. Seek the advice of a computer forensic company on further steps for analysing the data

Top 10 IT forensic don’ts

1. Don’t be tempted to ‘have a look’ or operate the device at all

2. Don’t use your IT department unless they are familiar with electronic evidence handling

3. Don’t use your IT department unless they are familiar with legal admissibility standards

4. Don’t delay; the sooner you respond the better the chance of preserving evidence

5. Don’t arouse suspicion; don’t tell anyone about the investigation unless necessary

6. Don’t ignore your HR department in this process; they can advise on legal matters

7. Don’t guess about best actions; if in doubt call a computer forensic company

8. Don’t hesitate in contacting the police if you think a crime may have been committed

9. Don’t be tempted to destroy any data; this can usually be traced and has serious legal consequences

10. Do not run anything on the computer or do anything which may modify it in any way

The above lists are generic advice and may not necessarily be appropriate in your situation. For tailored advice, call 020 7193 3324.