The Treatment of PCs

Up to this point, we have concentrated on the technical issues: on how computers work and their construction; on how information is stored; and, in particular, on how and where information can be hidden or inadvertently left on hard disk drives. This technical understanding gives us both the knowledge and the confidence that will enable us to find information of evidential value from a PC. However, unless we carry out the investigative processes in ways which guarantee the integrity of that evidence, it is unlikely to be admissible in court. We thus now need to concern ourselves with perhaps the most important part of all: the processes that we need to carry out and the practices that we need to observe in order to extract information from PCs and present it as admissible evidence in court. In this chapter we are going to consider the treatment of PCs and will be looking at the topics listed below: A guide to good practice The principles of computer-based evidence Search and seizure Intelligence, preparation and briefing At the search scene The operating dilemma Shutdown, seizure and transportation Computer examinations Physical disks and logical drives Interpreting partition tables Imaging and copying