Computer Evidence Defined
Since the invention of the personal computer in 1981, new computer technologies have provided unintended benefits to criminals in the commission of both traditional crimes and computer crimes. Today, computers are used in every facet of life to create messages, compute profits, transfer funds, access bank accounts and browse the Internet for good and bad purposes. Notebook computers provide computer users with the benefits of portability as well as remote access to computer networks. Computer users today have the benefits of supercomputer speeds and fast Internet communications on a worldwide basis. Computers have increased productivity in business, but they also increase the likelihood of company policy abuses, government security breaches and criminal activity.
In the past, documentary evidence was primarily limited to paper documents. Copies were made with carbon paper or through the use of a photocopy machine. Most documents today are stored on computer hard disk drives, floppy diskettes, zip disks and other types of removable computer storage media. This is where potential computer evidence may reside, and it is up to the computer forensics specialist to find it using sophisticated computer forensics tools and computer evidence processing methodologies. Paper documents are no longer considered the best evidence.
Computer evidence is unique when compared with other forms of 'documentary evidence.' Unlike paper documentation, computer evidence is fragile, and a copy of a document stored in a computer file is identical to the original. The legal 'best evidence' rules change when it comes to the processing of computer evidence. Another unique aspect of computer evidence is the potential for unauthorized copies to be made of important computer files without leaving behind a trace that the copy was made. This situation creates problems concerning the investigation of the theft of trade secrets, e.g., client lists, research materials, computer-aided design files, formulas, and proprietary software.
Industrial espionage is alive and well in the cyber age and the computer forensics specialist relies upon computer evidence to prove the theft of trade secrets. Sometimes, the unauthorized copying of proprietary files can also be documented through the analysis of ambient computer data. The existence of this type of computer evidence is typically not known to the computer user and the element of surprise can provide the computer forensics investigator with the advantage in the interview of suspects in such cases. Because of the unique features associated with computer evidence, special knowledge is required by the computer forensics specialist and the lawyers who may be relying upon the computer evidence to support their position in civil or criminal litigation. All of these issues are covered in NTI's 5 Day Computer Forensics Training Course.
Computer evidence is relied upon more and more in criminal and civil litigation actions. It was computer evidence that helped identify the now infamous 'Blue Dress' in the Clinton impeachment hearings. Oliver North got into some of his trouble with the U.S. Congress when erased computer files were recovered as computer evidence. Computer evidence is also used to identify Internet account abuses. In the past, much wasted government and company staff time was attributed to the playing of the Windows Solitaire game on company time. Thanks to the popularity of the Internet, Windows Solitaire has taken a back seat to unauthorized browsing of pornography web sites by employees. Internet access by employees has also created new problems associated with employees operating side businesses through the unauthorized use of company and government Internet accounts. These types of problems are becoming more frequent as more businesses and government agencies provide employees with Internet accounts. Computer forensics tools and methodologies are used to identify and document computer evidence associated with these types of computer abuses and activities.
Computer evidence is unique in other ways as well. Most individuals think that computer evidence is limited to data stored just in computer files. Most of the relevant computer evidence is found in unusual locations that are usually unknown to the computer users. Computer evidence can exist in many forms. On Microsoft Windows and Windows NT-based computer systems, large quantities of evidence can be found in the Windows swap file. On Windows NT-based computer systems the swap file is called the Page File and is named PAGEFILE.SYS by the operating system.
Computer evidence can also be found in file slack and in unallocated file space. These unique forms of computer data fall into a category of data called ambient computer data. As much as 50% of the computer hard disk drive may contain such data types in the form of e-mail fragments, word processing fragments, directory tree snapshots and potentially almost anything that has occurred in past work sessions on the subject computer. Ambient computer data can be a valuable source of computer evidence because of the potentially large volume of data involved and because its creation is transparent to the computer user.
Timelines of computer usage and file accesses can be valuable sources of computer evidence. The times and dates when files were created, last accessed and/or modified can make or break a case. NTI covers these issues in its 5 Day Computer Forensics Training Course. Students also leave our training course with a computer forensic tool that creates computer usage timelines.
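As an added illustration of the file-timestamp timeline described above (this is not NTI's tool or code from this page), the following Python sketch walks a directory tree and merges each file's modified, accessed and changed/created times into one chronological list. The function names and the two sample files are assumptions constructed for the example.

```python
import os
import tempfile
from datetime import datetime, timezone

def collect_events(root):
    """Return sorted (timestamp, kind, path) tuples for every file under root."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            events.append((st.st_mtime, "modified", path))
            events.append((st.st_atime, "accessed", path))
            # st_ctime is creation time on Windows, metadata-change time on Unix.
            events.append((st.st_ctime, "changed", path))
    return sorted(events)

def format_timeline(events):
    """Render events as UTC lines, oldest first."""
    lines = []
    for ts, kind, path in events:
        stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
        lines.append(f"{stamp}  {kind:<8}  {path}")
    return lines

def build_sample(root):
    """Create constructed sample files with fixed (access, modify) times."""
    samples = {
        "client_list.txt": (1_000_003_600, 1_000_000_000),
        "design.dwg": (1_000_007_200, 1_000_001_800),
    }
    for name, (atime, mtime) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.utime(path, (atime, mtime))

if __name__ == "__main__":
    # In casework, point collect_events at a read-only mount of a forensic
    # copy: examining a live volume can itself alter the timestamps.
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print("\n".join(format_timeline(collect_events(root))))
```

Timestamps are rendered in UTC so that events from systems in different time zones line up on one axis.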

