The Three Rules of Computer Forensics


“The key to computer forensics is proper preservation done in a timely manner.”

Digital devices shape every aspect of our lives and have become a gold mine of evidence in legal matters. The proper collection, examination, and preservation of data are critical, because data may lose its admissibility as evidence in court if proper acquisition procedures are not followed. The experts at Data Specialist Group have compiled the three most important computer forensics rules to follow; they will save your organization time and money.

Rule #1 Use a Certified External Computer Forensics Vendor

IT experts will increasingly be called upon in court to validate the integrity of digital data. Many companies today offer computer forensic services, and their qualifications, or lack thereof, as digital experts may determine the outcome of your organization’s dispute. It is imperative that the individuals on the computer forensics team are trained and qualified, as electronic evidence is often critical to the outcome of a dispute.

The computer forensic team must be able to work across both the newest systems and older legacy systems. EnCase is a widely accepted computer forensic tool, but it must not be treated as the end-all, be-all. Providers certified in the use of just this one product are not certified computer forensics analysts. Most legal matters require data acquisition from UNIX, AS/400, Macintosh, and other legacy systems, and EnCase does not support these platforms. Qualifications across both the newest and older legacy systems allow the computer forensics team to act as expert witnesses in court on a client’s behalf.

Price is not an adequate metric of quality and service. The most expensive provider is not necessarily the best, and the least expensive is not necessarily the worst. The important factor to consider is whether the provider’s expertise allows them to act as expert witnesses in court.

Following the proper chain of custody and other accepted evidence-handling techniques determines whether data is admissible as evidence in court. Unless an organization’s internal IT staff is trained and qualified in the newest evidentiary techniques, any data collected will be just that—data. Not evidence. An organization also puts itself at risk of malpractice if it elects to use internal IT staff for an investigation, as a conflict of interest arises. Using a skilled and qualified computer forensics provider avoids all of these problems.

Rule #2 Collect a Sufficient Amount of Evidence Immediately

Delaying a computer forensics examination will significantly increase costs to a client and may damage their ability to win the litigation. The longer evidence has been allowed to degrade, the more time-consuming and costly the work will be for both the client and the computer forensics team. A common practice among attorneys is to delay expensive litigation support services until they are certain that these services will be needed. This practice reduces their client’s legal costs in the short term; however, due to the nature of electronic evidence, costs increase with time. The evidence that is needed degrades with continued computer use, leaving information that may be unrecoverable or extremely difficult to recover.

A complete forensic examination may cost three to four times more than a forensic acquisition. A forensic examination is a relatively complex and expensive process; forensic acquisition, on the other hand, is not. Acquisition uses a process called imaging, which creates an exact bit-by-bit copy of the data that cannot be altered at a later time: a snapshot of the system at a specific point in time. If there is any chance that evidence will be needed, forensic acquisition should be done immediately.
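The acquisition step described above, as an added example that is not part of the original article or of any vendor's tooling: a bit-for-bit copy of a source into an image file, with the source and the re-read image both hashed so the acquisition record can later prove the copy is unaltered. The source here is a constructed temporary file standing in for a disk; the file names and the JSON record layout are assumptions for illustration.

```python
"""Bit-for-bit acquisition with SHA-256 verification and an acquisition record.

Added illustration only. The "source" below is a constructed scratch file;
in real work the same code reads a block device through a write blocker."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # stream in 1 MiB chunks so large devices never sit in memory


def hash_file(path: str) -> str:
    """SHA-256 of a file read from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_source(source_path: str, image_path: str) -> dict:
    """Copy source to image byte-for-byte, hashing the source as it streams.

    The image is then re-read from disk and hashed independently, so a write
    error or a partial copy shows up as a mismatch rather than going unnoticed.
    Returns the acquisition record to be kept with the image (chain of custody)."""
    src_hash = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes are on disk before hashing
    image_hash = hash_file(image_path)
    os.chmod(image_path, 0o444)  # read-only: examination works on the image, never edits it
    return {
        "source": source_path,
        "image": image_path,
        "bytes": copied,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": src_hash.hexdigest() == image_hash,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def verify_image(record: dict) -> bool:
    """Re-check the image against the hash recorded at acquisition time.
    Run this before every examination and before handing the image over."""
    return hash_file(record["image"]) == record["image_sha256"]


def simulate_alteration(record: dict) -> None:
    """Demo helper: flip one byte of the image to show that verify_image
    catches any change, however small."""
    os.chmod(record["image"], 0o644)
    with open(record["image"], "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0x01]))
    os.chmod(record["image"], 0o444)


def demo() -> dict:
    """Acquire a constructed 3 MiB + 12345 byte source and write the record."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "source.bin")  # constructed stand-in for /dev/sdX
    image = os.path.join(workdir, "source.dd")
    pattern = bytes(range(256))
    size = 3 * CHUNK + 12345  # deliberately not a multiple of CHUNK
    with open(source, "wb") as f:
        f.write((pattern * (size // 256 + 1))[:size])
    record = image_source(source, image)
    with open(image + ".json", "w") as f:
        json.dump(record, f, indent=2)  # acquisition record travels with the image
    return record


if __name__ == "__main__":
    rec = demo()
    print(json.dumps(rec, indent=2))
    print("image still verifies:", verify_image(rec))
```

Two hashes are recorded on purpose: the source hash proves what was read, the image hash proves what was written, and their equality is the acquisition-time verification. Every later `verify_image` call compares against the stored image hash, which is what lets an examiner (or opposing counsel) confirm that the snapshot has not changed since acquisition.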

Rule #3 Become Proactive with Electronic Evidence Preservation

Electronic data is very fragile. Each time a computer is used, its metadata changes with it. Metadata is data that describes data, such as when a file was opened, modified, or deleted. It is critically important to preserve all of the data and to process only what is needed. If one limits the scope of forensic acquisition, crucial data may be left out, and what was left out cannot later be produced in court.
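To make the fragility of metadata concrete, here is an added example (not from the original article) that records a baseline manifest of a preserved file set, with each file's size, timestamps and content hash, and then classifies what changed between two manifests. The sample files, their names and the manifest layout are constructed for the demonstration.

```python
"""Metadata manifest and change detection for a preserved file set (added
illustration). A baseline taken when the duty to preserve begins lets you
later show exactly which files were modified, removed, added or merely read."""
import hashlib
import os
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Record stat metadata (nanosecond timestamps) and a content hash per file.

    stat() is taken before the file is hashed; the hash read itself can update
    the access time on a live system, which is exactly why real manifests are
    built from a write-protected image rather than from the original drive."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            manifest[os.path.relpath(full, root)] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "atime_ns": st.st_atime_ns,
                "ctime_ns": st.st_ctime_ns,
                "sha256": _sha256(full),
            }
    return manifest


def compare(before: dict, after: dict) -> dict:
    """Classify differences between a baseline manifest and a later one."""
    changes = {"modified": [], "accessed": [], "deleted": [], "added": []}
    for path, b in before.items():
        a = after.get(path)
        if a is None:
            changes["deleted"].append(path)
        elif (a["sha256"], a["size"], a["mtime_ns"]) != (b["sha256"], b["size"], b["mtime_ns"]):
            changes["modified"].append(path)
        elif a["atime_ns"] != b["atime_ns"]:
            changes["accessed"].append(path)  # content intact, but someone opened it
    changes["added"] = sorted(set(after) - set(before))
    return changes


def demo() -> dict:
    """Constructed scenario: baseline, then 'ordinary use' that should not have happened."""
    root = tempfile.mkdtemp()
    samples = {"memo.txt": b"meeting notes", "ledger.csv": b"a,b\n1,2\n", "old.log": b"x"}
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    baseline = snapshot(root)
    with open(os.path.join(root, "memo.txt"), "ab") as f:  # a user edits a document
        f.write(b" (revised)")
    os.remove(os.path.join(root, "old.log"))                # a log is rotated away
    with open(os.path.join(root, "new.docx"), "wb") as f:   # a new draft appears
        f.write(b"draft")
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The manifest is only as good as the moment it was taken: anything altered before the baseline is invisible to it, which is the practical reason the article insists on preserving everything first and narrowing the scope afterwards.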

All companies should be prepared to preserve electronic evidence. The duty to preserve electronic evidence begins when the future litigants have a reasonable belief that there will be litigation. Failure to preserve electronic evidence will be costly to a client. Many companies hire external counsel to advise them on the preservation of electronic evidence; however, counsel may not have the qualifications and skills necessary to actually preserve it. An organization must leverage its computer forensics vendor to prepare it to respond to an electronic preservation order in an efficient manner.


With the changing standards for the admissibility of highly technical electronic evidence, computer forensics experts and qualified IT professionals will increasingly be called upon in the court of law. In order to save your organization time and money, it is crucial to always: 1. Use a certified external computer forensics vendor, 2. Collect a sufficient amount of evidence immediately, and 3. Become proactive with electronic evidence preservation. By following these three rules, one can ensure the admissibility of one’s digital evidence in court.