Computer evidence is data that is harvested from a computer hard drive and used in a criminal investigation. Because it is relatively easy to corrupt data stored on a hard drive, forensics experts go to great lengths to secure and protect computers that are seized as part of the investigative process. Extracting the data must take place under highly controlled circumstances, and must be accomplished by law enforcement professionals who are specifically trained in the process.
It is not unusual for computers to be collected whenever they are found at a crime scene. For example, when an individual is found murdered in his or her home, there is a good chance that any laptop or desktop computers found at the scene will be confiscated. Likewise, if an individual is arrested on suspicion of some type of fraud or embezzlement, his or her personal and work computers are likely to be collected for analysis by experts.
The process of looking for computer evidence begins with a thorough review of all files found on the hard drive. In order to accomplish this, the hard drive is carefully screened for any hidden or secured files that may not be readily apparent. Because hard drives save copies of files that are deleted from public directories, experts involved in the forensic investigation will seek to locate and extract files that were deleted. This is important, since there is a chance they would include data that could confirm guilt, or possibly provide proof that the individual arrested was not involved in the commission of the crime.
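The recovery of deleted files described above can be illustrated with signature-based carving, shown here as an added example that is not part of the original article. It assumes the deleted files are stored contiguously and handles only two formats; the function names and the sample image are constructed for illustration.

```python
import hashlib

# Start and end markers that identify a file type inside raw disk data.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return (kind, offset, data) for each header/footer pair found in a raw image."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Header with no footer: the content was partly overwritten.
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda item: item[1])

def summarise(image: bytes):
    """Describe each carved file by type, offset, size and SHA-256 digest."""
    return [
        {"kind": kind, "offset": offset, "size": len(data),
         "sha256": hashlib.sha256(data).hexdigest()}
        for kind, offset, data in carve(image)
    ]

def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space holding deleted files."""
    jpeg = b"\xff\xd8\xff\xe0" + b"constructed-photo-bytes" + b"\xff\xd9"
    pdf = b"%PDF-1.4\nconstructed ledger\n%%EOF"
    truncated = b"\xff\xd8\xff\xe0" + b"overwritten"  # footer is gone
    return (b"\x00" * 512 + jpeg + b"\x00" * 100 + pdf
            + b"\x00" * 64 + truncated + b"\x00" * 32)

if __name__ == "__main__":
    for entry in summarise(build_sample_image()):
        print(entry)
```

The carver works on a copy of the drive's contents held in memory, so the original data is never modified, and the digest recorded for each recovered file lets a later reviewer confirm it has not changed.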
Many different types of files may yield computer evidence that can aid in solving a crime. Visual images, emails, spreadsheets, and other common types of files can be encrypted and hidden in various caches on the hard drive. Experts know how to find these hidden caches, access them, and view their contents. Many operating systems automatically create copies of files and place them in hidden caches, and do so even when the files are deleted. This means that even if the criminal has taken steps to wipe incriminating evidence from the hard drive, there is a good chance that one or more of these hidden caches will be overlooked and can be extracted by law enforcement.
Collecting computer evidence is a highly skilled task that is usually conducted in specific steps. Once the computer is confiscated, it is transported to a secure site. Only a limited number of authorized individuals have access to the system while it is being mined for possible evidence. Because the mining and extraction are conducted under such stringent conditions, it is virtually impossible for the hard drive to be tampered with. This makes it possible for any evidence collected to be useful in the ongoing investigation.
The use of computer evidence in court has gained more acceptance in recent years. Concerns about tampering or damage to the evidence in years past sometimes led to restrictions on how much evidence collected from computers could bear on a given case. However, as law enforcement has enhanced its methods for preserving and protecting hard drives from possible contamination, more legal systems around the world are viewing computer evidence as fully admissible in a court of law.