Computer Forensics: Where to Find Electronic Evidence

By Linda Volonino, Reynaldo Anzaldua

Part of Computer Forensics For Dummies Cheat Sheet

If you’re working in computer forensics, knowing where to look for electronic evidence is critical. A computer forensics investigator seeks evidence in all the electronics on the following list:

Computer: Digital memories don’t forget anything. A hard drive is a goldmine for locating every file that was created, saved, downloaded, sent, or deleted to it or from it, including documents, e-mails, images, and financial records. You can find file content intact, as well as a lot of details about when the file was created, accessed, and edited, and you might even be able to find prior versions. In short, a hard drive is the perfect time machine.

Web site that was visited: Any digital device used to access the Internet can be searched for a listing of where on the Web a user has visited — and when. No one surfs anonymously.

PDA: A handheld device records a person’s life like no other device does. To find out the where, what, with whom, and how much of a person’s life, check his PDA.

MySpace, Facebook, or another social network: Full transcripts of private chats and postings in social networks are gaining on e-mail as the primary source of e-evidence. Note: These chatters chat a lot and don’t use punctuation or an easily recognizable language.

Cellphone or smart phone: As on a PDA, the information you can find on a user’s phone can be the e-evidence you need — or it can lead you toward other e-evidence. You can find detailed logs of incoming and outgoing messages and text messages; transcripts of text messages; address books; calendars; and more.

Chat room: Sadly, predators and other criminals hang out in chat rooms all over the world.

E-mail: Everything, no matter how incriminating or stupid, is sent and received by e-mail. In fact, nothing is subjected to searches more than e-mail is. It serves as truth serum, and, for exactly that reason, the notorious connection between e-mail and jail is usually ignored.

Any device that has memory: Digital cameras, iPods, flash drives, SIM cards — if it uses memory, it might have evidence.

GPS device: Tracking technology has already been used in high-profile court cases. To find a person’s whereabouts, check the GPS device.

Network or Internet service provider (ISP): An ISP is a fertile source of digital dirt and details. If bytes pass through it, each network device records it.