Computer Forensic Case Study: Espionage, Part 1 Just Finding the File is Not Enough!

摘要

How critical is it for the computer crime investigator to show the operating capabilities of a suspect's computer or to prove how a specific file or document was used? Consider the following scenario for a newly trained computer forensic analyst: Having recently been trained in computer forensics and practicing your file recovery techniques for co-workers, you begin an investigation for a client where you can use all those hard-learned skills. You make an image of the suspect's drive, look for the incriminating document, and eureka! You find it, recently deleted,but easy to recover. You undelete the file (maybe feel a little guilty because it was so easy), announce your success, and write up the results for your case file. It may be a child porn picture, or a document with industrial secrets, but when you appear in court later, you lose the case because you haven't proven that the suspect's system was even capable of viewing the picture or editing or printing the document.