If you try to look at your disk without the proper tools, training or documentation, you will change timestamps on files and jeopardize a possible legal action.
Evidence can be found in files, metadata, slack space, hidden files, deleted files, file fragments,
web mail and swap files. Special tools are needed to find evidence in these areas.
A trained, independent party can provide an objective point of view. An in-house examiner may have divided loyalties.
Top mistakes people make:
- Starting up the computer - this can trample on evidence by changing timestamps
- Continuing to work on the computer - this too can obliterate evidence
- Letting the IT department figure it out - they may not have the necessary tools, training, knowledge, or independence
- Not securing the computer - you need to restrict access to it
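The list above states that booting or working on the machine changes timestamps and destroys evidence. The following script is an added example, not part of the original page, showing the defensive side of that point: an examiner records a baseline (size, modification time, access time and SHA-256 digest) of copied evidence files before anyone touches them, and any later snapshot is compared against it so that even a "harmless" read or a single appended line is detected. The directory layout, file names and the assumption that evidence has already been copied into a working directory are constructed for the demonstration; on a real system atime behaviour depends on mount options (relatime, noatime), which is why the demo pins the access-time change explicitly.

```python
"""Evidence baseline and tamper check (added example, not from the original page).

Assumptions (not stated on the page): evidence files have been copied into a
working directory, a baseline of their metadata and SHA-256 digests is recorded
before anyone interacts with them, and later snapshots are diffed against it.
"""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Record size, mtime, atime and content digest for every file under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            result[rel] = {
                "size": st.st_size,
                "mtime": st.st_mtime,
                "atime": st.st_atime,
                "sha256": sha256_of(full),
            }
    return result


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Return (file, field) pairs that differ from the baseline, plus added/removed files."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            changes.append((rel, "removed"))
        elif rel not in baseline:
            changes.append((rel, "added"))
        else:
            for field in ("size", "mtime", "atime", "sha256"):
                if baseline[rel][field] != current[rel][field]:
                    changes.append((rel, field))
    return changes


def demo_detect_tampering() -> list:
    """Build a constructed evidence directory, baseline it, then simulate the
    'continuing to work on the computer' mistake and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        doc = os.path.join(root, "report.txt")
        log = os.path.join(root, "app.log")
        with open(doc, "w") as f:
            f.write("constructed sample document\n")
        with open(log, "w") as f:
            f.write("constructed sample log line\n")
        # Pin timestamps so the baseline is deterministic across runs.
        os.utime(doc, (1_600_000_000, 1_600_000_000))
        os.utime(log, (1_600_000_000, 1_600_000_000))
        baseline = snapshot(root)

        # Simulated user activity: one file is edited (size, mtime and digest
        # change), the other is only "read". A real read may or may not bump
        # atime depending on mount options, so the atime bump is applied
        # explicitly here to show what the check reports when it happens.
        with open(doc, "a") as f:
            f.write("user kept working and appended a line\n")
        os.utime(log, (1_600_000_500, 1_600_000_000))
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for rel, what in demo_detect_tampering():
        print(f"{rel}: {what} differs from baseline")
```

The baseline should be written to a separate, access-controlled location (and itself hashed or signed) as soon as the evidence is copied; a later snapshot that reports no changes is what supports the claim that the copy was not altered during examination.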