Risks and Pitfalls
The task of imaging a simple desktop PC may superficially seem quite trivial. However, for the data produced from the investigation to be of much use in a Court of Law, certain criteria must be met.

For example:

- Can you be sure that you haven’t changed any of the time and date stamps of the files contained on the storage media?
- Can you be sure that you haven’t changed the contents of the data itself?
- Have you maintained an audit trail of the steps that you have taken?
- Do you know what operations the computer performs when you turn it on or off?

Generally, unless you have been specifically trained to investigate computer systems, the answer to these questions will be a resounding no.

Special techniques and procedures have been developed in association with the Police and other law enforcement agencies to ensure that we are able to produce evidential images of computer material without compromising the evidential integrity of the data.

The techniques employed vary from system to system. However, it is essential to know the consequences of your actions before carrying them out.

Some of the problems that our customers have experienced in the past include:

- Time and date stamps relating to critical files changed when booting the machine
- Information in the ‘free space’ of the disk overwritten during the boot up
- During an investigation a virus was spread, corrupting many files on the system, resulting in a claim for damages being brought against the investigator
- A server-based system was unable to be brought back to life after being inappropriately turned off. This resulted in a lawsuit and a claim for consequential damages against the firm of investigators

Whilst investigating a machine, a virus was found and then removed to prevent infection of the investigating software. The act of removing the virus changed many time and date stamps on the machine and, of course, changed the contents of the file containing the virus.
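
The first three questions above (time stamps, contents, audit trail) can be checked mechanically. The following Python is an added example, not part of the original page and not the procedure the page refers to: it records a baseline of a mounted evidence directory, reports what changed afterwards, and keeps a tamper-evident log of actions. The function names, the use of SHA-256 and the hash-chained log format are assumptions made for illustration.

```python
import hashlib, json, os, time

def snapshot(root):
    """Record SHA-256 and mtime for every file under root. Use a read-only or
    write-blocked mount: on a writable one, reading a file can update atime."""
    state = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            mtime_ns = os.stat(path).st_mtime_ns  # stat before reading
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (digest, mtime_ns)
    return state

def compare(before, after):
    """Return (path, finding) pairs for everything that differs."""
    findings = []
    for path in sorted(set(before) | set(after)):
        if path not in after:
            findings.append((path, "missing"))
        elif path not in before:
            findings.append((path, "added"))
        else:
            if before[path][0] != after[path][0]:
                findings.append((path, "content changed"))
            if before[path][1] != after[path][1]:
                findings.append((path, "timestamp changed"))
    return findings

def audit(log, action):
    """Append an audit-trail entry chained to the hash of the previous one."""
    entry = {"time": time.time(), "action": action,
             "prev": log[-1]["hash"] if log else "0" * 64}
    entry["hash"] = _digest(entry)
    log.append(entry)

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_intact(log):
    """False if an entry was edited or one was removed from the middle."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return False
        prev = entry["hash"]
    return True
```

Take one `snapshot` before any examination step and another after it; an empty `compare` result, together with an intact log, is what lets you answer the first three questions with a yes.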