Australian Police

Australian Police

The Thin Blue Line – Australian Police

Computer Forensics


With the ever increasing use of computers and the electronic medium, Computer Forensics will form and play a greater role in both civil and criminal litigation.

What is Computer Forensics.

‘Computer Forensics’ is the detailed examination of computers and their peripheral devices, using computer investigation and analysis techniques in the interests of determining potential legal evidence. The evidence required to be found will cover a wide range of subjects and will not be limited to criminal offences. The information required may relate to such things as theft of trade secrets, theft or destruction of intellectual property, fraud, and other civil cases involving wrongful dismissals, breaches of contracts and discrimination issues.

‘Computer Forensics’ will also be needed in criminal cases where evidence has been located and is to be produced at trial. The Law Enforcement agencies will produce, during the discovery process, imaged (exact copies) copies of the subject media. These copies will need to be examined by trained professionals to ensure that the media has been secured and examined in the correct manner and all evidence recovered. Evidence may be recovered that may help the defence, but has not been produced by the enforcement agency.

These examinations involve the examination of computer media, such as floppy disks, hard disk drives, backup tapes, CD-ROM’s and any other media used to store data. The forensic specialist uses specialised software, not normally available to the general public. The examination will discover data that resides in a computer system, or recover deleted/erased, encrypted or damaged file information and recover passwords, so that documents can be read. Any or all of this information found during the analysis may or can be used during both criminal and civil litigation.

The examinations follow strict rules of seizure and examination and must stand up to extensive examination in the court. If the procedures followed are found to be flawed, then the evidence will most likely be excluded from the proceedings.

The Role Computer Forensics Plays in Litigation.

Other than direct testimony by an eyewitness, documentary evidence is probably the most compelling form of evidence in criminal and civil trial. The paper trails have traditionally been a gold mine for investigators, especially where fraud is involved.

In past years, documentary evidence was limited to paper and where the best evidence rule applied, the original document was produced. However, with the fast moving information age, documents are rarely typed as before and are produced on word processors, using personal computers. Some of these documents are no longer printed and are e-mailed or faxed to the recipient directly from the computer.

Because of the change in the way information is distributed and or the way people communicate, the rules of evidence have had to change as well. Copies of computer files are now as good as the original electronic document. Because of this and the strict rules that are applied to forensic examinations, lawyers will need to call upon the expertise of the Computer Specialist on an ever-increasing basis.

As lawyers are becoming more aware of this very important part of evidence, they are asking the courts for orders, compelling the production of the original electronic document and all ambient data. This documentary evidence has broadened the horizon for legal discovery.

What the Computer Expert will find.

When electronic documentation is created bits and pieces of the documents are written or stored in temporary files, the Windows Swap file and in file slack space. When the documents are deleted or updated, remnants of the original file are left behind on the hard drive. Since multiple copies of the document, remain on the hard drive, these fragments are valuable sources of information for both the prosecution and the defence.

If an examination is conducted using the tried and proven procedures, all evidence will be located in a methodical and logical manner. This is why, over the years, strict rules have been established for the seizure and examination process. The courts in different countries have accepted these rules and procedures as they have been explained and proven to their satisfaction, in evidence given by the Computer Expert.

The Computer Expert should find all data contained on the medium. This information will include computer programs, graphics images and documentary evidence. An expert using specific software programs will recover deleted/erased files, be able to open files that have been protected using passwords and recover ambient data from file slack space and unallocated disk space.

All Computer Experts should have completed recognised training courses that have given them an internationally recognised qualification. They should also used recognised procedures and software in their examination of the suspect medium. The software should help find all documentary evidence required for the litigation.

Why use a Computer Forensic Expert.

Forensic Computer Experts are able to move quickly through the questioned media and identify area’s to look for evidence and also identify additional information sources of relevant evidence.

The Computer Expert should have been formally trained, with recognised training providers and have received a recognised international qualification. These training providers consist of organisations, such as IACIS (International Association of Computer Investigative Specialists), NTI (New Technologies Inc) and the NWCCC (National White Collar Crime Centre). These are not the only organisations providing recognised training, but are a selection of the more recognised providers. Most of these organisations provide training for Law Enforcement Officers only.

Computer Experts will not damage, destroy or compromise evidence during the investigative process. Because they have trained to find evidence in an effective and efficient manner, the cost of the examination will be considerably reduced.

The Computer Expert will preserve the chain of custody in accordance with the legal system rules and then produce the evidence in court in a professional and easy to understand format. They will also be able to explain in layman’s terms, the complicated processes of how a computer works and how the evidence was obtained.


With the ever-increasing use of computers over the last decade, the use of Computer Forensic Specialists will become more and more important. It is imperative that the legal and professional fraternities know and understand the ramifications of not using properly qualified experts.

These experts will point the professionals in the direction best suited for the matter in question or litigation process and will do so in a less time consuming manner than unqualified people.

But the most important aspect of all is that the Computer Expert will present the information in a manner that is recognised by the court system and will be able to explain the facts in an easy to understand manner.

Leave a Reply

Your email address will not be published. Required fields are marked *