Types of System Investigation

The range of computerised devices encountered during a normal day that may be potential sources of information and evidence and be considered for forensic investigation is vast. In the home, there is the personal computer and the hub or router that connects it to the outside world, probably a computer games console, a satellite TV box that may have internet and email capability, the alarm system and control systems for the washing machine and environmental controls, and increasingly other “white goods”. In the car, there is the engine management system and the satellite navigation system, which may include a wireless or Bluetooth communications facility. In the office there will be networked computer systems, access control systems and alarm systems.

For the individual user, there is the laptop computer and the handheld mobile communications device. The last may seem a strange choice of words to describe what, to date, has been referred to as the “mobile phone”, but that term no longer really describes the devices we regularly carry around with us. Today’s device is more and more a mini computer. In addition to making calls, it contains an address book and a diary, can download and play music, can browse the internet, send email, and act as an SMS-capable device. This device is best described as a “smartphone”.

The types of information that may contain evidence fall into one of three groups: active, archival and latent data. Active data is the information that can be seen on the device, such as data files, programs and the operating system files. This is the easiest type of data to collect. Archival data is data that has been backed up. This may be stored, for example, on DVDs, CDs, floppies, backup tapes, and hard drives. Latent data is the sort of information that may require specialised tools to recover and includes information that has been deleted or may have been partially overwritten.
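
The difference between active and latent data can be seen on a small scale in the following added example, which is not part of the original article. It assumes a constructed six-sector toy image and a toy directory (not a real filesystem), with hypothetical file names: the directory listing shows only the active files, while a signature scan of the raw bytes still finds a deleted file intact and a second deleted file that has been partially overwritten.

```python
SECTOR = 64                      # toy sector size (assumption)
JPEG_SOI = b"\xff\xd8\xff"       # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"           # JPEG end-of-image marker

def make_jpeg(tag: bytes, size: int) -> bytes:
    """Constructed stand-in for a JPEG: real markers around ASCII filler."""
    filler = (tag * size)[: size - 6]
    return JPEG_SOI + b"\xe0" + filler + JPEG_EOI

def build_image():
    """Constructed 6-sector image plus a toy directory (not a real filesystem)."""
    image = bytearray(6 * SECTOR)
    image[0:100] = make_jpeg(b"HOLIDAY", 100)
    image[128:218] = make_jpeg(b"INVOICE", 90)
    image[256:376] = make_jpeg(b"PLAN", 120)
    image[320:384] = (b"meeting notes " * 5)[:64]   # reuses plan.jpg's 2nd sector
    directory = [
        {"name": "holiday.jpg", "offset": 0, "length": 100, "deleted": False},
        {"name": "invoice.jpg", "offset": 128, "length": 90, "deleted": True},
        {"name": "plan.jpg", "offset": 256, "length": 120, "deleted": True},
        {"name": "notes.txt", "offset": 320, "length": 64, "deleted": False},
    ]
    return bytes(image), directory

def active_files(directory):
    """Active data: what the device's own listing shows."""
    return [e["name"] for e in directory if not e["deleted"]]

def carve_jpegs(image: bytes):
    """Scan raw bytes for JPEG signatures: (offset, length or None, complete)."""
    hits, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        nxt = image.find(JPEG_SOI, start + 3)
        bound = nxt if nxt != -1 else len(image)     # never read into the next file
        end = image.find(JPEG_EOI, start + 3, bound)
        hits.append((start, end + 2 - start, True) if end != -1 else (start, None, False))
        pos = start + 3
    return hits

def latent_hits(image: bytes, directory):
    """Latent data: carved content that no live directory entry points at."""
    live = {e["offset"] for e in directory if not e["deleted"]}
    return [h for h in carve_jpegs(image) if h[0] not in live]

if __name__ == "__main__":
    img, table = build_image()
    print("active:", active_files(table))
    print("latent:", latent_hits(img, table))
```

The hit at offset 256 has no end marker because its second sector now holds notes.txt, so only the leading fragment of that file is recoverable.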