What's wrong with doing computer forensics in-house?
To begin with, to be court-defensible and unbiased, it's usually a good idea to hire an impartial, third-party expert. This is especially important if the matter goes to court and expert testimony is required. Secondly, proper chain of custody of electronic evidence requires proper authentication of the hard drives and files, as well as provably unaltered data handling. Why? Simply turning on a Windows-based computer causes the operating system to alter the date/time stamps of over two thousand files, leaving the evidence open to suspicion of tampering. It gets worse when you not only turn on the machine in question, but begin having a look around. Each time you open a file or folder, its metadata is altered, and the perceived authenticity of the data goes further down the drain. Our forensic investigations are rarely performed on the original subject computers. The forensically preferred method is to leave the computers powered down, carefully remove the hard drive, attach an appropriate write-