Ohio Forensic Guide

Computer forensics examiners analyze digital evidence that can be used in investigations.  They may respond to crime scenes, take photographs, record evidence, and take into custody physical evidence such as computers, keyboards, cables, and other equipment.  This includes the securing of USB flash drives, disc drives, and other data storage devices.

In a criminal investigation, when computer forensics teams arrive to a crime scene, they first capture any volatile data in RAM that would be lost when a computer is turned off.  The captured data is moved to a secure location for preservation.  Captured data may include images, open documents, network configurations, current network connections, contents of RAM, and logon sessions.  Computer forensics examiners may also focus on gathering the evidence from the hard drive.  They can obtain a mirror image back up, which is an evidence-grade backup that meets legal evidence standards. 

When a computer forensics team is at a crime scene, it must also start and maintain a strict chain of custody of all digital evidence recovered.  Computer forensics professionals must document all serial numbers of the items involved, who handled the evidence and any related information for it to be admissible in court.  The chain of custody must also document that no unauthorized person was allowed access to the evidence.

Once the information the examiners gather the information obtained at a secure location, they examine the evidence and write a report on the findings.  The evidence and report may be used in a court of law to prosecute a criminal case.  Computer forensics experts may also provide written, video, or live testimony of their investigation and findings for court proceedings.