Before the Bytes: Collecting Physical Computer Evidence

One important aspect of computer forensics is the processing of the computer and related accessories for latent prints. When you consider what you do at a computer, it can easily be limited to the keyboard and a “mouse.” The surfaces of these areas are in constant exposure to latent print residue by the sole user or any subsequent users and the successful recovery of a latent print, even that of last user, is going to be problematic. It can not be stated that it is impossible to recover a useable latent print, but it is considered highly doubtful.

However, there is one element in computer usage that may yield latent prints of value and that is the file storage media of a compact or floppy disc device. An individual involved in some sort of illegal activity may prefer to use these forms of storage for files, records and photographs rather than place the material on a hard drive. While the processing of the computer unit, monitor, keyboard, CPU, mouse, printer, etc., should be attempted, the removable discs may afford a better opportunity for the recovery of latent prints.

Two common types of storage media in current use are floppy disks and compact disc (CD), with the CD rapidly becoming the media of choice for its large file storage capability. There are special considerations to the latent processing techniques of the different types as universal techniques are not necessarily applicable to both. It is desirable to eventually present any evidence in the original form as it appears on the disc, but loss of information during a processing session may occur and the first action is to completely backup the information before any potentially damaging technique is employed.

The first assessment will be the standard visual examination for visible latent prints. The textured nature of many floppy disc devices interferes with visible prints except on the metal “gates” that protect the recording surface of a floppy diskette. The surface of CDs, while not meant to be touched, can yield excellent visible prints. We can then consider processing options once the visual inspection is completed. We start with the floppy disc.

If there is a paper label on the disc, you can consider any of the techniques associated with porous evidence that can be selectively applied. A ninhydrin solution can be applied to the label without any contamination to the interior areas of the disc, which should be avoided, through the use of cotton swab applicators. Once you have finished processing any porous areas, you can approach the non-porous surface of the disc casing material.

Although the excellent latent developing qualities of magnetic powder on textured surfaces may be tempting, it should not be applied if you want to keep the evidence in its original form. The magnetic field emitting from the applicator tip may completely eliminate all files. If the files have been backed up in another location and the disc integrity is not an issue, magnetic techniques may be used.

The next choice for this type of evidence would be cyanoacrylate (CA) fuming. This has not been found to be detrimental to disc contents. However, if you want to use chemical enhancers like Ardrox, the same procedures for ninhydrin must be followed. The solutions must be able to be selectively applied without invading the disc recording material. This will be more difficult than the processing of paper labels, but can be considered.

If a CD has a paper label on its non-recording side, the same processing given for floppy disk labels can be followed. The recording surface of the CD can be more susceptible to contamination than that of the floppy disc so extra precautions should be employed.

CD latent processing can use magnetic powder applications. The file recording technology is different than floppy disks and magnetic applicators will not destroy or alter the stored information.

CA can be employed with CD examinations. There is no evidence that the recording quality of files is affected by CA residue resulting from this processing method. However, if it is desired to remove such residue, a CA cleaner is available. This solution is non-flammable, contains no volatile organic compounds, has no harmful fumes and can be used on glass, metal and acrylic surfaces when used “full strength.” If the stock solution is diluted with water to a 50/50 mixture, briefly soaking the item and then gently cleaning the surface can accomplish post-processing cleaning of sensitive or special evidentiary items such as CDs. Tests conducted on CDs that had been heavily soiled with CA residue were able to remove the residue with no damage to the data integrity of the CD.