If this is becomes a criminal matter, be sure to document every action you take, including deleting anything. not doing so will defiantly contaminate the evidence. I have worked in a computer forensics lab as an intern and if you honestly thing there is any chance of foul play, I would not touch any of it, at least until the investigators have said they won't do anything. Failing that hash, image, and rehash the hard drive. I suggest using SMART Linux of Helix, both of these have been certified to be used in forensic capacity by at least certain agencies. the most important thing is to not contaminate any of the evidence. Image the hard drive to an external device, then do all searching off of that device. Be sure to hash using MD5 or SHA, and be sure to do so before and after touching anything. DOCUMENT EVERYTHING YOU DO, PERIOD. Also take pictures of anything you do the the hardware. I can tell you right now, if it comes down to it, a defense lawyer will tear up any digital evidence presented that could possibly be contaminated. So document everything you do, and do the utmost to protect the integrity of the drive.
Don't be an idiot and take any curtsies and delete any porn files, what will the deceased care, he is dead after all. this will just contaminate the evidence, investigators regularly come across this stuff, unless it depicts illegal acts, they don't care, but they will notice deletion of files which is suspicious and is contamination of the evidence.
Sorry for anoymous post, first time posting here.
Slashdot Mirror
of course for the sake of contamination, remember to image the drive first, that way if you screw it up, your just messing up a copy :)
If this is becomes a criminal matter, be sure to document every action you take, including deleting anything. not doing so will defiantly contaminate the evidence. I have worked in a computer forensics lab as an intern and if you honestly thing there is any chance of foul play, I would not touch any of it, at least until the investigators have said they won't do anything. Failing that hash, image, and rehash the hard drive. I suggest using SMART Linux of Helix, both of these have been certified to be used in forensic capacity by at least certain agencies. the most important thing is to not contaminate any of the evidence. Image the hard drive to an external device, then do all searching off of that device. Be sure to hash using MD5 or SHA, and be sure to do so before and after touching anything. DOCUMENT EVERYTHING YOU DO, PERIOD. Also take pictures of anything you do the the hardware. I can tell you right now, if it comes down to it, a defense lawyer will tear up any digital evidence presented that could possibly be contaminated. So document everything you do, and do the utmost to protect the integrity of the drive. Don't be an idiot and take any curtsies and delete any porn files, what will the deceased care, he is dead after all. this will just contaminate the evidence, investigators regularly come across this stuff, unless it depicts illegal acts, they don't care, but they will notice deletion of files which is suspicious and is contamination of the evidence. Sorry for anoymous post, first time posting here.