AS COMPUTER users get more and more adept at disguising their identity, deleting and over-writing their data and destroying the hardware, so the job of the forensic computer examiner gets ever more challenging.
The most important ground rule is to preserve the evidence as soon as possible. If computers continue to be used, deleted data is over-written and important secondary sources such as printer spoolers, cache and internet histories become corrupted with fresh data.
That does not always mean that the examination is jeopardised, but it does inevitably lead to extra difficulties and higher costs.