Computer forensics

Question 1

The computer is a vital source of evidence about the child's whereabouts and what the child has been doing with the computer. The investigator should structure the search so that they know what is being looked for on the computer. The information the computer contains could have been deleted, encrypted, or damaged. The investigator should be able to uncover it in order to identify what kind of criminal danger the child was exposed to. This could include issues relating to pornographic material or communication with a potential kidnapper, murderer, or pedophile, among others. It is important for the investigator to retrieve all the information the child used prior to her disappearance.

There could be an external influence driving her disappearance. The child must have had something on the computer that leads to conclusive evidence about her disappearance and where she could be. The computer should not be tampered with, but the files which have been closed should be retrieved from it to unearth the evidence. Appropriate software and tools should be used in the recovery process so that the evidence is obtained without being damaged. All the recovered files should be analyzed critically to identify the evidence. Persistent data on the local hard drive remains stored even when the computer is switched off, and it should be retrieved appropriately. There is also volatile data, which is stored in memory or was still being processed or in transit, and which is likely to disappear when the computer is switched off. This data is found in the RAM, cache, and the registries (Vacca, 2005).

Question 2

In this case, it is important to validate the source of the files and the period during which they have been stored on the system. As an investigator, I need the client to disclose what she knows about the files on the system. The details also need to be established by examining the system and her computer. The questions which should be asked include: When did you start using the computer? With whom have you shared the computer? Who has ever sat at your workstation or used your computer for any task? What time do you normally report to work? What time do you log in to your computer? What time in the day do you go for break? Do you always log off the computer? What time do you leave the workstation? Do you always switch off when leaving the office? Do you have a login password for your computer? Who knows your password?

The computer system in question should now be protected so that the data it contains is not changed, destroyed, corrupted, or infected by a virus. All the files on the system should be identified, including those which have been deleted, the existing ones, the encrypted ones, and those which are protected by a password. All the files which have been deleted should be retrieved. Concealed files should also be exposed, as should those which have been swapped out by the programs used on the company's system. All the files which have been encrypted should be accessed to find their source and purpose.

There should be an in-depth analysis of all the relevant data which has been collected, especially data which had been hidden. The analysis of the computer should be put in a hard copy which lists all the relevant data from the computer system in use and the files which have been identified. An overview of the structure of the data or files identified, and of the system design, should be provided. The authorship of the data and files discovered should also be presented, together with any other information relevant to the data which has been discovered.
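The file inventory and integrity steps described above can be sketched as follows. This is an added example, not part of the original answer; it assumes the investigator works on a read-only copy of the evidence, that stated working hours are 08:00 to 17:00 UTC, and that an entropy above 7.5 bits per byte marks a file as possibly encrypted or compressed. All function names are hypothetical.

```python
import hashlib, math, os
from collections import Counter
from datetime import datetime, timezone
ENTROPY_THRESHOLD = 7.5  # assumed cut-off (bits/byte) for "possibly encrypted or compressed"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inventory(root, work_start=8, work_end=17):
    """Hash and describe every regular file under root; files are only read."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()  # whole-file read; hash in chunks for large evidence
            modified = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            records.append({
                "path": os.path.relpath(path, root),
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
                "modified_utc": modified.isoformat(),
                "possibly_encrypted": shannon_entropy(data) > ENTROPY_THRESHOLD,
                # Assumed working hours, in UTC, taken from the client's answers.
                "outside_stated_hours": not (work_start <= modified.hour < work_end),
            })
    return sorted(records, key=lambda r: r["path"])

def changed_since(records, root):
    """Return paths whose current SHA-256 no longer matches the recorded one."""
    changed = []
    for rec in records:
        with open(os.path.join(root, rec["path"]), "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != rec["sha256"]:
                changed.append(rec["path"])
    return changed

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:  # constructed sample data
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"meeting at ten\n" * 50)
        with open(os.path.join(root, "blob.bin"), "wb") as fh:
            fh.write(os.urandom(4096))
        for rec in inventory(root):
            print(rec)
```

Files flagged as modified outside the stated hours are leads to compare against the client's interview answers, and re-running `changed_since` on the saved records shows whether the working copy has been altered since the inventory was taken.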


Vacca, J.R. (2005). Computer forensics: computer crime scene investigation. 2nd ed. New York: Cengage Learning.