Police computer forensics interview
There is an article on page 122 of this week's UK PC User (26 July - 22 August) by the head of the technical support unit for Essex Police. Here are a few choice cuts from the article:

... Now, what we do is go out on raids, or at least instruct officers on how to seize computers and bring them back to the computer evidence lab. The first thing we do with a computer is to make an exact copy of the hard disk and any floppies that come with it. It is essential that we have an exact image, rather than just a file copy, so we get everything, like the remaining bits of deleted files. We can interrogate the free space and slack space where there could be important evidence. To do this we've developed our own imaging system. This is basically a bit copier: it just copies every single bit of a hard disk onto either an optical drive or a hard drive, and saves it as a long file. We reconstruct the disk on our own computer, a Vale machine with a 90MHz Pentium processor, and then we can perform the investigation.

... What we look for depends on the case: if it's a fraudster's machine, we'll be looking for sets of accounts, if we're dealing with a paedophile, we're looking at graphic images. We basically start by looking for erased material, which is always the most interesting, and the slack space.

... One of our biggest problems is getting around passwords and encryption. Not the base passwords -- they're easy to get around -- but the passwords on the applications themselves, and encryption can be very difficult to crack. We do have special programs to get around them, but you need individual ones for each application. The programs can crack most Microsoft applications in minutes, but some, Paradox for example, are a lot harder. The biggest headaches are the pocket organisers from Psion or Sharp. On a PC you have password protection, but you can always get in through the motherboard, but with a Psion you can't get in without the manufacturer's assistance.
Interviewer: Ken Luxford
Interviewee: Andrew Johnson
anon-remailer@utopia.hacktic.nl
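The difference the article draws between an exact image and a file copy, as an added example that is not part of the original post or the article: a toy four-cluster "disk" on which a deleted file's bytes survive in the slack of a reused cluster and in an unallocated cluster. The cluster size, file names, contents and the contiguous-allocation table are all constructed assumptions, not a real filesystem format.

```python
CLUSTER = 512  # assumed cluster size for this toy disk

def build_disk():
    """Return (disk, table); table maps file name -> (first_cluster, length)."""
    disk = bytearray(CLUSTER * 4)
    # A 1024-byte file once filled clusters 1 and 2. "Deleting" it only
    # dropped its table entry; the data stayed on the disk.
    disk[CLUSTER:CLUSTER * 3] = b"ACCOUNTS-LEDGER " * 64
    # A short new file reuses cluster 1 and overwrites only its first bytes.
    new = b"shopping list\n"
    disk[CLUSTER:CLUSTER + len(new)] = new
    return disk, {"LIST.TXT": (1, len(new))}

def file_copy(disk, table):
    """What a file-level copy captures: the logical bytes of live files only."""
    return {name: bytes(disk[c * CLUSTER:c * CLUSTER + length])
            for name, (c, length) in table.items()}

def bit_image(disk):
    """What a bit copier captures: every byte, allocated or not."""
    return bytes(disk)

def slack_and_free(image, table):
    """Split an image into per-file slack and unallocated clusters."""
    slack, allocated = {}, set()
    for name, (first, length) in table.items():
        n = max(1, -(-length // CLUSTER))        # clusters held by the file
        slack[name] = image[first * CLUSTER + length:(first + n) * CLUSTER]
        allocated.update(range(first, first + n))
    free = {c: image[c * CLUSTER:(c + 1) * CLUSTER]
            for c in range(len(image) // CLUSTER) if c not in allocated}
    return slack, free

def find_residue(image, table, needle):
    """List the slack and free regions of the image that contain needle."""
    slack, free = slack_and_free(image, table)
    hits = [f"slack:{n}" for n, data in slack.items() if needle in data]
    hits += [f"free:cluster{c}" for c, data in free.items() if needle in data]
    return hits

if __name__ == "__main__":
    disk, table = build_disk()
    print("file copy :", file_copy(disk, table))
    print("image hits:", find_residue(bit_image(disk), table, b"ACCOUNTS-LEDGER"))
```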