This week, Neil Barrett, technical director at security specialist Information Risk Management, looks at how easy it is to ruin potentially useful information on computer crimes.
Lots of crimes involve the use of computers, one way or another. They might be used to communicate with co-conspirators; they might be used to hold paedophilic images; and they might be used by hackers, fraudsters, stalkers and even murderers.
A sizeable number of crimes now involve computers either as tools or as 'victims'. And, of course, any computer activity leaves a trace, whether in a log file, as a deleted email, or as a 'last-access-time' stamp on a file.
Computers are impossible to use without making some telltale alteration to the file system.
Computers involved in crime must therefore be seething with evidence, right? Unfortunately, wrong. The machines contain data, and lots of it, but that data, in and of itself, is not evidence.
To become evidence, the data has to be treated in a particular way. It has to be frozen and preserved so that there is no possibility of it being altered, and it has to be agreed as being admissible in court.
It also has to be complete and fair but, most importantly, it has to be handled in the correct manner.
Evidence is not a property of the data; it is a feature that emerges as a result of the way that the data is processed.
This means that a lot of planning has to go into the handling of computers that might have potential evidence held on them.
For example, what should be done if a member of staff is accused of having downloaded illicit material, such as unlicensed software or paedophilia?
What should be done if a web server is discovered as having been hacked? What should be done if malicious or threatening email appears to have been sent by an employee?
In all of these cases, the computers will contain useful information that can potentially be used as evidence, but which can also be damaged if handled incorrectly.
An all too human reaction to the prospect of illicit or interesting material on a computer is to access the machine and to inspect it. But, of course, this will alter the information, even if it's just a time stamp, and make it very difficult to use in court.
It is far better to preserve the information, either by removing the hard disk and copying it with a forensic imaging application such as EnCase, or by using a monitored and witnessed back-up routine.
That way, the preserved version of the data can be stored and tendered as evidence, while still allowing the investigators to look for information on what might, or might not, have been done.
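The preservation step described above, as an added illustration that is not part of the original column and does not use EnCase: a small Python script that copies a source file byte-for-byte while hashing it, re-hashes the resulting image, records the source's file-system timestamps as they were before the copy, and writes the operator and witness names into a custody manifest. The "disk" here is a constructed sample file; imaging a real drive would be done with a write-blocked forensic tool, and the names and paths are placeholders. The point the script makes is the one the column makes: later inspection is done against a copy whose digest can be re-checked, so any alteration shows up as a verification failure.

```python
import hashlib
import json
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large images do not sit in memory


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_record(source, image_path, operator, witness):
    """Copy `source` to `image_path` byte-for-byte, hashing the source as it is read,
    and return a chain-of-custody manifest describing the copy.
    `operator` and `witness` are hypothetical placeholder names for the record."""
    # Capture the file-system metadata before anything else touches the source,
    # so the manifest shows the timestamps at the moment of preservation.
    st = os.stat(source)
    before = {"size": st.st_size, "mtime": st.st_mtime, "atime": st.st_atime}

    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    source_hash = h.hexdigest()

    # Independently re-read the image: the two digests must agree, otherwise
    # the copy is not a faithful duplicate and must not be tendered.
    image_hash = sha256_of(image_path)

    manifest = {
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
        "source_metadata_before_copy": before,
        "operator": operator,
        "witness": witness,
    }
    # Persist the manifest next to the image; it is the document that is signed and kept.
    with open(image_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(manifest):
    """Recompute the image digest and compare it with the manifest (done before each inspection)."""
    return sha256_of(manifest["image"]) == manifest["image_sha256"]


def demo():
    """Build a constructed sample 'disk', image it, then show that a stray write to the
    image is caught by re-verification. Returns (copy verified, ok before, ok after)."""
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "evidence_disk.bin")  # constructed sample, not a real disk
        with open(source, "wb") as f:
            f.write(b"sample log line\n" * 1000)
        image = os.path.join(workdir, "evidence_disk.img")
        manifest = image_and_record(source, image, operator="operator-name", witness="witness-name")
        ok_before = verify_image(manifest)
        # Simulate an investigator "just having a look" and accidentally altering the image.
        with open(image, "ab") as f:
            f.write(b"x")
        ok_after = verify_image(manifest)
        return manifest["verified"], ok_before, ok_after
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Running the script prints `(True, True, False)`: the copy matched the source, verified cleanly, and failed verification once a single byte had been appended. In practice the manifest would also be signed or printed and countersigned by the witness, which is the part a script cannot do for you.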
Bear in mind, though, that crossing all the bridges necessary to have evidence admitted in court is only the start of the battle; it is then necessary to be able to explain the relevance and importance of the evidence.
Even in our connected, increasingly IT-literate world, courts are still places with woefully little computer expertise. Few judges are familiar with the technology, although some are making great strides.
Few barristers and solicitors know more than the basics, and certainly most jurors are confused by the arcane language of log files, email headers and the rest.
Computer evidence is therefore not a simple thing, but it is certainly true that the material can be invaluable.
Because of this, anyone involved in the field should encourage all systems operators to become familiar with the fundamentals and requirements.
After all, with such a fast-growing field of criminality, it is surely not a question of whether your computers will be involved, but rather of when.
Do you agree?