Forensics question (Tampering)


jaffy1229
17-04-2008, 04:57 PM
Hello,

Here's a scenario. Let's say my computer is being examined by a dodgy police forensics expert. If they tamper with any of the information on the hard drive, could they do so without leaving any evidence of what they have done and changed?

For example, what if they changed a filename or a registry entry to read something else to make it look incriminating? How could you prove, by using another independent forensics expert, that a filename or a registry entry was changed, or would that not be possible?

Cheers,

Disklabs
18-04-2008, 08:31 AM
You shouldn't worry. If they have done their job properly in the first place, they should have forensically imaged the hard disk drive. If this has been done, you should get an MD5 hash (a sort of digital fingerprint). If the hard drive is imaged again and the hash doesn't match, then evidentially speaking, they are not the same and a decent lawyer should be able to get the evidence dismissed.

I hope that helps.

Simon
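
The hash comparison described in the reply above, as an added example that is not part of the original thread. It goes beyond the post by also recording per-sector hashes at acquisition so that a mismatch can be localized to the sectors that changed; the 512-byte sector size, the function names and the sample images are assumptions constructed for illustration.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size for the constructed sample images


def image_hash(stream, algo="md5", chunk=1 << 20):
    """Hash a whole image by streaming it, as done when the drive is first imaged."""
    h = hashlib.new(algo)
    for data in iter(lambda: stream.read(chunk), b""):
        h.update(data)
    return h.hexdigest()


def sector_hashes(stream, sector=SECTOR, algo="md5"):
    """One hash per sector, recorded alongside the whole-image hash."""
    return [hashlib.new(algo, d).hexdigest()
            for d in iter(lambda: stream.read(sector), b"")]


def verify(acquisition_hash, stream, algo="md5"):
    """True if a later image still matches the hash recorded at acquisition."""
    return image_hash(stream, algo) == acquisition_hash.lower()


def changed_sectors(recorded, stream, sector=SECTOR, algo="md5"):
    """Indexes of sectors that differ from the recorded list (or are missing/extra)."""
    current = sector_hashes(stream, sector, algo)
    longest = max(len(recorded), len(current))
    return [i for i in range(longest)
            if i >= len(recorded) or i >= len(current) or recorded[i] != current[i]]


def make_image(name):
    """Constructed sample: a 4-sector 'disk' with a file name stored in sector 2."""
    sectors = [b"\x00" * SECTOR for _ in range(4)]
    sectors[2] = name.ljust(SECTOR, b"\x00")
    return b"".join(sectors)


ORIGINAL = make_image(b"holiday_photos.zip")   # constructed data
ALTERED = make_image(b"renamed_later.zip")     # same disk with the name changed
ACQUISITION_MD5 = image_hash(io.BytesIO(ORIGINAL))
ACQUISITION_SECTORS = sector_hashes(io.BytesIO(ORIGINAL))

if __name__ == "__main__":
    print("original verifies:", verify(ACQUISITION_MD5, io.BytesIO(ORIGINAL)))
    print("altered verifies: ", verify(ACQUISITION_MD5, io.BytesIO(ALTERED)))
    print("changed sectors:  ", changed_sectors(ACQUISITION_SECTORS, io.BytesIO(ALTERED)))
```

Passing `algo="sha256"` runs the same comparison with a different hash function.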