Securing Electronic Evidence
Electronic information contained on computer media is very fragile and must be handled with extreme care. These guidelines should be followed any time you suspect that computer media contains relevant information regarding an investigation.
STEP 1: Identify Any Computer Media That May Contain Evidence
You must first identify where the evidence may exist. A good place to start is by identifying the people involved and their computer access. Consider the following:
Physical location:
- Work
- Home
- Third party (e.g. email recipients or senders)
Computer:
- Desktop
- Laptop
- Server
- PDA
Media:
- Hard-drive
- Floppy disk
- Zip® disk
- CD
- Backup tape
STEP 2: Quarantine The Identified Computer(s) And Media
Whether the electronic evidence is part of a legal or corporate investigation, maintaining a good chain of custody of the suspected computer media is critical. Through proper handling procedures, your organization can ensure the integrity of the evidence.
- Do not attempt to perform an investigation on the computer media; this could alter or destroy electronic evidence
- Designate a limited number of people to handle the evidence, preferably one
- Unplug the power from the computer
- Do not perform a “Shutdown”
- Move the computer and any related media to a secure location
- Restrict access to the computer media
- Consider whether court orders are necessary to secure electronic evidence on third-party and home computer media, and subpoena the material quickly.
STEP 3: Create Forensic Mirror Image Of Computer Media
When it is time to perform the investigation, it is critical that the work be performed on a physical bit-stream copy of the media, not on the original. This requires special hardware and software designed to capture all of the electronic information on the computer media (e.g. logical files, deleted files, file slack, and unallocated space) and to ensure its integrity. Once the mirror image has been created, the original computer media can be put back into circulation.
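As an added illustration of Steps 2 and 3, the POSIX shell script below is an example written for this page, not Neohapsis's own procedure or tooling. It makes a sector-by-sector copy of a source with dd, hashes source and image with SHA-256, appends a chain-of-custody record, and offers a separate re-verification step for later use. The sample "device" is a constructed 4096-byte file; the device path, case identifier, log format and the choice of dd and sha256sum/shasum are all assumptions.

```shell
#!/bin/sh
# Added example (not Neohapsis's procedure): bit-stream imaging with dd,
# hash verification, and a simple chain-of-custody log.
# Assumes dd and either sha256sum (GNU) or shasum (BSD/macOS) are installed.

# SHA-256 of a file, portable between sha256sum and shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# image_media SOURCE IMAGE LOG CASEID
# Copies SOURCE sector by sector into IMAGE, checks that the image hashes
# identically to the source, and appends one custody record to LOG.
# Returns 0 only when the hashes match.
image_media() {
    src=$1; img=$2; log=$3; case_id=$4
    # conv=noerror,sync: keep reading past unreadable sectors and zero-fill
    # them so offsets in the image still line up with the original media.
    # bs=512 matches the sector size; because 'sync' pads a short final
    # block, a regular file used as sample input must be a multiple of 512.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    if [ "$src_hash" = "$img_hash" ]; then verdict=MATCH; else verdict=MISMATCH; fi
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    handler=$(id -un 2>/dev/null || echo unknown)
    # Record: time|case|handler|source|image|sha256 of source|verdict
    printf '%s|%s|%s|%s|%s|%s|%s\n' \
        "$stamp" "$case_id" "$handler" "$src" "$img" "$src_hash" "$verdict" >> "$log"
    [ "$verdict" = MATCH ]
}

# verify_image IMAGE EXPECTED_SHA256
# Re-check an image against the hash recorded at acquisition time before
# any analysis is run on it. Returns 0 when the hash still matches.
verify_image() {
    [ "$(hash_file "$1")" = "$2" ]
}

# Constructed sample: an 8-sector "device" filled with random bytes.
# On real media SOURCE would be a block device behind a write blocker.
demo() {
    work=$(mktemp -d)
    head -c 4096 /dev/urandom > "$work/media.raw"
    image_media "$work/media.raw" "$work/media.dd" "$work/custody.log" CASE-0001
    rc=$?
    cat "$work/custody.log"
    return $rc
}

demo
```

Each call of `image_media` appends one line to the log, so repeated acquisitions of the same media leave a record of every copy made and by whom; `verify_image` is the check to run against the recorded hash before the working copy is opened in any analysis tool.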
Please try to gather as much of the following information as possible before you call:
- Type of computer (e.g. desktop, laptop, server, Mac, UNIX)
- Operating system (e.g. Windows 2000 or Linux Red Hat 6.0)
- Capacity of computer media
- The computer's type of network access and how dependent it was on the network
- The estimated skill level of the computer user in question
- Types of applications used on computer