23.2 Preservation

  • Unplug power from hard drives.

  • If booting the evidence system from an Evidence Acquisition Boot Disk, check the CMOS settings to ensure it is configured to boot from the floppy disk before the hard drive. Also, test booting from the floppy while the hard drives are disconnected to ensure that the system boots successfully from the floppy disk (a faulty floppy drive can prevent booting from a floppy, causing the computer to boot from the hard drive). Another approach is to connect the hard drive to an evidence collection system as discussed in Chapter 9.

  • Note the current date and time and the date/time on the computer (note any discrepancies).

  • Make two copies of all digital evidence to sanitized collection disks (consider making a bitstream copy if there might be valuable evidence in slack space). Whenever possible, check each copy on another computer to ensure that the copy was successful.

  • Check size and integrity of data, to determine if there are hidden partitions or the acquisition was incomplete for some reason.

  • Label, date, and initial all evidence. Include the type of computer (e.g. Digital Alpha, Sun Sparc2), the operating system (e.g. Windows 95, Mac OS, UNIX), and what program(s) and/or command(s) you used to copy the files.

  • Inventory contents of all disks, including attributes such as physical sector location, file creation and modification dates. Ideally, inventory original media to document the directory structure - this provides context for where each file was located on the original system and, upon closer inspection, may reveal files that would otherwise have been overlooked. Calculate the message digest of all files and disks. Also, make a brief note describing the significance of the evidence to help others understand why it was collected. This type of inventory is not only useful for documentation purposes; it also gives an overview of what is on the system, what types of applications are installed, and whether encryption might be used.

23.2.1 If Only a Portion of the Digital Evidence on a Computer is Required

  • Note the current date and time and the date/time on the computer (note any discrepancies). If investigators do not realize that a computer clock is inaccurate, this can skew their crime reconstruction. For instance, if the time a file was created is important, investigators should be sure that they know the actual time the file was created and not an inaccurate time set by the computer.

  • Note full file and path names, date-time stamps, sizes, and MD5 values of files.

  • Compress files into an archive to preserve their date-time stamps and save the archive to sanitized collection disks.

  • Also make two copies of all evidence in uncompressed form to sanitized collection disks. Whenever possible, check each copy on another computer to ensure that the copy was successful.

  • Label, date, and initial all evidence using an indelible felt-tipped pen. Include the name of the operating system (e.g. Windows 95, Mac OS, UNIX) and what program(s) and/or command(s) you used to copy the files.

  • Inventory contents of all disks, including file creation and modification dates. Calculate the message digest of all files and disks. Also, make a brief note describing the significance of the evidence to help others understand why it was collected.
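An added example (not from the book) of the inventory and copy-verification steps listed in 23.2 and 23.2.1: it records path, size, modification stamp and MD5/SHA-256 digests for every file, then compares each collection copy against the original inventory so a damaged copy is caught before it is relied upon. The evidence files, the two copies and the damaged byte are all constructed in a temporary directory.

```python
import hashlib, os, shutil, tempfile
from datetime import datetime, timezone

def hash_file(path, algorithms=("md5", "sha256"), chunk=1 << 20):
    """Digest a file in chunks so large evidence files need not fit in memory."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def inventory(root):
    """Path, size, modification stamp (UTC) and digests for every file under root, empty files included."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            stamp = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
            records.append({"path": os.path.relpath(full, root), "size": st.st_size,
                            "modified": stamp, **hash_file(full)})
    return records

def verify_copies(original, copy):
    """Paths missing from the copy, or whose size/digest differs from the original inventory."""
    by_path = {r["path"]: r for r in copy}
    return [r["path"] for r in original
            if r["path"] not in by_path or any(by_path[r["path"]][k] != r[k] for k in ("size", "md5", "sha256"))]

def demo():
    """Constructed sample: a small evidence set and two collection copies, the second one damaged."""
    base = tempfile.mkdtemp()
    orig, copy1, copy2 = (os.path.join(base, d) for d in ("original", "copy1", "copy2"))
    for rel, data in (("docs/memo.txt", b"meeting at noon\n"), ("ledger.csv", b"date,amount\n"), ("empty.dat", b"")):
        os.makedirs(os.path.dirname(os.path.join(orig, rel)), exist_ok=True)
        with open(os.path.join(orig, rel), "wb") as f:
            f.write(data)                                  # empty.dat is a zero-byte file, still inventoried
    shutil.copytree(orig, copy1)
    shutil.copytree(orig, copy2)
    with open(os.path.join(copy2, "ledger.csv"), "ab") as f:
        f.write(b"x")                                      # one byte appended: this copy no longer matches
    inv = inventory(orig)
    return {"files": sorted(r["path"] for r in inv),
            "empty_md5": next(r["md5"] for r in inv if r["path"] == "empty.dat"),
            "copy1_problems": verify_copies(inv, inventory(copy1)),
            "copy2_problems": verify_copies(inv, inventory(copy2))}
```

Running `demo()` shows the intact copy verifying clean and the altered `ledger.csv` flagged on the second copy; the same inventory records are what you would print and sign for the preservation form.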

23.2.2 Sample Preservation Form



Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279