Secure the Crime Scene

Securing the crime scene requires that the analyst ensure the physical and logical security of components present. Physical security is essential in preserving evidence, reducing potential contamination, and safeguarding the data necessary for a case. For physical scenes, the area surrounding the suspect devices should be secured. Ideally, the physical security specialists on a team will be specifically trained at securing the physical scene, but there might be occasions when the computer investigator is the first to arrive or the only individual present. If so, the following actions should be taken:

  • At a minimum, the office, cubicle, or room in which the equipment resides should be cordoned off with security tape.

  • If possible, the area in question should be locked.

  • Individuals who are not part of the response team should be denied access to the area.

  • Response team members should sign in to the logbook before entering the area.

  • Any items leaving the area must be signed out in the logbook before being removed from the area.

  • No extraneous items should be brought into the area (for example, coffee and pastries).

The physical security of the scene is paramount to avoiding evidence contamination during an investigation, but for the computer analyst, ensuring the physical security of any electronic equipment is only half of the task. Logical security of the data on the equipment must likewise be ensured. The best way to ensure logical security of the data is to make a forensic copy. The acquisition of hard drives and other media is covered in later chapters, but copies of log files that may be overwritten, and of volatile information such as current network connections, may need to be made immediately so that the logical information is safeguarded. Securing the logical scene will be highly dependent on the specific environment, but here are a few items to consider:

  • Remove all unnecessary network connections. Unless one is monitoring current activity as part of the investigation physically or logically, disconnect any segments that are not necessary for the examination. Do not forget about phone lines.

  • Copy volatile data quickly. Volatile data is information that may be altered before more detailed analysis can occur. This can include cell phone received-call logs (another incoming call can push the oldest entry off the list), event logs (which can be set to overwrite once they reach a size limit), cached information (address resolution protocol caches of MAC<->IP translations are notoriously short-lived), and active application information (what is currently on the screen). The copying can be accomplished using a pen and paper, a digital camera, or electronic media.

  • If malicious destruction is suspected, power down the associated devices by removing the power source rather than using the Power Off button. If one encounters a computer on which programs are actively being deleted, cutting power to the system might prevent further destruction.

  • Ensure appropriate power for dynamic memory-based electronic devices. Not all devices have permanent storage or backup batteries (which may lose charge) and, thus, rely on a constant power source to retain information. These may include fax machines, PDAs, and network devices.
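The volatile-data items above, captured in order of volatility with a hashed collection record that acts as the electronic counterpart of the logbook. This is an added example for a current Windows host, not code from the book; the output directory is a placeholder and the case path will differ per investigation.

```powershell
# Added example (not from the book): first-responder volatile data capture on a
# Windows host, most volatile artifacts first, with a manifest recording who
# collected what, when (UTC), and the SHA-256 of each saved copy.
# Run from an elevated PowerShell prompt. $OutDir is an assumed placeholder path.
param(
    [string]$OutDir = "E:\Case-PLACEHOLDER\volatile"   # evidence media, not the suspect disk
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$manifest = Join-Path $OutDir "manifest.txt"
$examiner = "$env:USERDOMAIN\$env:USERNAME"

# Each step is logged with a timestamp and the hash of its output file, so a
# later overwrite or alteration of the copy is detectable.
function Save-Artifact {
    param([string]$Name, [scriptblock]$Collector)
    $path  = Join-Path $OutDir "$Name.txt"
    $start = (Get-Date).ToUniversalTime().ToString("o")
    try {
        & $Collector | Out-File -FilePath $path -Encoding utf8 -Width 4096
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        "$start`t$examiner`t$Name`t$path`tSHA256=$hash" | Add-Content -Path $manifest
    } catch {
        "$start`t$examiner`t$Name`tFAILED: $($_.Exception.Message)" | Add-Content -Path $manifest
    }
}

# ARP cache and live connections change within seconds, so they are taken first.
Save-Artifact "arp-cache"  { Get-NetNeighbor | Format-Table -AutoSize }
Save-Artifact "tcp-conns"  { Get-NetTCPConnection | Sort-Object State | Format-Table -AutoSize }
Save-Artifact "udp-endpts" { Get-NetUDPEndpoint | Format-Table -AutoSize }
Save-Artifact "processes"  { Get-Process | Select-Object Id, ProcessName, StartTime, Path | Format-Table -AutoSize }
# Event log size limits and overwrite policy show which logs are at risk of rolling.
Save-Artifact "eventlog-cfg" {
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Select-Object LogName, LogMode, MaximumSizeInBytes, FileSize, RecordCount |
        Format-Table -AutoSize
}
# Logged-on sessions; what is on the screen itself is photographed, not scripted.
Save-Artifact "sessions" { query user 2>&1 }

# Hash the manifest too, so the whole collection record can be verified later.
$manifestHash = (Get-FileHash -Path $manifest -Algorithm SHA256).Hash
Write-Host "Collection complete. Manifest SHA-256: $manifestHash"
```

Running any tool on the suspect system alters its state (new process, memory and file activity), which is why the manifest records exactly what was run and when.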



Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel
