Chapter 9. Forensics II


Although a forensics examination might be tedious, it is generally a straightforward process. A trained investigator who follows a standard set of rules can be reasonably assured that most of the incriminating data on the media will be found and that the evidence will be admissible. However, there are special cases in which the standard guidelines cannot be followed without variation, or in which the situation presents unique considerations.

For example, the investigator might be asked to conduct a search without alerting the suspect or suspects that a search is occurring. In such a case, the team cannot seize the computer, because the seizure itself would reveal the investigation to the subject. The team might also be asked to investigate systems that cannot, for one reason or another, be taken offline.

Companies might also have legacy systems or applications that are involved in an incident. Although conventional forensics might be able to recover some data, if the data is in a proprietary format, recovery alone is insufficient: the only system capable of reading or interpreting the data may be the very system under investigation. Even the hardware might be proprietary or obsolete. In one incident, some evidence data was stored on 5.25-inch floppy disks, but the forensics equipment had no 5.25-inch floppy drive available. An older PC, destined for the trash heap, had to be cannibalized to provide a means of recovering the data.


Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103