24.1 Preparation



It is good practice to begin a new matter by preparing an organized, sanitized working environment with ample space. In forensic computer analysis, this means preparing adequate and safe media onto which the data to be processed can be copied. As a general rule, we recommend "wiping" (overwriting) a hard drive with a known pattern of data before formatting it to receive the new, case-related data. Wiping the drive prevents cross-contamination between evidence sources, and using a known pattern lets you verify that the wipe was performed correctly: before formatting, every byte of the drive should contain only the overwrite pattern, and after formatting, the empty space should contain nothing else. We also recommend labeling/naming your work drives during formatting so that they remain easily identifiable weeks, months, or years into the future.

Next, create a practical directory structure on the working hard drive. We recommend building a customary set of working directories before processing begins. Besides giving the examiner an organized work environment, this directory structure imposes a structure on the work product that is reproducible and understandable by one's coworkers. The following is a sample directory structure for organizing a Work drive:

  • \Prepare - The root directory to hold files requiring further processing.

  • \Prepare\special - Holds encrypted, compressed, undeleted files prior to further processing.

  • \Prepare\slack - Holds extracted slack space prior to further processing.

  • \Prepare\pcluster - Holds extracted unallocated cluster data prior to further processing.

  • \Review - The root directory to hold the final work product.

  • \Review\files - Holds the reduced set of unprocessed files.

  • \Review\slack - Holds the processed slack space data.

  • \Review\clusters - Holds the processed unallocated cluster data.

  • \Review\processed - Holds other processed data (e.g. decrypted data, expanded zip files, e-mail).

  • \Duplicates - Holds duplicate files.

  • \Accounting - Holds all logs or reports generated in the processing activity. This is the examiner's audit trail.

Note that once the examiner has decided upon a model scheme for organizing data on the Work drive, the directory setup can be automated with a batch file or script. As a final point on beginning preparations, always use read-only devices (hardware write blockers) when operating on the original or source data. The processing steps presented here alter crucial attributes of the files they touch, not least the file date and time stamps. Accordingly, the examiner should always protect his or her source data and work only from copies on the prepared Work drive.
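The three preparation steps above (verify the wipe pattern, build the standard directory set, record what was done in \Accounting) can be scripted. The following is an added example, written for this page rather than taken from the book or any particular forensic tool; it assumes a hypothetical work-drive root passed in by the caller and a hypothetical `preparation.log` file in \Accounting as the audit trail. `verify_wipe` reads a block device or image file end to end and reports the first offset that does not match the overwrite pattern, and `make_work_tree` refuses to build on top of an existing tree so a drive is never silently reused for a second matter.

```python
# Added example (not from the original text): verify a wiped work drive and
# build the per-case directory structure with an audit log in Accounting.
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Directory layout from the section, relative to the work-drive root. Forward
# slashes are used so pathlib emits the right separator on Windows or Unix.
WORK_DIRS = [
    "Prepare", "Prepare/special", "Prepare/slack", "Prepare/pcluster",
    "Review", "Review/files", "Review/slack", "Review/clusters",
    "Review/processed", "Duplicates", "Accounting",
]


def verify_wipe(device, pattern=b"\x00", chunk_size=1 << 20):
    """Read a block device or image file end to end and confirm that every
    byte equals the repeating overwrite pattern.

    Returns (ok, bytes_checked, first_bad_offset). first_bad_offset is None
    when the whole device matches; otherwise it is the offset of the first
    differing byte, which is what belongs in the examiner's log."""
    if not pattern:
        raise ValueError("pattern must be non-empty")
    plen = len(pattern)
    checked = 0
    with open(device, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            # Align the template to where this chunk starts inside the
            # pattern, so short reads at any offset still compare correctly.
            phase = checked % plen
            expected = (pattern * (len(chunk) // plen + 2))[phase:phase + len(chunk)]
            if chunk != expected:
                bad = next(i for i, (a, b) in enumerate(zip(chunk, expected)) if a != b)
                return False, checked + len(chunk), checked + bad
            checked += len(chunk)
    return True, checked, None


def log_entry(root, message):
    """Append a timestamped line to Accounting/preparation.log (hypothetical
    file name), the examiner's audit trail for this matter."""
    log = Path(root) / "Accounting" / "preparation.log"
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with log.open("a", encoding="utf-8") as f:
        f.write(f"{stamp} {message}\n")
    return log


def make_work_tree(root, case_id, examiner):
    """Create the standard directory set under root and open the audit trail.
    exist_ok=False makes mkdir raise if any target directory already exists,
    so a drive that was not freshly wiped and formatted is caught here."""
    root = Path(root)
    created = []
    for rel in WORK_DIRS:
        d = root / rel
        d.mkdir(parents=True, exist_ok=False)
        created.append(d)
    log_entry(root, f"work tree created for {case_id} by {examiner}: "
                    + ", ".join(WORK_DIRS))
    return created


if __name__ == "__main__":
    # Constructed demo: two small image files stand in for wiped drives.
    scratch = Path(tempfile.mkdtemp(prefix="casework_"))
    work = scratch / "WORK"
    make_work_tree(work, "CASE-0001", "examiner")
    clean = scratch / "clean.img"
    clean.write_bytes(b"\xAA\x55" * 4096)
    dirty = scratch / "dirty.img"
    dirty.write_bytes(b"\xAA\x55" * 2000 + b"\x00" + b"\xAA\x55" * 8)
    for img in (clean, dirty):
        ok, n, off = verify_wipe(img, b"\xAA\x55", chunk_size=4096)
        msg = (f"wipe check {img.name}: {'PASS' if ok else 'FAIL'} after {n} bytes"
               + ("" if ok else f", first deviation at offset {off}"))
        print(log_entry(work, msg).read_text(encoding="utf-8").splitlines()[-1])
```

Run `verify_wipe` against the raw device (for example `\\.\PhysicalDrive1` on Windows or `/dev/sdb` on Linux, opened read-only) before formatting; after formatting, the same check can be pointed at an image of the drive's free space. Every call to `log_entry` lands in \Accounting, so the wipe result and the directory creation are both part of the audit trail from the first minute of the matter.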




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279