Guiding Principles


There are two major categories of principles in the conduct of computer forensics. Both are designed to protect the investigator, the evidence, and the rights of the accused.

Ethics

First, the investigator must have the authority to seize and search the computer. In corporate settings, this is normally granted by policy. The company acceptable-use policy should state that the company has the right to conduct a search on any or all company equipment, at any time, for any reason. (Note: Government agencies and contractors working for government agencies might have different requirements. IRT personnel should consult with their legal counsel prior to drafting policies.)

Second, the search should have clearly defined goals. "Fishing expeditions," in which a computer is searched for any evidence of any wrongdoing, have the potential to dramatically impact employee morale. Although the company probably has the legal right to randomly search company assets at any time, this will likely be perceived by employees as an unreasonable invasion of privacy.

Legal Statements in this Chapter

All legal statements in this chapter are generalizations based on best practices in the forensics field and U.S. law. All statements are subject to interpretation and modification by local authorities. Moreover, as in most areas of computer crime, the legal precedents are unclear and constantly changing. Always consult with legal counsel before undertaking any forensics examination.

Conduct of the Examination

There are basic rules to be followed in the conduct of any forensics examination. Although sometimes the specific situation might require an exception to these rules (some exceptions are covered in Chapter 11, "The Human Side of Incident Response"), following these rules will make any eventual legal proceeding much more likely to succeed.

When computer forensics was first introduced, investigators found themselves defending their actions during the course of the examination. In the same way that the defense attempted (and succeeded) to cast doubt on the purity of the DNA evidence in the O.J. Simpson trial, an attorney might attempt to convince the court that the computer evidence has been tampered with or tainted by the investigation. The following rules are designed to make it more difficult to tamper with evidence:

  1. The examination should never be performed on the original media. An exact copy is made of the media, the original is then secured as evidence, and all examinations are performed on the copy.

  2. The copy is made onto forensically sterile media. This means that the target media either is new and still in the shrink-wrap or has been cleaned of all old data. Given the relatively low cost of storage today, new media should always be used if available.

  3. The copy of the evidence must be an exact, bit-by-bit copy. A simple DOS copy is not sufficient because it will not include deleted files, file slack, and other information.

  4. The computer and the data on it must be protected during the acquisition of the media to ensure that the data is not modified. This includes ensuring that the computer operating system does not access the evidence disk at any point in the examination. Specific requirements for media acquisition are provided in the section "Media Acquisition Tools," later in this chapter, but the computer must never be allowed to boot up using the evidence drive.

  5. The examination must be conducted in such a way as to prevent any modification of the evidence. Simply viewing a file will change the attributes of that file. When it is not possible to prevent data modifications, it is even more important to perform the examination on a copy of the media.

  6. The chain of custody of all evidence must be clearly maintained to provide an audit log of who might have accessed the evidence and at what time.

Fortunately, there are checklists and guidelines that provide assistance in maintaining these rules. Some of the forensics software described later in this chapter is specifically designed, for example, to protect the original files from modification.
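The acquisition and custody rules above, as an added example that is not from the book: a POSIX shell script that images evidence media with dd, proves the copy exact by comparing SHA-256 hashes of the original before and after acquisition against the image, refuses to write onto a target that already holds data, and appends a chain-of-custody record that a later check verifies the image against. The log layout, the file paths and the assumption that the host provides sha256sum or shasum are mine.

```shell
#!/bin/sh
# Added example (not from the book): acquire a bit-for-bit image of evidence media,
# prove the copy is exact by hash, log the acquisition for chain of custody, and
# re-verify an image before it is examined. Paths and log layout are assumptions.
set -eu

# SHA-256 of a file; the host is assumed to have sha256sum (GNU) or shasum (BSD/macOS)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE IMAGE CUSTODY_LOG EXAMINER
# SOURCE is the evidence device or file; IMAGE must land on sterile media (rule 2).
acquire_image() {
    src=$1; img=$2; log=$3; examiner=$4
    if [ -e "$img" ]; then
        echo "refusing to write over existing target $img (use sterile media)" >&2
        return 2
    fi
    before=$(hash_file "$src")
    # dd copies every block, so deleted files and slack space come along (rule 3)
    dd if="$src" of="$img" bs=65536
    after=$(hash_file "$src")          # the original must be unchanged by the acquisition
    copy=$(hash_file "$img")
    if [ "$before" != "$after" ] || [ "$before" != "$copy" ]; then
        echo "hash mismatch: original altered or image is not an exact copy" >&2
        return 1
    fi
    # one tab-separated custody record per acquisition: when, who, source, image, hash (rule 6)
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$examiner" \
        "$src" "$img" "$copy" >>"$log"
}

# verify_image IMAGE CUSTODY_LOG
# Run before every examination: the image must still match the hash recorded for it.
verify_image() {
    img=$1; log=$2
    logged=$(awk -F'\t' -v p="$img" '$4 == p { h = $5 } END { print h }' "$log")
    [ -n "$logged" ] || { echo "no custody record for $img" >&2; return 2; }
    [ "$logged" = "$(hash_file "$img")" ]
}
```

Each examination session should start with verify_image and end with a fresh custody entry, so the log shows who touched the copy and that the bits were unchanged when they did.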

Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103