Around The Globe ATG.WORLD

Visit our sister website :

http://www.atg.world/

This is a social network for enthusiasts just like us. No Junk! Only meaningful conversations with the people who share the same enthusiasm as us.

Monday, August 31, 2009

Preservation of Digital Evidence

The forensic engineer should take steps to ensure the safety of all persons at the scene and to protect the integrity of all evidence, both traditional and electronic.
  • Follow jurisdictional policy for securing the crime scene.

  • Ensure that all persons are removed from the immediate area from which evidence is to be collected.

  • Don’t shut down the system before collecting evidence.
    - Volatile evidence may be lost; the attacker may have trojaned the startup and shutdown scripts; Plug and Play may alter the system configuration; and temporary file systems may be wiped out.

  • Don’t run any programs on the affected system.
    - There is the possibility of inadvertently triggering something that could change or destroy evidence.
    - Any programs that must be used should be run from read-only media and should be statically linked, so they do not depend on libraries on the compromised system.

  • Protect perishable (volatile) data physically and electronically.
    - Network information: communication between the system and the network
    - Active processes: programs and daemons currently active on the system
    - Logged-on users: users/employees currently using the system
    - Open files: libraries in use; hidden files; Trojans (rootkits) loaded in the system
    - Hardware: pagers, caller ID boxes, electronic organizers, cell phones
    - All related evidence should be extracted from RAM

  • The forensic engineer must handle the evidence with delicate care and accuracy.
    - Maintain a chain of custody: evidence form and locker.
    - Who collected it, how and why?
    - Who took possession of it?
    - How was it stored and protected?
    - Who took it out of storage, and why?
    - ISPs normally maintain logs for about 30 days.
    - Assign an evidence custodian.
    - Identify and label everything.
    - Case number, description, signature, date and time.
    - Document the CMOS date and time.
    - Photograph/video tape the crime scene.

  • A copy of the digital evidence from the hard drive(s) should be made (disk imaging).

  • Ensure that no possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer.

  • Prevent viruses from being introduced to a computer during the analysis process.

  • Ensure that extracted/relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.
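The chain-of-custody and disk-imaging points above can be tied together with a hash taken at acquisition and a log of every hand-off. The following is an added example, not code from the original post: it uses a constructed byte string as a stand-in for a disk image, a hypothetical custody-record layout, and a placeholder case number, and it shows how re-hashing the image exposes any change made after seizure.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for a dd/forensic image of the seized drive (not a real image).
SAMPLE_IMAGE = b"constructed sample image: MBR + partition table + file system blocks"

def sha256_file(path):
    """Hash in 1 MiB chunks so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

class CustodyRecord:
    """Evidence form (hypothetical layout): case number, description, the hash taken
    at acquisition, and one log entry per hand-off with who / how / why / signature / UTC time."""
    def __init__(self, case_number, description, image_path):
        self.case_number, self.description = case_number, description
        self.image_path = Path(image_path)
        self.acquisition_hash = sha256_file(self.image_path)  # recorded once, at seizure
        self.log = []

    def log_event(self, who, how, why, signature):
        entry = {"when": datetime.now(timezone.utc).isoformat(),
                 "who": who, "how": how, "why": why, "signature": signature}
        self.log.append(entry)
        return entry

    def verify(self):
        """Re-hash the image; a mismatch means it changed after acquisition."""
        return sha256_file(self.image_path) == self.acquisition_hash

def run_demo(workdir=None):
    """Image a constructed drive, log two custody events, then show tamper detection.
    Returns (record, intact_before_tamper, intact_after_tamper)."""
    workdir = Path(workdir or tempfile.mkdtemp())
    image = workdir / "case-0001-drive.img"
    image.write_bytes(SAMPLE_IMAGE)
    rec = CustodyRecord("CASE-0001 (placeholder)", "constructed disk image", image)
    rec.log_event("examiner A", "dd to write-blocked target", "acquisition", "sig-A")
    rec.log_event("custodian B", "sealed in evidence locker", "storage", "sig-B")
    intact = rec.verify()                      # True: nothing touched the image
    with open(image, "ab") as f:               # simulate one appended byte
        f.write(b"\x00")
    return rec, intact, rec.verify()           # second verify returns False
```

Calling run_demo() returns the record together with the verification result before and after the simulated modification, so the same check can be run at every hand-off recorded in the log.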
