/ FEATURE
picions of the subject become public knowledge, the subject may have a case for slander or libel. Note that in this case you may be subject to additional time limitations as well.

/ Secure the scene
• Assuming you are conducting an overt rather than covert investigation, protect the crime scene (which includes the interior state of the system under investigation) from interference or damage by controlling physical access to the scene. This prevents intrusions and interruptions while you are working.
• The first rule of evidence collection, as in first aid and medicine, is to “do no harm”. Whatever actions you take must not damage or corrupt the evidence, particularly the primary evidence at the scene. Be especially careful to follow the procedures exactly in order to prevent scene or evidence contamination by you or other investigators.
• For covert or particularly sensitive investigations, it is always a good idea to work with at least one partner. Then each investigator can testify to the nature of the work done by the other.

/ Decide quickly what to do about any computer systems that are currently running
• Depending on the specific circumstances and relevant policies, you may need to make key decisions at the scene. There is no single correct answer for all situations.
• Will you leave the computer switched on or turn it off? With an uninterruptible power supply (UPS), it is possible to keep a system powered on while transporting it to the forensics laboratory for analysis of live running processes. However, forensic analysis of live systems is a specialized task beyond the scope of this procedure.
• Will you maintain network connectivity or simply disconnect the LAN cable? Cutting off the network connection should contain a network-based intrusion and stop any further outflow of information. But remember that a compromised machine may be using a wireless network connection, so disconnecting the Ethernet cable may not be enough to stop a network compromise in its tracks. Another consideration is that cutting off the network may trigger a ‘scorched-earth’ response (more below).
• It helps to decide in advance what you plan to do in such situations. Of course, if you do not have the technical capability (skills, procedures and tools) to conduct live forensics, there is no point in considering that particular option.

/ If you decide to power-down the system, disconnect the power cable immediately
• Speed is of the essence in this section. The compromise may be continuing right now for as long as it takes you to agonize over the decision, so quickly double-check that the system or systems you are dealing with are in fact the right ones, and disconnect the power cable.
• In the heat of an incident, it is all too easy to pull the wrong cable, perhaps taking an important system offline with potentially serious consequences, not to mention embarrassment for those responsible. Don’t do it!
• Do not run a normal system shutdown because, if the system has been hacked, the hacker may have launched a ‘scorched-earth’ program designed to destroy potentially incriminating information about the compromise (which of course is valuable evidence) during the shutdown sequence. It is a good rule to touch as little as possible – certainly not the keyboard or even the mouse.

/ Plan your approach
• Now that the urgent tasks have been done, you have a breathing space to gather your thoughts and prepare for the remaining activities.
• Open the grab-bag, check the contents, and gather your thoughts. The bag will most likely contain an inventory or checklist, forensics hardware, software, blank storage media, evidence forms, procedures, guidelines and other items that are likely to be useful during the process (e.g. a camera). Make yourself comfortable: this is going to be a long session!
• Consider videotaping the evidence collection procedure to create an additional record of exactly what happens at the scene and perhaps to use for training other investigators and for lessons-learned exercises.

/ Start the forensics paper trail and collect primary evidence
• Create a new unique case identifier if necessary, following your organization’s conventions for case ID formats (for example based on the date of the initial capture of the evidence). This ID will be used on all the paperwork associated with this case.
• Use appropriate forensic techniques for all seizures. Use gloves, evidence bags, tags, etc. when handling physical items, particularly if they might contain valuable fingerprints or DNA evidence.
• Ensure you have the right or permission to examine the evidence. Even where you have authorization from management, it may be worth writing receipts for items taken from the scene. Generally speaking you are obliged to return seized items as soon as possible after seizing and analyzing them.
• Start with the most volatile forms of evidence, the things that might ‘evaporate’ of their own accord or be compromised during the analysis (for example the contents of RAM and perhaps page/swap files). The corresponding tools and techniques should ideally have been prepared and rehearsed in advance to save time.
• Create new unique item numbers for every item of evidence captured. These might include the computer system itself and its hard drives, USB memory sticks, and CD or DVD media. Item numbers are normally just serial numbers appended to the case ID. List all the items on the evidence inventory form.
• Record relevant details about the system and its data storage devices on evidence record forms, one sheet per evidence item.
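The paper-trail steps above (a case ID derived from the capture date, item numbers that are serial numbers appended to the case ID, one record of details per item, and capturing the most volatile evidence first) can be turned into a small inventory helper. The following Python is an added example, not code from the article or its author; the case ID format, the volatility ranking of evidence kinds, and the sample items are all assumptions constructed for illustration.

```python
"""Evidence inventory helper (added example, not from the article).

Models the paper-trail steps the article describes: one case ID per case,
item numbers appended to the case ID as serial numbers, a record of details
per item, and a check that capture order followed volatility
(most volatile first). The ID format and volatility ranks are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed volatility ranking: lower rank = more volatile, capture first.
VOLATILITY = {
    "ram": 0,          # contents of memory
    "swap": 1,         # page/swap files
    "disk": 2,         # internal hard drives
    "removable": 3,    # USB sticks, CD or DVD media
    "system": 4,       # the computer system itself
}


@dataclass
class EvidenceItem:
    """One line of the evidence inventory form plus its record-form details."""
    item_id: str
    kind: str
    description: str
    seized_by: str
    details: dict = field(default_factory=dict)


class CaseInventory:
    def __init__(self, capture_date: date, sequence: int):
        # Assumed case ID convention: date of first capture plus a per-day sequence.
        self.case_id = f"{capture_date:%Y%m%d}-{sequence:03d}"
        self.items: list[EvidenceItem] = []

    def add_item(self, kind: str, description: str, seized_by: str, **details) -> EvidenceItem:
        """Assign the next serial item number under this case ID and record the item."""
        if kind not in VOLATILITY:
            raise ValueError(f"unknown evidence kind: {kind}")
        item_id = f"{self.case_id}-{len(self.items) + 1:03d}"
        item = EvidenceItem(item_id, kind, description, seized_by, dict(details))
        self.items.append(item)
        return item

    def volatility_violations(self) -> list:
        """Pairs (earlier_id, later_id) where a less volatile item was captured
        before a more volatile one, i.e. the recommended order was not followed."""
        violations = []
        for i, earlier in enumerate(self.items):
            for later in self.items[i + 1:]:
                if VOLATILITY[earlier.kind] > VOLATILITY[later.kind]:
                    violations.append((earlier.item_id, later.item_id))
        return violations

    def inventory_form(self) -> str:
        """Render the evidence inventory form as plain text."""
        lines = [f"Case {self.case_id}: {len(self.items)} item(s)"]
        for it in self.items:
            lines.append(f"  {it.item_id}  {it.kind:<10} {it.description}  (seized by {it.seized_by})")
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample case: memory first, then the drive, then the chassis.
    inv = CaseInventory(date(2009, 10, 29), 1)
    inv.add_item("ram", "memory capture to blank media", "Investigator A")
    inv.add_item("disk", "internal hard drive", "Investigator A", serial="CONSTRUCTED-SN-001")
    inv.add_item("system", "desktop workstation", "Investigator B")
    print(inv.inventory_form())
    print("volatility violations:", inv.volatility_violations())
```

Running the module prints the inventory form and an empty violation list for the sample order; adding a swap-file capture after the hard drive would be flagged, which is the kind of check a rehearsed procedure should make before the team leaves the scene.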
DF1_21-26_3rd Feature.indd 23 29/10/09 5:07:58 pm