/ FEATURE
FORENSIC EXAMINATION OF A COMPUTER SYSTEM
A generic technical security procedure
by Gary Hinson and Robert Slade
/ INTERMEDIATE
This paper explains the procedure involved in forensically examining digital evidence such as a hard drive obtained from a computer system allegedly involved in a crime. It does not cover “live forensics” – the forensic analysis of running systems – which requires special skills and techniques beyond the scope of this procedure. It is extremely important that the procedure is followed carefully and systematically, since even minor improvisations or mistakes can compromise (i.e. damage or call into question) the evidence or the analysis. That, in turn, could lead to a court case being dismissed. This is not the place to cut corners.

/ The procedure
Figure 1 shows the key activities in the overall process, in the form of a flowchart. The following sections explain the activities in more detail and include pragmatic guidance.

Figure 1

/ Prepare in advance for forensic investigations
• Prepare a ‘grab bag’ for use by the forensic investigation team when called out, containing suitable tools, storage media, notes on procedure, etc.
• Ensure the investigators are adequately trained to use the tools, and the processes are repeatable and sustainable, regardless of which direction the investigation takes (e.g. whether the analysis is overt or covert).
• Your in-house resources and expertise may not fully cover all aspects of digital forensic analysis (e.g. live forensics); or you may not be sure of always having enough resources to respond immediately. If so, consider identifying and perhaps contracting with external specialists so that you can call them in at short notice, or send properly collected evidence offsite for further analysis in a secure manner. This kind of prearrangement (a form
DF1_21-26_3rd Feature.indd 21 29/10/09 5:07:57 pm