Page 25 of 52
/ FEATURE

/ Further information
The US Department of Justice’s digital forensics process flowchart (PDF) is primarily aimed at investigative team leaders, while their guide for first responders is a helpful briefing to prepare forensics team members for what they ought to be doing when called out.

machine and return it either to secure storage or to the owner, whichever management decides is appropriate.
• The precise dates and times of file activities, records in logs, and incidents are often material to a case since they can establish the exact sequence of key events. Even small timing discrepancies may be enough to raise doubts and discredit the evidence, so be careful.

/ Install a hardware “write blocker” before any captured hard drive is powered up
• This step is vital. While forensic software is designed not to write to drives being copied, you cannot testify to this in court unless you actually wrote the software or have proven the capability beyond all reasonable doubt. The key advantage of using a commercial hardware write blocker is that its suitability has already been established in court. With the write blocker in place protecting the original drive whenever it is powered up, there can be no reasonable claim that you might have inadvertently or deliberately altered data on the disk.
• Important: remember this step in the unlikely event that you ever need to take additional copies of the original evidence for any reason.

/ Create one or more forensic “evidential images” of each original disk
• The types of copy (evidential and working) that you will need, and their relationships to each other and the original evidence, are shown in Figure 2.
• Ideally, use suitable digital forensics hardware (as well as a write-blocker as mentioned above) to take accurate bit-copy images of the hard drives, USB sticks, CDs, DVDs, or whatever original storage media were recovered from the machine.
• It often pays to take multiple evidential images using different forensic software. This may seem excessively cautious and tedious but is definitely better than trying to defend the integrity of a single evidential image later in court, particularly in serious criminal cases.
• Generate both MD5 and SHA1 hashes for the evidential images, and verify the hashes for every evidential image (or image segment) against those calculated from the original media. If you are working with a partner, your partner should validate the hashes and record the results formally as part of the case notes.
• Store the evidential images along with the hash values. Ideally you should store these on DVD or, if too large for a DVD, on external hard drives. These should be purchased especially for this purpose. Do not try to re-use old DVDs or drives – penny-pinching now may destroy the entire case. If the volume of work justifies the expense, you may have access to a disk farm (NAS or SAN) dedicated for forensics. In that case strong logical access controls are required to mirror the physical access controls normally used (for instance to prevent data from different cases mingling, and to cleanse used storage thoroughly before reuse).
• One of the evidential images may be kept in reserve to be given to the counterparty in a court case for their forensic examination, if required. You may also decide to create an ‘insurance copy’ in case the first evidential copy is compromised. This avoids having to take another copy of the original evidence (since each additional access slightly degrades its evidential value). Use one evidential image for your subsequent forensic analyses and remember to keep the chain of custody up to date at every step.

/ Physically secure both the original evidence and all evidential copies
• Store the media containing the evidential images, plus the original hard drives, the system itself (without its battery if it is a laptop) and the associated paperwork in a fireproof safe or other secure area, such as a secure storage facility that is under constant video surveillance or security monitoring.
• Do not remove any evidence unless: (a) you are going to analyze it forensically, in which case you must update the chain-of-custody forms accordingly and protect the items while being examined; or (b) you are taking it to court, or handing it over to law enforcement or legal representatives, in which case you must still maintain the chain of custody; or (c) the case is over and the evidence is no longer required. In any event, your forensics procedures should state who may authorize the removal of evidence from safe storage, and how this authority is recorded.

“If necessary, retrieve any files or other information that the user legitimately needs, on their behalf, from the working copy”

/ Take one or more working copies of one of the evidential image/s
• From now on, you will be examining the working copy or copies. If, for whatever reason, a working copy is damaged or somehow its integrity is brought into question, it can be replaced with a new working copy taken from the evidential image.
• Remove the evidential image from safe storage, completing the chain of custody form.
• Use suitable forensic software to prepare one or more working copies, ideally in the same way that you created the evidential image earlier.
• Take additional copies for other analysts if appropriate, but remember that they may well contain confidential data and should be suitably protected at all times. Don’t just leave them lying around as they could be stolen, copied or damaged.
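The hash step described in the imaging section (generate MD5 and SHA1 for every evidential image or image segment, verify them against the digests taken from the original media, and have a partner record the outcome in the case notes) can be scripted so that the comparison is exact and the result is written down rather than eyeballed. The following Python is an added example, not code from the article or from any forensic product it mentions. The function names, the case-notes record layout, the case identifier and the sample media bytes are all constructed for the example; a real split image would be fed in as a list of file readers, one per segment.

```python
"""Hash an evidential image (possibly split into segments) and verify it
against the digests computed from the original media.
Added example, not the article's own code: file names, case id, analyst
names and the sample media bytes are constructed for illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

ALGORITHMS = ("md5", "sha1")      # the two digests the article asks for
CHUNK_SIZE = 1024 * 1024          # 1 MiB reads keep memory flat on large images


def file_chunks(path: str) -> Iterable[bytes]:
    """Yield one image segment file (e.g. a constructed 'case.001') in chunks."""
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(CHUNK_SIZE)
            if not buf:
                return
            yield buf


def hash_segments(segments: Iterable[Iterable[bytes]]
                  ) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Single pass over every segment: returns the digests of the whole image
    (segments concatenated in order) and a per-segment digest list, so both
    the image and each segment can be checked as the article requires."""
    whole = {name: hashlib.new(name) for name in ALGORITHMS}
    per_segment = []
    for segment in segments:
        seg = {name: hashlib.new(name) for name in ALGORITHMS}
        for chunk in segment:
            for name in ALGORITHMS:
                whole[name].update(chunk)
                seg[name].update(chunk)
        per_segment.append({name: h.hexdigest() for name, h in seg.items()})
    return {name: h.hexdigest() for name, h in whole.items()}, per_segment


def verify_evidential_image(original_hashes: Dict[str, str],
                            segments: Iterable[Iterable[bytes]],
                            case_id: str, verifier: str) -> Dict:
    """Compare the image digests with those from the original media and return
    a case-notes record. 'match' is True only when every algorithm agrees."""
    image_hashes, segment_hashes = hash_segments(segments)
    per_algorithm = {
        name: hmac.compare_digest(image_hashes[name], original_hashes[name].lower())
        for name in ALGORITHMS
    }
    return {
        "case_id": case_id,
        "verified_by": verifier,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "original_media": original_hashes,
        "evidential_image": image_hashes,
        "segments": segment_hashes,
        "per_algorithm": per_algorithm,
        "match": all(per_algorithm.values()),
    }


def split(data: bytes, size: int) -> List[List[bytes]]:
    """Cut constructed in-memory sample media into fixed-size segments."""
    return [[data[i:i + size]] for i in range(0, len(data), size)]


if __name__ == "__main__":
    # Constructed sample: 1 MiB of synthetic "original media".
    media = bytes(range(256)) * 4096
    original, _ = hash_segments([[media]])      # digests of the write-blocked original
    record = verify_evidential_image(original, split(media, 300_000),
                                     "CASE-0001", "analyst A")
    print(json.dumps(record, indent=2))         # record["match"] is True
    # A real split image would be passed as:
    #   [file_chunks("case.001"), file_chunks("case.002"), ...]
```

The whole-image digests are computed across segment boundaries in the same pass as the per-segment digests, so a segmented image is checked against the single hash of the original media without a second read of multi-terabyte data. The record carries the verifier's name and a UTC timestamp so it can be pasted into the case notes as the partner's formal validation; adding a further algorithm is a matter of extending `ALGORITHMS`.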
DF1_21-26_3rd Feature.indd 25 30/10/09 4:26:20 pm