CyberTip 2: Computer Forensics:
First Response for Forensic Evidence Preservation
- Securing the Scene -- Investigator safety
is the first priority; preserve the area for
traditional physical evidence (fingerprints,
etc.); quarantine the computer and sources of
digital evidence, and restrict ALL access to
any computer(s) and digital media.
- If the computer is OFF, DO
NOT TURN IT ON.
Never attempt to turn on a computer without
proper training and tools, or destruction of
evidence will occur.
- If the computer is ON, “seek the assistance
of a trained computer specialist.” If
the computer system is networked or used for
business purposes, a computer specialist should
be consulted before disconnecting. Improper
procedures may damage the system, disrupt
legitimate businesses, and create
liability on the part of the investigator or
officer.
- Photograph and document the scene. When photographing,
make sure that all sides of the computer are
photographed, especially any connections.
- If the computer is a Windows or Macintosh system
(not Unix, Linux, or a server), disconnect the
power cord from the BACK of the computer. DO
NOT turn it off using the power switch; this will
change critical data. Suspects may have wired
the power switch to destroy data.
- Place evidence tape over all drive slots
and the case housing.
- Label each cable at both ends, making sure
that full reassembly is possible.
- Package equipment in protective cases. Use
anti-static bags and protect from any magnetic
fields. DO NOT transport near
radios or electronic equipment.
Always look for other forms of cyberevidence:
electronic organizers; cellular phones; pagers;
facsimile machines; caller ID devices; smart cards;
and storage media: floppies, tapes, compact discs,
hard disks, and removable media.