Computer Evidence Processing Steps


Computer evidence is fragile by its very nature, and the problem is compounded by the potential of destructive programs and hidden data. Even the normal operation of the computer can destroy computer evidence that might be lurking in unallocated space, file slack, or in the Windows swap file.
Therefore, certain steps must be considered for processing any computer evidence. The general computer evidence processing steps are:
  1. Obtain the volatile data (if possible or necessary).
  2. Shut down the computer.
  3. Document the hardware configuration of the system.
  4. Transport the computer system to a secure location.
  5. Make bit stream backups of hard disks and floppy disks.
  6. Mathematically authenticate data on all storage devices.
  7. Document the system date and time.
  8. Make a list of key search words.
  9. Evaluate the Windows swap file.
  10. Evaluate file slack.
  11. Evaluate unallocated space (erased files).
  12. Search files, file slack, and unallocated space for keywords.
  13. Document file names, dates, and times.
  14. Identify file, program, and storage anomalies.
  15. Evaluate program functionality.
  16. Document your findings.
  17. Retain copies of software used.
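The steps above describe a procedure, so here is an added worked example (not code from the original post) that walks through steps 5, 6, 9 to 12, and 16 on a constructed 64-byte disk image. Everything in it is an assumption made for illustration: the 16-byte cluster size, the two-entry file table, and the image contents (one file with 12 bytes of slack, one full cluster, and one unallocated cluster holding an erased-file remnant). The point it makes is that a bit-stream image plus a hash lets you prove the copy is exact, and that a keyword search over the whole image, not just the files the OS lists, is what surfaces data in slack and unallocated space.

```python
import hashlib
import re
from datetime import datetime, timezone

CLUSTER = 16  # constructed: a tiny cluster size so the whole "disk" fits in 64 bytes

# Constructed file table: name -> (first cluster, clusters allocated, logical size in bytes).
# memo.txt owns two clusters (32 bytes) but is only 20 bytes long, so it has 12 bytes of slack.
FILE_TABLE = {
    "memo.txt": (0, 2, 20),
    "notes.txt": (2, 1, 16),
}


def build_image() -> bytes:
    """Constructed 64-byte disk image (4 clusters); cluster 3 belongs to no file."""
    memo = b"Meeting with ACME Co" + b"invoice 4471"  # 20 bytes of file data + 12 bytes of slack
    notes = b"call bank at ten"                       # exactly one full cluster, no slack
    unallocated = b"deleted: invoice"                 # remnant of an erased file
    image = memo + notes + unallocated
    assert len(image) == 4 * CLUSTER
    return image


def acquire_image(device: bytes) -> bytes:
    """Step 5: a bit-stream copy takes every byte, not just the files the OS shows."""
    return bytes(device)


def authenticate(data: bytes) -> dict:
    """Step 6: hash the whole image so any later change to it is detectable."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "md5": hashlib.md5(data).hexdigest()}


def verify_image(original: bytes, image: bytes) -> bool:
    """True when the image is a byte-exact copy of the source device."""
    return len(original) == len(image) and authenticate(original) == authenticate(image)


def classify_offset(offset: int):
    """Steps 9-11: map an image offset to file data, file slack, or unallocated space."""
    for name, (first, count, size) in FILE_TABLE.items():
        start = first * CLUSTER
        logical_end = start + size
        alloc_end = (first + count) * CLUSTER
        if start <= offset < logical_end:
            return "file", name
        if logical_end <= offset < alloc_end:
            return "slack", name
    return "unallocated", None


def keyword_search(image: bytes, keywords) -> list:
    """Step 12: case-insensitive search over the entire image, each hit tagged by region."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), image, re.IGNORECASE):
            region, name = classify_offset(m.start())
            ctx = image[max(0, m.start() - 8): m.end() + 8].decode("latin-1")
            hits.append({"keyword": kw, "offset": m.start(), "region": region,
                         "file": name, "context": ctx})
    return sorted(hits, key=lambda h: h["offset"])


def document_findings(case_id: str, image: bytes, hits: list) -> dict:
    """Step 16: one record tying image hashes, the file listing, and hits to a timestamp."""
    return {
        "case_id": case_id,
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "image_size": len(image),
        "image_hashes": authenticate(image),
        "files": [{"name": n, "size": s, "slack_bytes": c * CLUSTER - s}
                  for n, (_, c, s) in FILE_TABLE.items()],
        "hits": hits,
    }


if __name__ == "__main__":
    device = build_image()
    image = acquire_image(device)
    print("image verified:", verify_image(device, image))
    for h in keyword_search(image, ["invoice", "acme"]):
        print(f"{h['offset']:3d} {h['region']:<11} {h['file'] or '-':<10} "
              f"{h['keyword']!r} ...{h['context']}...")
```

Run as a script it reports the image as verified and lists three hits: "ACME" inside memo.txt's live data, "invoice" in memo.txt's slack (invisible to a normal file read), and a second "invoice" in the unallocated cluster. On a real case the hashes from `authenticate` are what you record at acquisition time and recompute before every later examination; here MD5 is included only because older procedures still call for it, and SHA-256 is the value to rely on.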
Forensicpedia.blogspot.com