Home Computer Forensic Digital Evidence Tips For Handling Digital Evidence

Tips For Handling Digital Evidence

,

Using the preceding "five rules of collecting digital evidence" that i mention last post, you can derive some basic of things that should do’s and don’ts:
  1. Minimize handling and corruption of original data.
  2. Account for any changes and keep detailed logs of your actions.
  3. Comply with the five rules of evidence.
  4. Do not exceed your knowledge.
  5. Follow your local security policy.
  6. Capture as accurate an image of the system as possible.
  7. Be prepared to testify.
  8. Work fast.
  9. Proceed from volatile to persistent evidence.
  10. Don’t shutdown before collecting evidence.
  11. Don’t run any programs on the affected system.

1. Minimize handling and corruption of original data
  • Once you’ve created a master copy of the original data, don’t touch it or the original.
  • Always handle secondary copies. 
  • Any changes made to the originals will affect the outcomes of any analysis later done to copies. 
  • You should make sure you don’t run any programs that modify the access times of all files (such as tar and x-copy).
  • You should also remove any external avenues for change and, in general, analyze the evidence after it has been collected.
2. Account for any changes and keep detailed logs of your actions
  • Sometimes evidence alteration is unavoidable. 
  • In these cases, it is absolutely essential that the nature, extent, and reasons for the changes be documented. 
  • Any changes at all should be accounted for—not only data alteration but also physical alteration of the originals (the removal of hardware components).
3 .Comply with the five rules of evidence
  • The five rules are there for a reason. 
  • If you don’t follow them, you are probably wasting your time and money. 
  • Following these rules is essential to guaranteeing successful evidence collection.
4. Do Not Exceed Your Knowledge
  • If you don’t understand what you are doing, you can’t account for any changes you make and you can’t describe what exactly you did. 
  • If you ever find yourself “out of your depth,” either go and learn more before continuing (if time is available) or find someone who knows the territory. 
  • Never soldier on regardless. You’ll just damage your case.
5. Follow your local security policy
  • If you fail to comply with your company’s security policy, you may find yourself with some difficulties. 
  • Not only may you end up in trouble (and possibly fired if you’ve done something really against policy), but you may not be able to use the evidence you’ve gathered. 
  • If in doubt, talk to those who know.
6. Capture as accurate an image of the system
  • Capturing an accurate image of the system is related to minimizing the handling or corruption of original data. 
  • Differences between the original system and the master copy count as a change to the data. 
  • You must be able to account for the differences.
7. Be prepared to testify
  • If you’re not willing to testify to the evidence you have collected, you might as well stop before you start. 
  • Without the collector of the evidence being there to validate the documents created during the evidence-collection process, the evidence becomes inadmissible. 
  • Remember that you may need to testify at a later time. 
  • No one is going to believe you if they can’t replicate your actions and reach the same results.  
  • This also means that your plan of action shouldn’t be based on trial-and-error.
8. Work fast
  • The faster you work, the less likely the data is going to change. 
  • Volatile evidence may vanish entirely if you don’t collect it in time. 
  • This is not to say that you should rush.
  • You must still collect accurate data. 
  • If multiple systems are involved, work on them in parallel (a team of investigators would be handy here), but each single system should still be worked on methodically. 
  • Automation of certain tasks makes collection proceed even faster.
9. Proceed from volatile to persistent evidence
  • Some electronic evidence is more volatile than others are. 
  • Because of this, you should always try to collect the most volatile evidence first.
10. Don’t shutdown before collecting evidence
  • You should never, ever shutdown a system before you collect the evidence. 
  • Not only do you lose any volatile evidence, but also the attacker may have trojaned (viaa trojan horse) the startup and shutdown scripts, plug-and-play devices may alter the system configuration, and temporary file systems may be wiped out. 
  • Rebooting is even worse and should be avoided at all costs. 
  • As a general rule, until the compromised disk is finished with and restored, it should never be used as a boot disk.
11. Don’t run any programs on the affected system
  • Because the attacker may have left trojaned programs and libraries on the system, you may inadvertently trigger something that could change or destroy the evidence you’re looking for. 
  • Any programs you use should be on read-only media (such as a CD-ROM or a write-protected floppy disk) and should be statically linked.
    

Tips For Handling Digital Evidence Tips For Handling Digital Evidence Reviewed by Unknown on 9:39 AM Rating: 5

No comments:

Subscribe to: Post Comments ( Atom )
Forensicpedia.blogspot.com. Powered by Blogger.