Digital Evidence Collection and Data Seizure
Project Name: Digital Evidence Collection and Data Seizure
Description: This blog will help all forensics investigator for Digital Evidence Collection and Data Seizure
Author: Rohit D Sadgune
Frequently Asked Question on Computer Forensics Investigation
- Checklist of Digital Evidence Collection and Data Seizure
- Make sure that once you’ve created a master copy of the original data, you don’t touch it or the original itself—always handle secondary copies.
- Have procedures in place to document the nature, extent, and reasons for changes to the data.
- Make sure you understand what you are doing, because you have to be able to account for any changes you made and describe exactly what you did. If you ever find yourself out of your depth, either learn more before continuing (if time is available) or find someone who knows the territory.
- Make sure your plan of action is not based on trial and error. No one is going to believe you if they can’t replicate your actions and reach the same results.
- Work fast, so that there is a less likelihood that the data is going to change.
- Always try to collect the most volatile evidence first, because some electronic evidence is more volatile than others. You should proceed from volatile to persistent evidence.
- Never, ever shut down a system before you collect the evidence.
- Avoid rebooting at all costs. It is even worse than shutting a system down and should be avoided. As a general rule, until the compromised disk is finished with and restored, it should never be used as a boot disk.
- Any programs you use should be on read-only media (such as a CD-ROM or a write-protected floppy disk) and should be statically linked. Because the attacker may have left trojaned (trojan horse) programs and libraries on the system, you may inadvertently trigger something that could change or destroy the evidence you’re looking for.
- Make sure your planning stage takes place prior to any investigator arriving at the computer crime scene, including two ways to structure a team of investigators.
- Make sure that you have good case management software. It can go a long way in easing the burden of carrying out a search and seizure.