Best Practices for Computer Forensics in the Field
By Carol L. Stimmel, CCE, Principal, citsf.com
Every effort has been made to ensure the accuracy of the contents at the time of publication. Neither CITSF nor the author gives any guarantee as to the accuracy of the information contained in them, nor accepts any liability with respect to loss, damage, injury or expense arising from any such errors or omissions in the contents of this work.
Introduction
Computer forensic examiners are responsible for technical acuity, knowledge of the law, and objectivity in the course of investigations. Success rests on verifiable and repeatable reported results that represent direct evidence of suspected wrongdoing or potential exoneration. This article establishes a series of best practices for the computer forensics practitioner, representing the best available evidence for defensible work in the field. Best practices are intended to capture those processes that have repeatedly been shown to succeed in use. This is not a cookbook: best practices are meant to be reviewed and applied based on the specific needs of the organization, the case and the case setting.
Job Knowledge
An examiner can only be so informed when they walk into a field setting. In many cases, the client or the client’s representative will provide some information about how many systems are in question, their specifications, and their current state. And just as often, they are critically wrong. This is especially true when it comes to hard drive sizes, cracking laptop computers, password hacking and device interfaces. A seizure that brings the equipment back to the lab should always be the first line of defense, providing maximum flexibility. If you must perform onsite, create a comprehensive working list of information to be collected before you hit the field. The list should be comprised of small steps with a checkbox for each step. The examiner should be completely informed of their next step and not have to “think on their feet.”
Overestimate
Overestimate the time you will require to complete the job by at least a factor of two. This includes accessing the device, initiating the forensic acquisition with the proper write-blocking strategy, filling out the appropriate paperwork and chain of custody documentation, copying the acquired files to another device and restoring the hardware to its initial state. Keep in mind that you may require shop manuals to direct you in taking apart small devices to access the drive, which makes both the acquisition and the hardware restoration harder. Live by Murphy’s Law: something will always challenge you and take more time than anticipated, even if you have done it many times.
Inventory Equipment
Most examiners carry enough variety of equipment to perform forensically sound acquisitions in several ways. Decide ahead of time how you would ideally like to carry out your site acquisition. All of us will see equipment go bad, or some other incompatibility become a show-stopper, at the most critical time. Consider carrying two write blockers and an extra mass storage drive, wiped and ready. Between jobs, make sure to verify your equipment with a hashing exercise. Double-check and inventory all of your kit using a checklist before taking off.
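The hashing exercise mentioned above, as an added example that is not part of the article: the test media is hashed, a write is attempted through the write blocker, and the media is hashed again; unchanged digests mean the blocker held. The device path (e.g. /dev/sdX) and the scratch-file dry run are assumptions of this example, not the author's procedure.

```python
"""Write-blocker hashing exercise (added example): hash the test media, attempt a
write through the blocker, hash again. Identical digests mean the blocker held.
The media path would be the blocked test drive, e.g. /dev/sdX (assumed path)."""
import datetime, hashlib, os, tempfile

def hash_media(path, algorithms=("md5", "sha256"), chunk=1 << 20):
    """Chunked digest of a file or raw block device, several algorithms per pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def attempt_write(path, marker=b"WRITEBLOCK-TEST"):
    """Try to overwrite the first bytes; True if the OS reported success.
    Behind a working blocker this fails or leaves the media unchanged."""
    try:
        with open(path, "r+b") as f:
            f.write(marker)
            f.flush()
            os.fsync(f.fileno())
        return True
    except OSError:
        return False

def verify_write_blocker(path):
    """Before/after comparison; the returned dict is the entry for the kit log."""
    before = hash_media(path)
    reported = attempt_write(path)
    after = hash_media(path)
    return {"media": path,
            "checked_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "before": before, "after": after,
            "os_reported_write": reported,
            "blocker_ok": before == after}

def self_check():
    """Dry run on an unblocked scratch file (constructed): the write must land,
    so the check must report blocker_ok False."""
    with tempfile.TemporaryDirectory() as d:
        scratch = os.path.join(d, "scratch.bin")
        with open(scratch, "wb") as f:
            f.write(b"abc")
        return verify_write_blocker(scratch)
```

Run verify_write_blocker against the blocked test drive and file the returned record with the equipment inventory; a blocker_ok of False, or an os_reported_write of True with changed digests, means the blocker must not go into the field.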