The forensic examination of electronically stored information (ESI) is a science and is treated as such by the courts in most countries. Forensic examiners are usually certified after a course of training which can last several years depending on the depth of knowledge being sought. There are some simple rules that forensic examiners follow so they can preserve the evidence without corruption.
Rule Number One:
If you are not a forensic examiner, you should not touch any computer-related material or equipment at the scene. This scene should be treated as a crime scene, and as a first responder, your job will be to preserve the scene and prevent anyone from contaminating or corrupting it in any way.
Rule Number Two:
Document your observations. Make sure you are at the correct location. Make sure you have your written authorization in your possession (whether a warrant, a subpoena, or written permission from the data owner). Begin the documentation process by placing a small digital audio recorder in your shirt pocket after you turn it on and state your name, date, time zone, location (either address or geopolar coordinates), and your case number if you have one. Do not shut off the recorder until you depart the scene. If you are in a two-party state (where all parties are required to be notified that you are making an audio recording), make sure you obtain oral permission to record from each person you speak to. If they decline to give you that permission, advise them not to speak or leave the scene immediately but do not stop the recording. It will become evidence at some point (usually the moment the recording is stopped), and any break in the record of your activities will diminish the credibility of what you are doing.
Take photographs of EVERYTHING! Take pictures of the area surrounding the building where the computer equipment is located. Make sure the camera can record the date, time, and geopolar coordinates where the picture was taken. Include people in the pictures if they are present. You may need them as your investigation progresses. Photograph the street address of the location of the computer equipment, either on the building itself or at the curb with the building in view.
Begin taking pictures as soon as you enter the building and orally record what you are photographing. If you like, you may use a video recorder, but generally individual pictures are better when your evidence is presented. Remember, too, that if you are relying on the audio portion of the video recorder as your audio record, the audio stops when you shut off the camera. You want to avoid that if you can.
Rule Number Three:
Identify each piece of equipment, including make, model, model number, serial number, purpose (server, workstation, printer, etc.), and description of physical appearance, cables, and power cords plugged into the piece of equipment and where they each go. Record the state of the computer the moment you first see it. Is it turned on or off? Is the screen active? If so, what does it depict? Are any drive, power, or signal lights on? If so, what do they indicate? If this is a crime scene, the crime scene investigators may want to dust for fingerprints, collect physical evidence (hair, fibers from clothing), DNA samples, and other things. Let them do that first but caution them to try not to disturb the state of the computer if they can avoid doing so.
Rule Number Four: (This is the most critical rule of all)
Make a forensically sound copy of the information in random access memory (RAM), graphics memory, and the system’s state. Next, make a forensically sound copy of the magnetic media (hard drives, thumb drives, floppy diskettes, tape backups, etc.). In many cases, depending on your authorization, you will simply power down the equipment after making a copy of memory and state and take everything back to the lab for examination. If you do not know how to make a forensically sound copy of memory or magnetic media, find someone who does and get them to do it. Failure to observe this rule could taint your case to the point where the evidence could become inadmissible because it was altered by someone who didn’t understand the process.
Rule Number Five:
Begin a Chain of Custody Log at the point where you decide to take possession of anything that doesn’t belong to you. Record everything necessary to establish custody, identification of the custodian, identification of the property, location of each item, and disposition.
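An illustration of Rules Four and Five, added here and not part of the original article: it copies a source while hashing the bytes read, re-hashes the copy to confirm the two are identical, and records each hand-off in a custody log whose entries are chained by hash so later edits are detectable. SHA-256 verification, the chaining scheme, the field names, item ID and custodian names are all assumptions of this example, and a temporary file stands in for real media, which would be imaged behind a write blocker with dedicated tools.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone
CHUNK = 1 << 20      # 1 MiB reads, so large media never has to fit in RAM
GENESIS = "0" * 64   # prev_hash of the first log entry

def sha256_file(path):  # hash a file by re-reading it from storage
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image):
    """Copy source (opened read-only) to image; return the hash of the bytes read."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_custody(log, item, custodian, location, disposition, sha256=None):
    """Append a custody entry chained to the previous entry's hash."""
    body = {"time_utc": datetime.now(timezone.utc).isoformat(), "item": item,
            "custodian": custodian, "location": location, "disposition": disposition,
            "sha256": sha256, "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    log.append({**body, "entry_hash": _digest(body)})

def verify_log(log):  # False if an entry was edited, reordered or cut from the middle
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def demo():  # constructed run: a temporary file stands in for the seized media
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "media.bin"), os.path.join(d, "media.img")
        with open(src, "wb") as f:
            f.write(b"constructed sample data" * 4096)
        source_hash = acquire(src, img)
        log = []
        log_custody(log, "ITEM-001", "Examiner A", "scene", "imaged", source_hash)
        log_custody(log, "ITEM-001", "Property clerk", "property room", "stored")
        return source_hash == sha256_file(img), verify_log(log), log
```

`demo()` returns whether the image hash matches the source hash, whether the log chain verifies, and the log itself; changing any field of an earlier entry makes `verify_log` return `False`.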
Rule Number Six:
Create a three-part receipt for the property you take custody of and have the owner of the property sign an acknowledgment that you have taken custody of the property if the owner is present. If the owner is not present, have the person apparently in charge sign the receipt. Then provide that person with the third copy of the receipt. Take the other two with you. Place the original in the case file folder and place the copy with the property when you deposit it into the property room for safekeeping.