Unit 9 Assignment 1
Evidence Collection Policy
Evidence handling is clearly one of the most important aspects of the expanding field of computer forensics. Never-ending innovation in technology keeps best practices in constant flux in an effort to meet industry needs. One of the more recent shifts in evidence handling has been the move away from simply "pulling the plug" as the first step in evidence collection toward methodologies that acquire evidence "live" from a suspect computer. Live forensics collects digital evidence in an order based on the life expectancy of the evidence in question. Simply put, perhaps the most important evidence to be gathered in digital evidence collection today, and for the foreseeable future, exists only in the form of the volatile data held in the computer's RAM.
Order of volatility of digital evidence
1. CPU, cache and register content
2. Routing table, ARP cache, process table, kernel statistics
4. Temporary file system / swap space
5. Data on hard disk
6. Remotely logged data
7. Data contained on archival media
Stand Alone Home Computer
For proper evidence preservation, follow these procedures in order (do not use the computer or search for evidence yourself):
Photograph the computer and the scene.
If the computer is off, do not turn it on.
If the computer is on, photograph the screen.
Collect live data: start with a RAM image (Live Response locally, or remotely via F-Response), then collect other live data as required, such as network connection state, logged-on users, currently executing processes, etc.
If hard disk encryption is detected (using a tool like Zero-View), such as full disk encryption, e.g. PGP Disk, collect a "logical image" of the hard disk using dd.exe or Helix, locally or remotely via F-Response.
Unplug the power cord from the back of the tower. If the computer is a laptop and does not shut down when...
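The live-data step above (RAM first, then network state, logged-on users and running processes) is illustrated by the following added example, which is not part of the assignment: it runs a collection plan strictly in order of volatility, hashes each artifact at capture time and writes a manifest that can later be re-verified. The plan commands, the output directory and the examiner identifier are placeholders to be replaced with the trusted tools used on the suspect system.

```python
# Added example: volatile-data collector that keeps the order of volatility
# and records a hashed manifest for every captured artifact.
import hashlib
import json
import subprocess
import time
from pathlib import Path

# Collection plan, most volatile first. The commands are illustrative
# placeholders; substitute trusted tools for the suspect OS. A RAM image
# is acquired before any of these steps, as the policy requires.
DEFAULT_PLAN = [
    ("process_table", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("network_connections", ["netstat", "-ano"]),
    ("logged_on_users", ["who"]),
]

def sha256_hex(data: bytes) -> str:
    """Hash an artifact at capture time so later alteration is detectable."""
    return hashlib.sha256(data).hexdigest()

def collect(plan, out_dir, examiner="EXAMINER-ID-PLACEHOLDER"):
    """Run the steps strictly in plan order, save each output and log it.
    A missing or failing tool is recorded rather than skipped, so the
    manifest stays complete and the remaining steps still run."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    manifest = []
    for order, (label, cmd) in enumerate(plan, start=1):
        captured_at = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        try:
            proc = subprocess.run(cmd, capture_output=True, timeout=60)
            data, status = proc.stdout, f"exit={proc.returncode}"
        except (OSError, subprocess.TimeoutExpired) as exc:
            data, status = b"", f"failed: {type(exc).__name__}"
        path = out / f"{order:02d}_{label}.bin"
        path.write_bytes(data)
        manifest.append({"order": order, "label": label, "command": cmd,
                         "file": path.name, "sha256": sha256_hex(data),
                         "bytes": len(data), "status": status,
                         "captured_at_utc": captured_at, "examiner": examiner})
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(out_dir) -> list:
    """Re-hash the saved artifacts; return the labels whose hash changed."""
    out = Path(out_dir)
    manifest = json.loads((out / "manifest.json").read_text())
    return [e["label"] for e in manifest
            if sha256_hex((out / e["file"]).read_bytes()) != e["sha256"]]
```

Calling `collect(DEFAULT_PLAN, "live_response_out")` on the suspect machine produces the artifacts plus `manifest.json`; running `verify("live_response_out")` later returns an empty list only if nothing has been altered since capture.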