The experts at DLA listed the following steps every digital forensic investigator should follow to retrieve digital evidence:
1. Secure the computer system to ensure that the equipment and data are safe. This means the detectives must make sure that no unauthorized individual can access the computers or storage devices involved in the search. If the computer system connects to the Internet, detectives must sever the connection.
2. Find every file on the computer system, including files that are encrypted, protected by passwords, hidden or deleted, but not yet overwritten. Investigators should make a copy of all the files on the system. This includes files on the computer's hard drive or in other storage devices. Since accessing a file can alter it, it's important that investigators only work from copies of files while searching for evidence. The original system should remain preserved and intact.
3. Recover as much deleted information as possible using applications that can detect and retrieve deleted data.
4. Reveal the contents of all hidden files with programs designed to detect the presence of hidden data.
5. Decrypt and access protected files.
6. Analyse special areas of the computer's disks, including parts that are normally inaccessible. (In computer terms, unused space on a computer's drive is called unallocated space. That space could contain files or parts of files that are relevant to the case.)
7. Document every step of the procedure. It's important for detectives to provide proof that their investigations preserved all the information on the computer system without changing or damaging it. Years can pass between an investigation and a trial, and without proper documentation, evidence may not be admissible.
8. Be prepared to testify in court as an expert witness in computer forensics. Even when an investigation is complete, the detectives' job may not be done.
All of these steps are important, but the first step is critical. If investigators can't prove that they secured the computer system, the evidence they find may not be admissible. It's also a big job. In the early days of computing, the system might have included a PC and a few floppy disks. Today, it could include multiple computers, disks, thumb drives, external drives, peripherals and Web servers.