642 Chapter 11 • Operational and Organizational Security: Incident Response
Volatile data is any data that may be lost once power is lost. For example, if a
computer is shut down or a power outage occurs, any evidence in the computer’s
Random Access Memory (RAM) will be lost. For this reason, nothing that is powered
on at a scene should be touched until the evidence is ready to be collected. In
other words, if a system is on, leave it on. When an investigator arrives and is ready
to begin collecting data, volatile data should be the first evidence collected.
Exercise 11.02 demonstrates how to obtain volatile data from a Windows machine.
If pagers, cell phones, or other equipment that contains possible evidence and
runs on battery power are involved, they need to be preserved for immediate examination.
Phone numbers, pages received by the person, and other evidence could be lost
once the battery power runs out. Document anything that is visible on the
display of a device, and photograph it if possible.
The same applies to any computers that are turned on at the crime scene.
Information displayed on a computer’s monitor may be lost if the computer is shut
down. Photographing the screen will preserve information that was displayed on
the screen at the time of seizure. If a camera is not available, keep detailed notes on
what appeared on the screen, including any error messages, text in documents, or
other information.
If a system has power, it is advisable to make an image of the computer’s hard
disk before powering it down. Criminals sometimes “booby trap” their systems
with malicious programs that may damage or erase data when the system is shut
down or started up. An image can be created using special software that makes an
exact bitstream duplicate of a disk’s contents, including deleted data that has not
been overwritten. (In some cases, even partially overwritten data can be recovered.)
If the system does not have power when you arrive on the scene, do not start it up.
A duplicate of the hard disk’s contents can be created using imaging software by
booting the system safely from a floppy, preventing any malicious programs from
damaging data.
Disk imaging software creates an exact duplicate of a disk’s contents, and can be
used to make copies of hard disks, CDs, floppies, and other media. Disk imaging
creates a bitstream copy, where each physical sector of the original disk is duplicated.
To make it easier to store and analyze, the image is compressed into an image
file, which is also called an evidence file.
Once an image of a disk has been made, the duplicate disk’s integrity should be
confirmed. Many imaging programs have a built-in ability to perform integrity
checks, while others require the technician to perform checks using separate programs.
Such software may use a cyclic redundancy check (CRC), a checksum, or a hashing
algorithm: the value is computed over the original disk and again over the image,
and a match verifies the accuracy and reliability of the image.
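The following Python script is an added example, not code from the study guide or from any imaging product. It reproduces in miniature what the two preceding paragraphs describe: a sector-by-sector bitstream copy of a source device into an image, compression of that image into an "evidence file", and an integrity check that computes a CRC32 and a SHA-256 hash over the original and over the image and compares them. The "disk" is a constructed in-memory byte string (including a partial trailing sector and an unallocated-looking remnant) so the script runs offline; the device path in the comment is an assumption about how it would be used on real media.

```python
"""Bitstream imaging with integrity verification (added educational example)."""
import hashlib
import io
import zlib

SECTOR_SIZE = 512  # assumed physical sector size of the constructed disk

# Constructed sample "disk": three full sectors plus a 4-byte partial sector.
# On real media the source would be opened read-only, e.g. open("/dev/sdX", "rb")
# (hypothetical path), ideally behind a hardware write blocker.
SAMPLE_DISK = (
    b"MBR".ljust(SECTOR_SIZE, b"\x00")                   # boot sector
    + b"A" * SECTOR_SIZE                                  # allocated file data
    + b"deleted-file-remnant".ljust(SECTOR_SIZE, b"\x00") # unallocated remnant
    + b"tail"                                             # partial last sector
)


def image_device(src, dst, sector_size=SECTOR_SIZE):
    """Copy src to dst one sector at a time; return (sectors, bytes) copied.

    Every sector is copied regardless of whether a filesystem considers it
    allocated, which is why deleted-but-not-overwritten data survives in the
    image. The final read may be shorter than a sector; it is copied as-is.
    """
    sectors = total = 0
    while True:
        chunk = src.read(sector_size)
        if not chunk:
            break
        dst.write(chunk)
        sectors += 1
        total += len(chunk)
    return sectors, total


def hash_stream(stream, sector_size=SECTOR_SIZE):
    """Return (sha256 hex digest, crc32) computed over the whole stream."""
    sha = hashlib.sha256()
    crc = 0
    while True:
        chunk = stream.read(sector_size)
        if not chunk:
            break
        sha.update(chunk)
        crc = zlib.crc32(chunk, crc)
    return sha.hexdigest(), crc & 0xFFFFFFFF


def verify_image(original_bytes, image_bytes):
    """Hash the original and the image independently and compare the results."""
    orig_sha, orig_crc = hash_stream(io.BytesIO(original_bytes))
    img_sha, img_crc = hash_stream(io.BytesIO(image_bytes))
    return {
        "sha256_match": orig_sha == img_sha,
        "crc32_match": orig_crc == img_crc,
        "original_sha256": orig_sha,
        "image_sha256": img_sha,
    }


def write_evidence_file(image_bytes):
    """Compress the raw image into an evidence file (plain zlib here; real tools
    use their own container formats). The hash of record is always taken over
    the raw image, not the compressed container, so it stays comparable to the
    original media."""
    return zlib.compress(image_bytes)


def verify_evidence_file(original_bytes, evidence_bytes):
    """Decompress the evidence file and verify it against the original."""
    return verify_image(original_bytes, zlib.decompress(evidence_bytes))


def acquire_and_verify(disk_bytes=SAMPLE_DISK):
    """Image the (constructed) disk, store it as an evidence file, verify it."""
    src, dst = io.BytesIO(disk_bytes), io.BytesIO()
    sectors, nbytes = image_device(src, dst)
    evidence = write_evidence_file(dst.getvalue())
    result = verify_evidence_file(disk_bytes, evidence)
    result.update(sectors=sectors, bytes=nbytes, evidence_bytes=len(evidence))
    return result


if __name__ == "__main__":
    for key, value in acquire_and_verify().items():
        print(f"{key}: {value}")
```

Two points the script makes concrete: the hash comparison is only meaningful if the original is hashed from the same read-only source that was imaged, and the hash must be recorded over the decompressed image rather than the evidence file container, since compression changes the bytes without changing the evidence. The CRC32 is included because the text mentions it, but a CRC detects accidental corruption only; a cryptographic hash such as SHA-256 is what an examiner would cite to show the image was not altered.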
www.syngress.com