Operational and Organizational Security: Incident Response • Chapter 11  643

When ready to perform an examination, copies of data should be made on media that is forensically sterile, which means that the disk has no other data on it and no viruses or defects. This prevents mistakes involving data from one case mixing with other data, as can happen with cross-linked files or when copies of files are mixed with others on a disk. When providing copies of data to investigators, defense lawyers, or the prosecution, the media used to distribute copies of evidence should also be forensically sterile.

While the situations involving each type of computer equipment will be different, there are a number of common steps that can be followed to protect the integrity and prevent the loss of evidence. These procedures assume the computer was shut down when you encountered it.

1. Photograph the monitor screen(s) to capture the data displayed there at the time of seizure. Be aware that more than one monitor can be connected to a single computer; modern OSes such as Windows 2000 and Windows XP support spreading the display across as many as ten monitors. Monitors attached to the computer but turned off could still be displaying parts of the desktop and open applications.

2. Take steps to preserve volatile data.

3. Make an image of the disk(s) to work with so that the integrity of the original can be preserved. This step should be taken before the system is shut down, in case the owner has installed a self-destruct program to activate on shutdown or startup.

4. Check the integrity of the image to confirm that it is an exact duplicate, using a CRC or other program that uses a checksum or hashing algorithm to verify that the image is accurate and reliable.

5. Shut down the system safely according to the procedures for the OS that is running.

6. Photograph the system setup before moving anything, including the back and front of the computer showing where the cables and wires are attached.

7. Unplug the system and all peripherals, marking/tagging each piece as it is collected.

8. Use an antistatic wrist strap or other grounding method before handling equipment, especially circuit cards, disks, and other similar items.
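The two checks that can be automated from the procedure above are confirming that the target media is forensically sterile (reads back as nothing but zero bytes) and confirming in step 4 that the image is an exact duplicate of the original by comparing hashes. The following Python is an added example written for this page, not code from the book; it works on constructed in-memory byte strings standing in for a source drive and its image, and the function names (hash_stream, verify_image, is_forensically_sterile, manifest_line) are this example's own. On real media the same functions would be fed the opened block device and the image file.

```python
"""Image verification helpers in the spirit of step 4 (added example, not from the book)."""
import hashlib
import io
from typing import BinaryIO, Dict, Tuple

CHUNK = 1 << 16  # read 64 KiB at a time so a multi-gigabyte image is never loaded whole


def hash_stream(stream: BinaryIO,
                algorithms: Tuple[str, ...] = ("md5", "sha256")) -> Dict[str, str]:
    """Read the stream once and return a hex digest for each requested algorithm.

    Recording more than one algorithm is common practice in evidence logs:
    a later reader can re-verify with whichever tool they have available.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source: BinaryIO, image: BinaryIO) -> bool:
    """True only if every digest of the image equals the same digest of the source.

    A single flipped bit anywhere in the image changes the digests and fails
    the check, which is exactly the property step 4 relies on.
    """
    return hash_stream(source) == hash_stream(image)


def is_forensically_sterile(media: BinaryIO) -> bool:
    """True if the media contains only zero bytes, i.e. no data from any other case."""
    while True:
        block = media.read(CHUNK)
        if not block:
            return True
        if block.count(0) != len(block):  # any non-zero byte means residual data
            return False


def manifest_line(digests: Dict[str, str], label: str) -> str:
    """Format one sha256sum-style line ("<hex>  <name>") for the evidence log."""
    return f"{digests['sha256']}  {label}"


# Constructed sample data: a repeating byte pattern standing in for a small drive.
SAMPLE_SOURCE = bytes(range(256)) * 300          # 76,800 bytes
SAMPLE_IMAGE = SAMPLE_SOURCE                      # a faithful copy
_tampered = bytearray(SAMPLE_SOURCE)
_tampered[7] ^= 0x01                              # one flipped bit
SAMPLE_BAD_IMAGE = bytes(_tampered)


if __name__ == "__main__":
    print("good image matches:", verify_image(io.BytesIO(SAMPLE_SOURCE), io.BytesIO(SAMPLE_IMAGE)))
    print("tampered image matches:", verify_image(io.BytesIO(SAMPLE_SOURCE), io.BytesIO(SAMPLE_BAD_IMAGE)))
    print("zeroed media sterile:", is_forensically_sterile(io.BytesIO(bytes(100_000))))
    print(manifest_line(hash_stream(io.BytesIO(SAMPLE_SOURCE)), "sample-source.dd"))
```

Because hash_stream reads each input only once and keeps every digest in lock-step, the cost of recording two algorithms is the same single pass over the media as recording one; on a real acquisition the source should be opened read-only (or through a write blocker) so that the verification read cannot itself alter the original.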






                                                                              www.syngress.com