Operational and Organizational Security: Incident Response • Chapter 11 645
5. Close the command prompt window.
Collection of Evidence
Collection is the practice of identifying, processing, and documenting evidence.
When collecting evidence, always start by identifying what evidence is present and
where it is located. For example, if someone breaks into a server room and changes
permissions on the server, the room and server would be where to find evidence.
To establish this, the scene is secured, preventing others from entering the area and
accessing the evidence. If the area was not secured, suspects could enter the area
and alter or contaminate evidence. For example, if fingerprints are being taken to
determine who broke into a server room, merely touching the door and other
items in the room would distort any findings. Maybe the perpetrator left the
fingerprints during the process of breaking in, or maybe they were left by someone
else when the crime scene was insecure.
Once the evidence present is identified, investigators are then able to identify
how the evidence can be recovered. Evidence on computers can be obtained in a
variety of ways, from viewing log files to recovering the data with special software
such as the following:
■ SafeBack SafeBack has been marketed to law enforcement agencies since
1990 and used by the FBI and the Criminal Investigation Division of the
Internal Revenue Service (IRS) to create image files for forensics
examination and evidentiary purposes. It is capable of duplicating individual
partitions or entire disks of virtually any size, and the image files can be
transferred to Small Computer System Interface (SCSI) tape units or
almost any other magnetic storage media. SafeBack contains CRC
functions to check the integrity of the copies, and date and timestamps to
maintain an audit trail of the software’s operations. The vendor also
provides courses to train forensics specialists in the use of the software,
providing computer evidence in court, and policy management and risk
analysis. (The company does not provide technical support to individuals
who have not undergone this training.) SafeBack is DOS-based and can
be used to copy DOS, Windows, and UNIX disks on Intel-compatible
systems. Images can be saved as multiple files for storage on CDs or other
www.syngress.com
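The two properties the text attributes to imaging tools like SafeBack, an integrity check on the copy and a timestamped audit trail of each operation, are shown below in a small Python script added here as an example; it is not SafeBack's code or the book's. It works on an ordinary file standing in for a disk (the `demo()` sample content is constructed), and adds SHA-256 alongside the CRC32 the text mentions, since CRC alone does not resist deliberate alteration.

```python
import hashlib
import json
import os
import tempfile
import zlib
from datetime import datetime, timezone
CHUNK = 1024 * 1024  # stream in 1 MiB pieces so a large image never sits in memory

def digest_file(path):
    """Return (CRC32 hex, SHA-256 hex) of a file, computed in one streamed pass."""
    crc, sha = 0, hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return f"{crc & 0xFFFFFFFF:08x}", sha.hexdigest()

def image_disk(source, image_path, audit_log):
    """Copy source to image_path byte for byte, re-read the image and confirm its
    digests match the source. Every step is appended to audit_log with a UTC
    timestamp (the audit trail). Returns True only if the image verifies."""
    def log(event, **fields):
        with open(audit_log, "a") as f:
            f.write(json.dumps({"time": datetime.now(timezone.utc).isoformat(),
                                "event": event, **fields}) + "\n")
    src_crc, src_sha = digest_file(source)
    log("source_hashed", source=source, crc32=src_crc, sha256=src_sha)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    log("image_written", image=image_path, size=os.path.getsize(image_path))
    img_crc, img_sha = digest_file(image_path)
    ok = (img_crc, img_sha) == (src_crc, src_sha)
    log("image_verified" if ok else "image_mismatch", crc32=img_crc, sha256=img_sha)
    return ok

def demo():
    """Constructed sample: a small fake 'disk' file is imaged and verified, then
    one byte of the image is altered to show the recorded digests catch it."""
    work = tempfile.mkdtemp()
    disk, image, log = (os.path.join(work, n) for n in ("disk.bin", "disk.img", "custody.log"))
    with open(disk, "wb") as f:
        f.write(b"MBR\x55\xaa" + bytes(range(256)) * 40)  # constructed, not a real disk
    verified = image_disk(disk, image, log)
    with open(image, "r+b") as f:  # simulate alteration of the image after acquisition
        f.seek(10)
        f.write(b"\x00")
    with open(log) as f:
        events = [json.loads(line)["event"] for line in f]
    return {"verified": verified, "tamper_detected": digest_file(image) != digest_file(disk), "events": events}
```

Calling `demo()` returns a dictionary whose `events` list is the audit trail written to `custody.log`; the digests recorded there are what an examiner later compares against the image to show it is unchanged.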