How It Works
While the circumstances of each case will differ, some elements are common to most computer forensic investigations. Here are some actions you should take:
- Secure the computer system to prevent it from being altered or tampered with by the investigators, third parties or automated processes such as viruses or other types of malware. Unless you can't avoid it, never analyze data using the machine it was collected from.
- Make exact, forensically sound copies of data storage devices, including all hard drives. Do not change date/time stamps or alter data itself. Do not overwrite unallocated space, which may happen when rebooting. Specialized equipment is available to speed and facilitate the forensic copying of hard drives.
- Identify and discover all files on the system, including normal files, deleted-yet-remaining files, hidden files, password-protected files and encrypted files.
- Recover deleted files as much as possible. Pay special attention to specific areas of the hard drive, including boot sectors, page files and temporary or swap files used by application programs and by the operating system. Look at unallocated space (i.e., marked as currently unused), as well as the unoccupied space at the end of a file in the last assigned disk cluster after the end-of-file marker. Either area, though not considered a part of an active file, might hold relevant data from a different file or version of a document.
- Maintain a full audit log of your activities throughout the investigation, and produce a detailed report at the end.
Kay is a Computerworld contributing writer in Worcester, Mass. You can contact him at russkay@charter.net.
Related Articles and Blogs
- See additional Computerworld QuickStudies
- So You Want to Be a Digital Detective?
- Book excerpt: File System Forensic Analysis
- Electronic discovery
- Preston Gralla: Was porn-surfing teacher wrongly found guilty?
- Alex Scoble: Got hacked? 11 things to do next