Best Practices for Computer Forensics inside the Field

Computer forensic examiners are liable for technical acuity, the expertise of the law, and objectivity in the course of investigations. Success is principled upon verifiable and repeatable pronounced outcomes that represent direct evidence of suspected wrong-doing or capacity exoneration. This article establishes a sequence of excellent practices for the computer forensics practitioner, representing the exceptional evidence for defensible solutions in the subject. Best practices themselves are meant to seize the one’s techniques which have time and again shown to achieve the success of their use. This isn’t always a cookbook. Best practices are supposed to be reviewed and carried out based totally at the unique wishes of the enterprise, the case and the case putting.

Job Knowledge

An examiner can only be so informed when they walk into a subject placing. In many instances, the client or the consumer’s representative will offer some statistics approximately what a number of structures are in the query, their specifications, and their cutting-edge nation. And just as frequently, they are seriously incorrect. This is mainly proper on the subject of hard drive sizes, cracking computer systems, password hacking, and device interfaces. A seizure that brings the system returned to the lab need to usually be the first line of protection, offering the most flexibility. If you need to perform onsite, create a comprehensive operating list of records to be gathered earlier than you hit the sphere. The list must be comprised of small steps with a checkbox for each step. The examiner has to be completely knowledgeable of their subsequent step and no longer need to “suppose on their toes.”


Overestimate attempt via at the least an aspect of two the quantity of time you’ll require to finish the process. This consists of getting access to the tool, initiating the forensic acquisition with the proper write-blocking off approach, filling out the proper office work and chain of custody documentation, copying the received files to any other tool and restoring the hardware to its initial country. Keep in thoughts that you may require shop manuals to direct you in taking apart small gadgets to get admission to the force, growing more difficulty in engaging in the purchase and hardware restoration. Live by way of Murphy’s Law. Something will constantly task you and take extra time than expected — even when you have carried out it commonly.

Inventory Equipment Most examiners have sufficient of a selection of equipment that they can carry out forensically sound acquisitions in several approaches. Decide in advance of the time the way you would love to ideally carry out your website acquisition. All people will see equipment cross terrible or a few other incompatibilities turn out to be a show-stopper at the most critical time. Consider carrying write blockers and a further mass storage pressure, wiped and prepared. Between jobs, make certain to confirm your system with a hashing exercise. Double-Check and stock all your package the use of a tick list earlier than setting out.

Flexible Acquisition

Instead of trying to make “satisfactory guesses” about the precise length of the consumer hard force, use mass storage devices and if space is an trouble, an acquisition format in order to compress your statistics. After accumulating the information, copy the statistics to any other vicinity. Many examiners limit themselves to standard acquisitions where the machine is cracked, the power eliminated, positioned in the back of a write-blocker and bought. There also are other techniques for an acquisition made available by way of the Linux working device. Linux booted from a CD pressure, allows the examiner to make a raw replica without compromising the difficult power. Be familiar sufficient with the manner to apprehend how to acquire hash values and other logs. Live Acquisition is likewise mentioned on this record. Leave the imaged power with the attorney or the client and take the replica lower back for your lab for analysis.

Pull the Plug

Heated discussion occurs about what one should do when they encounter a going for walks device. Two clear choices exist; pulling the plug or performing a smooth shutdown (assuming you can log in). Most examiners pull the plug, and that is the high-quality way to keep away from allowing any type of malevolent process from strolling that can delete and wipe information or a few other similar pitfalls. It also allows the examiner to get entry to create an image of the swap documents and different gadget statistics as it turned into ultimate running. It ought to be referred to that pulling the plug can also damage some of the documents strolling on the system, making them unavailable to examination or user get entry to. Businesses occasionally choose a smooth shutdown and have to accept the selection after being defined the effect. It is crucial to record how the gadget changed into introduced down because it might be honestly important understanding for analysis.

Live Acquisitions

Another option is to carry out a live acquisition. Some outline “stay” as a running device as it is observed, or for this motive, the machine itself will be going for walks during the acquisition in some manner. One method is beside into a customized Linux environment that includes enough support to seize a picture of the hard drive (often amongst different forensic abilities), however, the kernel is changed to never contact the host laptop. Special versions additionally exist that permit the examiner to leverage the Window’s autorun feature to perform Incident Response. These require a complicated information of both Linux and enjoy with laptop forensics. This form of acquisition is right whilst for time or complexity reasons, disassembling the system isn’t always an affordable option.

The Fundamentals

An amazingly brazen oversight that examiners often make is neglecting besides the device as soon as the difficult disk is out of it. Checking the BIOS is genuinely essential to the potential to carry out a fully-verified evaluation. The time and date said in the BIOS must be suggested, especially while time zones are a difficulty. A wealthy style of different statistics is available depending on what the producer wrote the BIOS software. Remember that force manufacturers may additionally hide sure regions of the disk (Hardware Protected Areas) and your acquisition tool ought to be able to make a full bitstream reproduction that takes that under consideration. Another key for the examiner to apprehend is how the hashing mechanism works: Some hash algorithms may be most effective to others not necessarily for their technological soundness, but for how they will be perceived in a courtroom scenario.

Store Securely

Acquired pics ought to be saved in covered, non-static surroundings. Examiners should have access to a locked secure in a locked workplace. Drives ought to be stored in antistatic baggage and guarded by means of the usage of non-static packing materials or the original transport fabric. Each pressure must be tagged with the patron call, attorney’s office, and proof variety. Some examiners copy power labels on the copy system if they have to get right of entry to one during the acquisition and this has to be stored with the case paperwork. At the give up of the day, each drive has to link up with a sequence of custody file, a task, and a proof range.

Establish a Policy

Many customers and legal professionals will push for a right away acquisition of the computer after which sit at the proof for months. Make clean with the attorney how long you’re willing to preserve the proof at your lab and fee a garage charge for essential or largescale jobs. You can be storing vital evidence to against the law or civil motion and while from an advertising perspective it could appear like a good concept to preserve a copy of the pressure, it is able to be better from the angle of the case to go back all copies to the lawyer or purchaser with the correct chain of custody documentation.


Computer examiners have many picks about how they will carry out an onsite acquisition. At the identical time, the onsite acquisition is the maximum risky surroundings for the examiner. Tools may additionally fail, time constraints may be severe, observers can also upload strain, and suspects can be the gift. Examiners want to take significantly the preservation of their tools and improvement of ongoing knowledge to analyze the fine techniques for each situation. Utilizing the nice practices herein, the examiner should be prepared for nearly any situation they may face and have the ability to set affordable desires and expectations for the effort in question.

Randall J. Lopez

Read Previous

Cybercriminals – Cowardly Thugs Hiding Behind Computer Screens

Read Next

Remote Patient Monitoring Using Mobile and Cloud Computing