    Date: 21.05.2024
    Size: 430,06 Kb.
    #248066
    Type: Guide

    Seizing Stand Alone Computers and Equipment: To prevent the alteration of digital evidence during collection, first responders should first document any activity on the computer, components, or devices by taking a photograph and recording any information on the screen. Responders may move a mouse (without pressing buttons or moving the wheel) to determine if something is on the screen. If the computer is on, calling on a computer forensic expert is highly recommended as connections to criminal activity may be lost by turning off the computer. If a computer is on but is running destructive software (formatting, deleting, removing or wiping information), power to the computer should be disconnected immediately to preserve whatever is left on the machine.
    Office environments provide a challenging collection situation due to networking, potential loss of evidence and liabilities to the agency outside of the criminal investigation. For instance, if a server that is providing a service to outside customers is turned off during seizure, the loss of service to the customer may be very damaging. In addition, office equipment that could contain evidence such as copiers, scanners, security cameras, facsimile machines, pagers and caller ID units should be collected.
    Computers that are off may be collected into evidence as per usual agency digital evidence procedures.

    How and Where the Analysis is Performed


    Exploiting data in the laboratory: Once the digital evidence has been sent to the laboratory, a qualified analyst will take the following steps to retrieve and analyze data:

    1. Prevent contamination: It is easy to understand cross contamination in a DNA laboratory or at the crime scene, but digital evidence has similar issues which must be prevented by the collection officer. Prior to analyzing digital evidence, an image or work copy of the original storage device is created. When collecting data from a suspect device, the copy must be stored on another form of media to keep the original pristine. Analysts must use ‘clean’ storage media to prevent contamination—or the introduction of data from another source. For example, if the analyst were to put a copy of the suspect device on a CD that already contained information, that information might be analyzed as though it had been on the suspect device. Although digital storage media such as thumb drives and data cards are reusable, simply erasing the data and replacing it with new evidence is not sufficient. The destination storage unit must be new or, if reused, it must be forensically ‘wiped’ prior to use. This removes all content, known and unknown, from the media.
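An added example (not part of the original guide) of the clean-media rule in step 1: it refuses to image onto a destination that still holds data, then checks the work copy against the original by SHA-256. The function names, the all-zero wipe pattern and the hash comparison are assumptions of this example, not procedures stated in the guide.

```python
import hashlib

CHUNK = 1024 * 1024  # 1 MiB reads keep memory use flat on large media

def first_residual_offset(path, pattern=0x00):
    """Offset of the first byte that is not the wipe pattern, or None if clean."""
    offset = 0
    with open(path, "rb") as media:
        while block := media.read(CHUNK):
            if block.count(pattern) != len(block):
                return offset + next(i for i, b in enumerate(block) if b != pattern)
            offset += len(block)
    return None

def sha256_prefix(path, length):
    """SHA-256 of the first `length` bytes of a file or device."""
    digest, remaining = hashlib.sha256(), length
    with open(path, "rb") as f:
        while remaining > 0:
            block = f.read(min(CHUNK, remaining))
            if not block:
                break
            digest.update(block)
            remaining -= len(block)
    return digest.hexdigest()

def make_work_copy(source, destination):
    """Image `source` onto `destination` only if the destination is verified clean.

    Returns (sha256 hex digest, bytes copied); raises ValueError on residual
    data or on a copy that does not hash-match the original."""
    residual = first_residual_offset(destination)
    if residual is not None:
        raise ValueError(f"destination not wiped: residual data at byte {residual}")
    digest, copied = hashlib.sha256(), 0
    # Source is opened read-only; "r+b" writes in place, as on a block device.
    with open(source, "rb") as src, open(destination, "r+b") as dst:
        while block := src.read(CHUNK):
            digest.update(block)
            dst.write(block)
            copied += len(block)
    if sha256_prefix(destination, copied) != digest.hexdigest():
        raise ValueError("work copy does not match the original")
    return digest.hexdigest(), copied

if __name__ == "__main__":
    import sys
    print(make_work_copy(sys.argv[1], sys.argv[2]))
```

The residual-data offset in the error message shows where leftover content from an earlier use begins, which is the contamination the step warns about.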

