    Isolate Wireless Devices: Cell phones and other wireless devices should be initially examined in an isolation chamber, if available. This prevents connection to any networks and keeps evidence as pristine as possible. The Faraday bag can be opened inside the chamber and the device can be examined and its data extracted, including phone information, Federal Communications Commission (FCC) information, SIM cards, etc. The device can be connected to analysis software from within the chamber. If an agency does not have an isolation chamber, investigators will typically place the device in a Faraday bag and switch the phone to airplane mode to prevent reception. Airplane mode is a weaker control than shielding: it can be toggled off by the user or by a remote-wipe instruction received the moment the bag is opened, and Wi-Fi or Bluetooth may be re-enabled independently, so the bag should be opened only in a shielded environment and the radio state documented before and after.

    1. Install write-­‐blocking: To prevent any change to the data on the device or media, the analyst connects the original through a write blocker (hardware, or software where hardware is unavailable) so that its contents can be read and imaged but nothing can be written or added. The analyst hashes the original and the resulting image, confirms the hashes match, and performs all further examination on that working copy rather than on the original.

    2. Select extraction methods: Once the working copy is created, the analyst will determine the make and model of the device and select extraction software designed to most completely ‘parse the data,’ or view its contents.

    3. Submit device or original media for traditional evidence examination: Once the data has been extracted and a verified working copy exists, the device is returned to evidence. There may be DNA, trace, fingerprint, or other evidence that may be obtained from it, and the digital analyst can now work without it.

    4. Proceed with investigation: At this point, the analyst will use the selected software to view data. The analyst will be able to see all the files on the drive, can see if areas are hidden, and may be able to reconstruct the file system structure so that hidden areas can be viewed. Deleted files are also visible, as long as they haven’t been over‐written by new data; where only the file system entry is gone, the content can still be recovered from unallocated space by its file signature. Partially deleted or partially overwritten files can be of value as well.
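The four steps above, worked through on a constructed raw image (added example, not code from the guide): the working copy is hashed before and after examination to show it was not altered, and deleted files are carved out of unallocated space by header and footer signature, including one whose tail was overwritten. The image contents, the signature table and the function names are assumptions made for this illustration; the signatures themselves are the standard JPEG and PNG markers.

```python
"""Integrity check of a working copy plus signature carving of deleted files."""
import hashlib

# Constructed sample image (not a real acquisition): one live text file, a
# deleted JPEG and a deleted PNG in unallocated space, and a JPEG whose
# footer was overwritten by new data so only its head survives.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"A" * 40 + b"\xff\xd9"
PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"B" * 30
       + b"\x00\x00\x00\x00IEND\xaeB`\x82")
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"C" * 20  # footer gone, partially overwritten

# Header / footer pairs used for carving (assumed table; extend as needed).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def build_sample_image() -> bytes:
    """Lay the sample files out with zero-filled unallocated space between them."""
    return (b"live-file.txt contents\n" + b"\x00" * 64 + JPEG + b"\x00" * 32
            + PNG + b"\x00" * 16 + TRUNCATED_JPEG + b"\x00" * 64)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(original: bytes):
    """Step 1: produce the working copy and the hash that ties it to the original."""
    image = bytes(original)          # the copy is what every later step reads
    return image, sha256(image)


def verify_copy(image: bytes, expected_hash: str) -> bool:
    """Re-hash the working copy; any mismatch means it was modified."""
    return sha256(image) == expected_hash


def _next_header(image: bytes, start: int) -> int:
    """Offset of the nearest known header at or after `start` (bounds a torn file)."""
    hits = [image.find(h, start) for h, _ in SIGNATURES.values()]
    hits = [h for h in hits if h != -1]
    return min(hits) if hits else len(image)


def carve(image: bytes, max_len: int = 1 << 20):
    """Step 4: return (type, offset, data, complete) for every signature found.

    A file whose footer is missing is reported as incomplete and cut at the
    next known header, with trailing zero fill stripped.
    """
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_len)
            if end == -1:
                stop = _next_header(image, pos + len(header))
                found.append((ftype, pos, image[pos:stop].rstrip(b"\x00"), False))
            else:
                end += len(footer)
                found.append((ftype, pos, image[pos:end], True))
            pos = image.find(header, pos + 1)
    found.sort(key=lambda f: f[1])
    return found


def examine(original: bytes):
    """Run the procedure end to end and prove the working copy stayed unchanged."""
    image, digest = acquire(original)
    files = carve(image)
    return files, verify_copy(image, digest)


if __name__ == "__main__":
    files, intact = examine(build_sample_image())
    print("working copy intact:", intact)
    for ftype, off, data, complete in files:
        print(f"{ftype} at offset {off}: {len(data)} bytes, complete={complete}")
```

In practice the hashing is done with the acquisition tool and recorded in the case notes, and the carving is done by the extraction software chosen in step 2; the point of the example is what those tools are doing underneath and why a torn file still shows up.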

    Files on a computer or other device are not the only evidence that can be gathered. The analyst may have to work beyond the hardware to find evidence that resides on the Internet, including chat rooms, instant messaging, websites and other networks of participants or information. By using the system of Internet addresses, email header information, time stamps on messaging and other embedded metadata, the analyst can piece together strings of interactions that provide a picture of activity.
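One concrete form of the header analysis mentioned above, as an added example that is not part of the guide: the Received headers of a message are parsed to rebuild the relay path, with the originating address and the time each hop took. The message is constructed for the illustration (documentation address ranges, invented hostnames and IDs); the function names are assumptions. Only the Received lines added by servers the investigator controls or trusts can be taken at face value, since a sender can forge the lines beneath them.

```python
"""Reconstruct a message's relay path from its Received headers."""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (not real traffic). Each relay prepends its own
# Received line, so the last Received header is the first hop.
RAW_MESSAGE = b"""Received: from mx2.example.org (mx2.example.org [203.0.113.5])
    by mail.example.com with ESMTPS id abc123;
    Mon, 6 May 2024 14:02:10 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx2.example.org with ESMTP id def456;
    Mon, 6 May 2024 14:01:58 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
    by relay.example.net with ESMTPA id ghi789;
    Mon, 6 May 2024 16:01:30 +0200
From: sender@example.net
To: victim@example.com
Subject: invoice
Date: Mon, 6 May 2024 16:01:00 +0200
Message-ID: <ghi789@relay.example.net>

Please see attached.
"""

# "from <host> ... [<ip>] ... by <host>"; the date follows the last ';'.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>[0-9.]+)\].*?by\s+(?P<by>\S+)", re.S)


def parse_received(value: str) -> dict:
    """Unfold one Received header and pull out the hop's hosts, IP and time."""
    value = " ".join(value.split())
    m = HOP_RE.search(value)
    if m is None:
        raise ValueError(f"unrecognised Received header: {value!r}")
    when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
    return {"from": m.group("from"), "ip": m.group("ip"),
            "by": m.group("by"), "time": when}


def reconstruct_path(raw: bytes):
    """Return hops oldest-first, each with the seconds elapsed since the previous hop."""
    msg = email.message_from_bytes(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    for i, hop in enumerate(hops):
        hop["delta_s"] = 0.0 if i == 0 else (
            hop["time"] - hops[i - 1]["time"]).total_seconds()
    return hops


def originating_ip(hops):
    """The address in the earliest hop: where the trusted chain first saw the message."""
    return hops[0]["ip"] if hops else None


def anomalies(hops):
    """Indexes of hops whose timestamp runs backwards, a sign of a forged or skewed header."""
    return [i for i, h in enumerate(hops) if h["delta_s"] < 0]


if __name__ == "__main__":
    path = reconstruct_path(RAW_MESSAGE)
    print("originating IP:", originating_ip(path))
    for hop in path:
        print(f"{hop['from']} [{hop['ip']}] -> {hop['by']} "
              f"at {hop['time'].isoformat()} (+{hop['delta_s']:.0f}s)")
    print("backwards-clock hops:", anomalies(path))
```

Timestamps are compared as timezone-aware values, so a hop stamped in +0200 lines up correctly against one stamped in UTC; a negative delta between two servers you trust usually means clock skew, while one involving a hop you do not control is a reason to doubt that line.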
