
Forensics-CollectEvidenceRunComputer

Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community

By Todd G. Shipley, CFE, CFCE and Henry R. Reeve, Esq.

SEARCH, The National Consortium for Justice Information and Statistics
This report was prepared by SEARCH, The National Consortium for Justice Information and Statistics, Francis X. Aumand III, Chairman, and Ronald P. Hawley, Executive Director.

This report was produced as a product of a project funded by the Office of Juvenile Justice and Delinquency Prevention (OJJDP), Office of Justice Programs, U.S. Department of Justice, under Cooperative Agreement No. 2005-MC-CX-K021, awarded to SEARCH Group, Incorporated, 7311 Greenhaven Drive, Suite 145, Sacramento, California 95831. Contents of this document do not necessarily reflect the views or policies of the OJJDP or the U.S. Department of Justice.

Copyright © SEARCH Group, Incorporated, dba SEARCH, The National Consortium for Justice Information and Statistics, 2006.

Acknowledgments

This primer was prepared by Todd G. Shipley, CFE, CFCE, Director of Systems Security and High Tech Crime Training for SEARCH, The National Consortium for Justice Information and Statistics, and Henry R. “Dick” Reeve, General Counsel and Deputy District Attorney, Denver, Colorado.

This paper was written under the direction of the Legal Committee of the Working Group of the Internet Crimes Against Children Task Forces.

SEARCH, The National Consortium for Justice Information and Statistics
7311 Greenhaven Drive, Suite 145
Sacramento, California 95831
Phone: (916) 392-2550
Fax: (916) 392-8440
www.search.org
Traditional Computer Search and Seizure Methodology

The traditional method for law enforcement when dealing with the search and seizure of computers at a crime scene is to simply unplug the computer and book it into the evidence facility. From there, the investigator requests that the computer be examined by a trained digital evidence examiner. The examiner then makes a “forensically sound” copy of the computer’s hard drive(s)¹ and reviews the copy for evidence or contraband. Upon completion, the examiner reports the findings back to the investigator.

“Traditionally, computer forensics has focused on researching, developing, and implementing proper techniques, tools, and methodologies to collect, store, and preserve sensitive data that is left on a system’s hard drive(s).”
—First Responders Guide to Computer Forensics (CERT Training and Education Handbook)

¹ A forensically sound copy of a computer hard drive is one that is a bit-for-bit copy.

This methodology was developed in the early days of computer forensics to ensure that the data was not changed in any way. It was developed in light of a number of considerations, including defending against later challenges in court that the investigator or examiner altered or created evidence found on the device. Since the early 1990s, this methodology has been central to law enforcement’s response in handling computers found at a crime scene. As stated in a 2001 National Institute of Justice (NIJ) publication titled