team or company may commonly come up with their
own steps, but all should be essentially accomplishing the same things:
Figure 10-2 fills in many of the steps that take place in each phase of the investigation process.
NOTE The principles of criminalistics are included in the forensic
investigation process. They are identification of the crime scene, protection of
the environment against contamination and loss of evidence, identification
of evidence and potential sources of evidence, and the collection of evidence.
In regard to minimizing the degree of contamination, it is important to
understand that it is impossible not to change a crime scene—be it physical
or digital. The key is to minimize changes and document what you did and
why, and how the crime scene was affected.
During the examination and analysis process of a forensics investigation, it is
critical that the investigator works from an image that contains all of the data from
the original disk. It must be a bit-level copy, sector by sector, to capture deleted files,
slack spaces, and unallocated clusters. These types of images can be created through
the use of a specialized tool such as FTK Imager, EnCase, Safeback, or the dd Unix
utility. A file copy tool does not recover all data areas of the device necessary for examination.

All-in-1 / CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8
Chapter 10: Legal, Regulations, Compliance, and Investigations

Figure 10-2 Characteristics of the different phases through an investigation process

Controlling the Crime Scene
Whether the crime scene is physical or virtual, it is important to control who
comes in contact with the evidence of the crime to ensure its integrity. The following are just some of the steps that should take place to protect the crime scene:
• Only allow authorized individuals access to the scene. These folks
should have knowledge of basic crime scene analysis.
• Document who is a...
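
The bit-level imaging step from the examination and analysis paragraph above, as an added example that is not from the book: it images a source with dd, compares SHA-256 digests of source and image, and records the action in a notes file. The function names, the notes-file format and the hash comparison are assumptions of this example, and a constructed 4-sector file stands in for the write-blocked evidence device.

```shell
#!/bin/sh
# Added example (not from the book): bit-level acquisition with dd, plus
# hash verification and a written record. Function names are hypothetical.
# Assumes a POSIX shell with dd and GNU coreutils sha256sum.

sha256_of() {
    # Print only the hex digest of a file or device.
    sha256sum "$1" | awk '{print $1}'
}

acquire_image() {
    src=$1; img=$2; log=$3
    [ -r "$src" ] || { echo "cannot read source: $src" >&2; return 2; }
    [ -e "$img" ] && { echo "refusing to overwrite: $img" >&2; return 2; }

    # Hash the source first so the image can be shown to be identical to it.
    src_hash=$(sha256_of "$src")
    [ -n "$src_hash" ] || return 2

    # dd copies raw 512-byte blocks, so deleted files, slack space and
    # unallocated clusters are carried over along with live data.
    dd if="$src" of="$img" bs=512 2>/dev/null || return 2
    img_hash=$(sha256_of "$img")
    chmod 0444 "$img"   # examination works from this copy; keep it read-only

    # Document what was done, when, and by whom.
    {
        printf '%s acquire src=%s img=%s by=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "${USER:-unknown}"
        printf '  source_sha256=%s\n  image_sha256=%s\n' "$src_hash" "$img_hash"
    } >> "$log"

    if [ "$src_hash" = "$img_hash" ]; then
        echo "  result=VERIFIED" >> "$log"; return 0
    fi
    echo "  result=MISMATCH" >> "$log"; return 1
}

# Constructed demo: a 4-sector file stands in for the evidence device.
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/evidence.raw" bs=512 count=4 2>/dev/null
acquire_image "$demo_dir/evidence.raw" "$demo_dir/evidence.dd" "$demo_dir/notes.log"
cat "$demo_dir/notes.log"
```
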