lysis on this copy. Working on the copy rather than the original drive keeps the evidence on the original system intact if some step in the investigation corrupts or destroys data. Dumping the memory contents to a file before doing any other work on the system, and before powering it down, is a crucial step because of the volatile information stored there; it is another method of capturing fragile evidence. It also creates an awkward trade-off: capturing RAM or conducting live analysis can itself alter the crime scene, because the capture tool and the running system both cause state changes while it runs. Whatever method the forensic investigator chooses to collect digital evidence must be documented; that documentation is the most important aspect of evidence handling.
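The paragraph above describes the procedure but not what "working on a copy" and "documenting the method" look like in practice. The script below is an added example and is not part of the textbook: it images a source to a file with dd, hashes both source and image with SHA-256, appends the hashes and a verification result to a custody log, and can later re-verify the image against the logged hash. The "device" it images is a constructed 8 KiB file so the example runs offline; on a real system the source would be a block device behind a write blocker, and the function names (forensic_image, verify_image, make_sample_device) are this example's own.

```shell
#!/bin/sh
# Added example, not from the textbook. Image a source, verify the copy by
# hash, and record every step in an append-only custody log.
set -u

# Construct a stand-in "device": exactly two 4096-byte blocks, so the
# conv=sync padding below adds nothing (a real device is always a whole
# number of sectors, so no padding is added there either).
make_sample_device() {
    head -c 8192 /dev/urandom > "$1"
}

# Image $1 to $2, verify with SHA-256, log to $3.
# Returns 0 only if the image hash matches the source hash.
forensic_image() {
    src="$1"; img="$2"; log="$3"
    # conv=noerror,sync: keep reading past bad blocks and pad them with
    # zeros so later block offsets in the image still line up.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 2
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # Log what was acquired, from where, and what it hashed to; the log
    # is the written record the text says must exist for every step.
    printf '%s\tsource=%s\tsha256=%s\n' "$ts" "$src" "$src_hash" >> "$log"
    printf '%s\timage=%s\tsha256=%s\n' "$ts" "$img" "$img_hash" >> "$log"
    if [ "$src_hash" = "$img_hash" ]; then
        printf '%s\tverify=OK\n' "$ts" >> "$log"
        return 0
    fi
    printf '%s\tverify=MISMATCH\n' "$ts" >> "$log"
    return 1
}

# Re-verify an image later (e.g. before each analysis session): recompute
# its hash and compare with the last hash logged for it at acquisition.
verify_image() {
    img="$1"; log="$2"
    logged=$(grep -F "image=$img" "$log" | tail -n 1 | sed 's/.*sha256=//')
    now=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$logged" ] && [ "$logged" = "$now" ]
}
```

All analysis then runs against the image file, never the source; if verify_image ever fails, the image has been altered since acquisition and the log shows exactly which hash it was expected to have.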
NOTE The forensics team needs specialized tools, an evidence collection notebook, containers, a camera, and evidence identification tags. The notebook should not be a spiral notebook but rather one that is bound in a way that makes it evident if pages have been removed.

International Organization on Computer Evidence
When we covered laws earlier in the chapter, we discussed how important it is to standardize different countries' attitudes and approaches to computer crime, since computer crimes often cross international boundaries. The same is true of forensics. Digital evidence must be handled in a similarly careful fashion so it can be used in different courts, no matter which country is prosecuting a suspect. The International Organization on Computer Evidence (IOCE) was created to develop international principles for how digital evidence is to be collected and handled, so that various courts will recognize and use the evidence in the same manner. Stateside, we have the Scientific Working Group on Digital Evidence (SWGDE), which also aims to ensure consistency across the forensic community. The principles developed by IOCE and SWGDE for the standardized recovery of computer-based evidence are...
This note was uploaded on 06/01/2013 for the course NET 125 taught by Professor Hurst during the Fall '12 term at Wake Tech.