t the crime scene.
• In court, the integrity of the evidence may be called into question if too many people were milling around the scene.
• Document which individuals were the last to interact with the systems.
• If the crime scene does become contaminated, document it. The contamination may not negate the derived evidence, but it will make investigating the crime more challenging.

ch10.indd 893 12/4/2009 11:39:12 AM All-in-1 / CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8 CISSP All-in-One Exam Guide 894
Two copies of the original media should be created: a primary image (a control copy that is stored in a library) and a working image (used for analysis and evidence collection). Both should be timestamped to show when the evidence was collected, and both should be hashed so that each copy can be shown to be identical to the original media.
Before creating these images, the investigator must make sure the new media has been properly purged, meaning it contains no residual data. There have been incidents in which brand-new, shrink-wrapped drives straight out of the box contained old data that the vendor had not purged.
The investigator works from the duplicate image because doing so preserves the original evidence, prevents inadvertent alteration of the original during examination, and allows the duplicate image to be re-created if necessary. Digital evidence can reside in any of the following locations, listed here from most to least volatile; the most volatile sources are lost at power-off or overwritten within moments, so they must be captured first:
• Registers and cache
• Process tables and ARP cache
• Contents of system memory
• Temporary file systems
• Data on the disk
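The imaging procedure described above (purged target media, a primary and a working copy, timestamps, and a way to prove the copies match the original) as a small POSIX shell script. This is an added example, not code from the CISSP guide or its author; it assumes dd, tr, wc, date and either sha256sum or shasum are available, and it substitutes a constructed sample file for the evidence device so it runs offline. On a real acquisition the source would be the device node (behind a hardware write blocker) and the purge would cover the whole target drive.

```shell
#!/bin/sh
# Added example, not from the CISSP guide. Images an evidence source twice
# (primary/control copy and working copy) after checking that the target
# media is purged, proves both copies match the original by SHA-256, and
# writes timestamped entries to a chain-of-custody log.
# Assumptions: POSIX sh; dd, tr, wc, cut, date; sha256sum or shasum.
# The "evidence device" is a constructed file, not a real disk.

set -e

# Constructed sample evidence (hypothetical content) for offline use.
make_sample_evidence() {
    printf 'constructed evidence payload, not a real disk image\n' > "$1"
}

# SHA-256 of a file; works with coreutils sha256sum or Perl shasum.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Residual-data check: purged media must contain nothing but zero bytes.
# Returns 0 when purged, 1 when any non-zero byte remains.
is_purged() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Overwrite the target with zeros. On a real device this covers the whole
# device; for the stand-in file a fixed 4 KiB is written.
purge_media() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
}

# Bit-for-bit copy with dd. For a physical device add conv=noerror,sync so a
# bad sector is zero-filled instead of aborting the acquisition; it is
# omitted here because it would pad the small sample file to a block boundary.
image_device() {
    dd if="$1" of="$2" bs=512 2>/dev/null
}

# Append "UTC-timestamp label path sha256" to the chain-of-custody log.
log_entry() {
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" \
        "$(hash_of "$2")" >> "$3"
}

# Acquire primary and working images of src. Each target is purged and
# verified empty before it is written; the original and every image are
# logged with time and hash.
acquire_images() {
    src="$1"; primary="$2"; working="$3"; log="$4"
    for target in "$primary" "$working"; do
        purge_media "$target"
        is_purged "$target" || { echo "residual data on $target" >&2; return 1; }
    done
    log_entry original "$src" "$log"
    image_device "$src" "$primary"
    log_entry primary-acquired "$primary" "$log"
    image_device "$src" "$working"
    log_entry working-acquired "$working" "$log"
}

# Integrity check: both images must hash identically to the original.
# Returns 0 on match, 1 if either copy differs.
verify_images() {
    h=$(hash_of "$1")
    [ "$(hash_of "$2")" = "$h" ] && [ "$(hash_of "$3")" = "$h" ]
}
```

Re-run verify_images against the working copy after each examination session; a mismatch on the working image shows that analysis altered it, while the untouched primary image and the logged hashes let you re-create the working copy and demonstrate that the original was never modified.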
So, great care and precision must be taken to capture clues from any computer or device. Remember that digital evidence can exist in many more devices than traditional computer systems: PDAs, cell phones, USB jump drives, laptops, GPS devices, and memory cards can be containers of digital evidence as well.
Acquiring evidence on live systems and those using network storage further complicates matters because you cannot turn off the system in order to make a copy of the
hard drive. Imagine the reaction you’d rec...