
…t the crime scene.
• In court, the integrity of the evidence may be in question if there are too many people milling around.
• Document who the last individuals to interact with the systems were.
• If the crime scene does become contaminated, document it. The contamination may not negate the derived evidence, but it will make investigating the crime more challenging.

ch10.indd 893 12/4/2009 11:39:12 AM All-in-1 / CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8 CISSP All-in-One Exam Guide 894

The original media should have two copies created: a primary image (a control copy that is stored in a library) and a working image (used for analysis and evidence collection). These should be timestamped to show when the evidence was collected. Before creating these images, the investigator must make sure the new media has been properly purged, meaning it does not contain any residual data. Some incidents have occurred where drives that were new and right out of the box (shrink-wrapped) contained old data not purged by the vendor. The investigator works from the duplicate image because it preserves the original evidence, prevents inadvertent alteration of the original evidence during examination, and allows re-creation of the duplicate image if necessary.

Most media are “magnetic based,” and the data are volatile and can be contained in the following:
• Registers and cache
• Process tables and ARP cache
• Contents of system memory
• Temporary file systems
• Data on the disk

So great care and precision must be taken to capture clues from any computer or device. Remember that digital evidence can exist in many more devices than traditional computer systems. PDAs, cell phones, USB jump drives, laptops, GPS devices, and memory cards can be containers of digital evidence as well.
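The acquisition steps above (check that the destination media is purged, create a primary and a working image, timestamp each copy) as an added worked example; this is not code from the exam guide. It adds one thing the excerpt does not spell out, a SHA-256 comparison of each copy against the original, and the file names, sizes and "vendor leftover" contents are constructed sample data.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read media in 1 MiB blocks so large images need not fit in memory


def sha256_of(path):
    """Hash a file block by block and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def is_purged(path):
    """Return True only if the medium holds nothing but zero bytes (no residual data)."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):
                return False
    return True


def acquire(original, primary, working):
    """Create the primary (control) image and the working image from the original.

    Refuses to write onto a destination that still holds residual data, records
    an acquisition timestamp for each copy, and verifies that each copy hashes
    identically to the original (hash verification is this example's addition,
    not a step the excerpt itself describes).
    """
    for dest in (primary, working):
        if os.path.exists(dest) and not is_purged(dest):
            raise ValueError(f"destination {dest} holds residual data; purge it before use")
    original_hash = sha256_of(original)
    record = {"original_sha256": original_hash, "images": {}}
    for name, dest in (("primary", primary), ("working", working)):
        shutil.copyfile(original, dest)
        copy_hash = sha256_of(dest)
        if copy_hash != original_hash:
            raise ValueError(f"{name} image does not match the original")
        record["images"][name] = {
            "path": dest,
            "sha256": copy_hash,
            "acquired_at": datetime.now(timezone.utc).isoformat(),
        }
    return record


def make_sample_media(workdir):
    """Constructed sample data: an evidence image, a 'shrink-wrapped' drive that
    still carries vendor-leftover data, and a properly purged drive."""
    original = os.path.join(workdir, "evidence.img")
    leftover = os.path.join(workdir, "new_drive_unpurged.img")
    purged = os.path.join(workdir, "new_drive_purged.img")
    with open(original, "wb") as f:
        f.write(b"FILESYSTEM HEADER" + bytes(range(256)) * 64)
    with open(leftover, "wb") as f:
        f.write(b"\x00" * 4096 + b"OLD CUSTOMER RECORDS" + b"\x00" * 4096)
    with open(purged, "wb") as f:
        f.write(b"\x00" * 8192)
    return original, leftover, purged


def demo():
    """Run the checks against the constructed media and return the outcomes."""
    workdir = tempfile.mkdtemp()
    original, leftover, purged = make_sample_media(workdir)
    working = os.path.join(workdir, "working.img")
    rejected = False
    try:
        acquire(original, leftover, working)  # unpurged destination must be refused
    except ValueError:
        rejected = True
    record = acquire(original, purged, working)  # purged destination is accepted
    return {
        "leftover_is_purged": is_purged(leftover),
        "rejected_unpurged": rejected,
        "record": record,
    }


if __name__ == "__main__":
    print(demo())
```

The purge check is deliberately strict: anything other than zeros is treated as residual data, which is the right default when the alternative is unknowingly mixing a vendor's leftover bytes into the evidence copy.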
Acquiring evidence on live systems and those using network storage further complicates matters because you cannot turn off the system in order to make a copy of the hard drive. Imagine the reaction you’d rec...