±Forensic Focus Partners
|New Today: 0||Overall: 35742|
|New Yesterday: 3||Visitors: 108|
Collecting And Preserving Electronic MediaBack to top Back to main Skip to menu
Collecting And Preserving Electronic Media
Image Copies. Most people think that by deleting a file the information contained within that file is lost. This is incorrect. When a file is deleted, the computer makes the space occupied by that file available for new data. But the bits and bytes that make up the file remain on the hard drive until they are overwritten by new data or "wiped," through the use of utility software. Deleted files and other "residual" data, which includes deleted files and fragments of deleted files, may be recovered from hard drives and many forms of removable media by making an image copy.
An evidentiary image copy duplicates the disk surface, sector-by-sector, creating an exact copy of the source drive. By recreating the deleted files, you may be able to find damaging information. In contrast, a file-by-file copy (active data) would not provide you with any of the "residual" data. This could prove to be a significant oversight.
- The layout of the computer system, including the number and types of computers.
- The structure of any network and electronic mail system(s), including software used, the number of users, the location of mail files, and password usage.
- The software packages used including the software maker, program name, version of each program, when it was installed, and whether it has been upgraded. Remember that different software packages will be used for calendars, project management, accounting, word-processing, and database management. Make sure you ask about any proprietary programs and encryption software.
- The procedures used by system users to log on to computers and into the network. This includes use of passwords, audit trails, and other security measures used to identify data created, modified, or otherwise accessed by particular users. - Whether access control lists identify which users have access to which files.
- How shared files are structured and named on the system.
- Descriptions of all devices and software used to create backups, what information is backed up, backup schedules, and tape rotation schedules.
- The process for archiving and retrieving backup media, both on and off site.
- Routines for archiving and purging different types of data.
Support Staff, Palmtops, and Notebooks. Witnesses' and parties' support staff may have produced or stored information for the witness or party. This data may include letters that were dictated to relevant parties. The staff member should be asked for a detailed account of how the respective information is stored and labeled. The data should then be requested for your review.
Each witness or party should also be asked about his or her computer usage. It is important to determine whether the witness conducts business from any computer other than the one at their desk. The witness may be able to log onto the company's network from home. If that is the case, the home computer acts just like the employee's office computer. The witness may also take work home on removable media such as thumb drives or CDs, or via email, thereby transferring relevant data to his or her home computer. Additionally, inquire about palmtop devices such as electronic address books, PDAs (such as PalmPilot and iPAQ), and multifunction phones that integrate text messaging, which in addition to storing calendar and contact information allow the user to make notes and use email. These devices may contain evidence that is not contained on the witness's standard work computer. Finally, information may be contained on a shared notebook computer.
What To Do With The Procured Data
The requests for production have necessarily yielded image copies, backup tapes, diskettes, CDs, and other media. Before anyone views or handles the evidence that has been gathered, the integrity of the media must be preserved. This involves a two-step process of write protecting and virus checking the media. Write protection prevents data from being added to the media. This guarantees that the evidence you gathered has not been altered or erased. Virus checking detects whether there are any programs that could alter the information contained on the media. If a virus is detected, record all information about it and immediately notify the party producing the media. Do not attempt to clean the media, as the process will necessarily change the evidence that was produced.
If you have collected an original hard drive or removable media, it is also critical that you do not open or otherwise work on the original media without first making a forensically sound copy. Once you have protected the media, you are ready to search.
The following information is designed to furnish you with techniques for helping to ensure the admissibility of evidence. Evidence can be deemed inadmissible if its origin is not clearly delineated. The following process will assist you in avoiding any pitfalls:
- Write protect all media before doing anything else.
- Assign each piece of media a different number.
- Virus check all media. Immediately notify the producing party of any discovered viruses.
- Virus check the drive that you are restoring the data to and make sure the drive is free from any other data. (Ideally, restoration should be to a distinct drive, dedicated to a single case).
- Assign each restored piece of media a file name that corresponds to the original number given to the media being restored (e.g., everything restored from a diskette numbered 100 should be restored to a file named "Disk 100").
- Verify that all files on the directory listing appear in the copy restored.
- Secure the source media.
- When printing a particular document, insert a distinct header or footer that gives the full directory listing for the printed document (e.g., Disk 100\corr\bingo.txt).
With the ever-growing use of computers as business and communication tools, data stored electronically is a vital source of discovery. The days of relying upon printed material are gone forever. But as with tangible evidence, it is imperative that you gather electronic media in a manner that ensures the admissibility of the evidence. This requires attorneys to develop standard protocols for acquiring, preserving, and presenting electronic media. While the technology will continue to change, the basic techniques for collecting evidence should remain consistent.