The victim computer and its components are vital sources of evidence in a computer forensic investigation. Collect all the electronic devices and any other media found at the crime scene. Seize storage devices such as hard drives, memory cards, and removable media, since they may hold stored data. Handheld devices such as smartphones, mobile phones, PDAs, digital multimedia devices, and GPS receivers can hold valuable evidence: Internet browsing history, e-mails, chat logs and friend lists, pictures and image files, financial records, and so on.
The peripheral devices themselves are potential evidence. Information stored in the device such as scanned or printed documents, incoming and outgoing phone and fax numbers, and information about device usage can all contain valuable evidence.
To preserve the integrity of the physical evidence, handle every item collected carefully. Tag each object identified as evidence and record all the required details on the tag, such as the time, date, investigator’s name, and control number.
The physical evidence should include:
- Removable media
- Cables
- Publications
- All computer equipment including peripherals
- Items taken from the trash
- Miscellaneous items
Dealing with Powered On Computers
Electronic evidence is volatile in nature and easily damaged during collection, preservation, and analysis. Therefore, act with caution to prevent damage.
Dealing with Powered Off Computers
At this point of the investigation, do not change the state of any electronic devices or equipment:
- If it is switched OFF, leave it OFF
If a monitor is switched OFF and the display is blank:
- Turn the monitor ON, move the mouse slightly, observe the changes from a blank screen to another screen, and note the changes.
- Photograph the screen.
If a monitor is switched ON and the display is blank:
- Move the mouse slightly.
- If the screen does not change, do not perform any other keystroke.
- Photograph the screen.
Dealing with Networked Computers
If the victim’s computer has an Internet connection, the first responder must follow this procedure to protect the evidence:
- Unplug the network cable from the router and modem, because a live Internet connection leaves the computer open to further attack.
- Do not use the computer for evidence search because it may alter or change the integrity of the existing evidence.
- Photograph all the devices connected to the victim’s computer, especially router and modem, and take photographs of the computer from different angles. If any devices are present near the victim computer such as a printer or scanner, take photographs of those devices.
- If the computer is OFF, leave it OFF.
- If the computer is ON, take a photograph of the screen.
- If the computer is ON and the screen is blank, move the mouse slowly and take a photograph of the screen.
- Unplug all the cords and devices connected to the computer and label them for later identification.
- Unplug the main power cord from the wall socket.
- Pack the collected electronic evidence properly and place it in a static-free bag.
- Keep the collected evidence away from magnets, high temperature, radio transmitters, and other elements that may damage the integrity of the evidence.
- Document all the steps that are involved in searching and seizing the victim’s computer for later investigation.
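The tagging requirements above (time, date, investigator’s name, control number) and the final step of documenting every seizure action can be kept in one append-only record. The following is an added example, not code from the original article or from EC-Council: it assigns sequential control numbers per case, timestamps each tag and step, and chains every entry to the previous one with SHA-256 so that a later alteration of the log is detectable. The case id, investigator name, item descriptions, and control-number format are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, List, Optional


@dataclass
class EvidenceTag:
    """The details the article asks for on each physical evidence tag."""
    control_number: str          # constructed format: <case id>-E<sequence>
    description: str
    location: str                # where at the scene the item was found
    investigator: str
    seized_at: str               # ISO-8601 UTC timestamp
    sha256: Optional[str] = None  # hash of a media image, if one was taken
    notes: str = ""


class SeizureLog:
    """Append-only log of tags and actions. Each entry stores the hash of the
    previous entry, so removing, reordering or editing an entry breaks verify()."""

    def __init__(self, case_id: str, investigator: str,
                 clock: Optional[Callable[[], str]] = None):
        self.case_id = case_id
        self.investigator = investigator
        # Injectable clock so the log is reproducible in tests.
        self._clock = clock or (lambda: datetime.now(timezone.utc)
                                .isoformat(timespec="seconds"))
        self._seq = 0
        self.entries: List[dict] = []
        self.tags: List[EvidenceTag] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, action: str, detail: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self._seq += 1
        entry = {"seq": self._seq, "time": self._clock(), "action": action,
                 "detail": detail, "prev_hash": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def tag_item(self, description: str, location: str,
                 sha256: Optional[str] = None, notes: str = "") -> EvidenceTag:
        """Create the next tag for this case and log it."""
        number = f"{self.case_id}-E{len(self.tags) + 1:03d}"
        tag = EvidenceTag(number, description, location, self.investigator,
                          self._clock(), sha256, notes)
        self.tags.append(tag)
        self._append("tag", asdict(tag))
        return tag

    def record_step(self, text: str) -> dict:
        """Log one action taken at the scene (photograph, unplug, label...)."""
        return self._append("step", {"text": text})

    def verify(self) -> bool:
        """Recompute the chain from the start; False on any inconsistency."""
        prev = "0" * 64
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def build_sample_log() -> SeizureLog:
    """Constructed walkthrough of the networked-computer procedure above."""
    log = SeizureLog("CASE-2024-0417", "J. Doe",
                     clock=lambda: "2024-04-17T10:15:00+00:00")
    log.record_step("Photographed screen and all connected devices (router, modem, printer).")
    log.record_step("Unplugged network cable from router and modem.")
    log.tag_item("Desktop PC, black tower, power cord labelled A1", "home office desk",
                 notes="Computer was ON; screen photographed before power removal.")
    log.tag_item("Wireless router, model label photographed", "shelf above desk")
    log.record_step("Unplugged main power cord from wall socket; packed PC in static-free bag.")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(json.dumps(sample.entries, indent=2))
    print("log intact:", sample.verify())
```

Export the entries as JSON at the end of the seizure and store a copy with the case file; `verify()` run on that copy later gives a simple check that the written record matches what was logged at the scene.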
Dealing with Open Files and Startup Files
When a computer crime occurs through a malware attack, the malware creates files on the system. To have its malicious code run at boot, the malware places files in the Startup folders on Windows operating systems and in the rc.local file (under /etc) on Linux operating systems. First responders can get vital information from these files. Use the ls command to list them on a Linux operating system.
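Listing these locations by hand with ls on the live system is what the paragraph describes; the following added example (not code from the original article) does the same survey read-only over the root of a mounted image or a copied directory tree, which keeps the examiner from touching the original. It covers rc.local and the rc*.d and init.d directories the paragraph refers to, and extends the same check to cron.d, systemd wants links, and the Windows Startup folders for the Windows versions named later on this page. Every file found is hashed, and rc*.d symlinks are reported with their raw target, so a dangling link (a script that was removed or never existed on the image) shows up as a record with no hash. The miniature image tree built by build_sample_image() is constructed sample data, not a real system.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Patterns relative to the image root, so the image can be mounted anywhere.
LINUX_LOCATIONS = [
    "etc/rc.local",
    "etc/rc.d/rc.local",
    "etc/init.d",
    "etc/rc*.d",
    "etc/cron.d",
    "etc/systemd/system/*.wants",
]
# Vista/7/2008 layout first, then XP/2003 layout.
WINDOWS_LOCATIONS = [
    "ProgramData/Microsoft/Windows/Start Menu/Programs/Startup",
    "Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup",
    "Documents and Settings/All Users/Start Menu/Programs/Startup",
    "Documents and Settings/*/Start Menu/Programs/Startup",
]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks; startup entries can point at large binaries."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def survey_startup(root: str) -> list:
    """One record per file or link found in a startup location under root.

    Only reads are performed. For a symlink, link_target is the raw target and
    sha256 is of the resolved file when it exists on the image, else None.
    """
    rootp = Path(root)
    records, seen = [], set()
    for pattern in LINUX_LOCATIONS + WINDOWS_LOCATIONS:
        for match in sorted(rootp.glob(pattern)):
            paths = sorted(match.iterdir()) if match.is_dir() else [match]
            for p in paths:
                rel = str(p.relative_to(rootp))
                if rel in seen or p.is_dir():
                    continue
                seen.add(rel)
                records.append({
                    "location": pattern,
                    "path": rel,
                    "link_target": os.readlink(p) if p.is_symlink() else None,
                    "sha256": sha256_of(p) if p.is_file() else None,
                    "mtime": int(p.lstat().st_mtime),   # lstat: do not follow links
                })
    return records


def build_sample_image() -> str:
    """Constructed miniature image tree (sample data, not a real system)."""
    root = Path(tempfile.mkdtemp(prefix="img_"))
    (root / "etc/init.d").mkdir(parents=True)
    (root / "etc/rc3.d").mkdir()
    (root / "etc/init.d/updater").write_text("#!/bin/sh\n/opt/updater/run &\n")
    os.symlink("../init.d/updater", root / "etc/rc3.d/S99updater")
    os.symlink("../init.d/gone", root / "etc/rc3.d/S98gone")      # dangling link
    (root / "etc/rc.local").write_text("#!/bin/sh\nexit 0\n")
    win = root / "Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    win.mkdir(parents=True)
    (win / "sync.lnk").write_bytes(b"L\x00\x00\x00")               # placeholder bytes
    return str(root)


if __name__ == "__main__":
    for r in survey_startup(build_sample_image()):
        print(f"{r['path']}\n    link->{r['link_target']}  sha256={r['sha256']}")
```

Run it against the mount point of a read-only mounted image (for example `survey_startup("/mnt/evidence")`); comparing the hashes with those of a known-good installation of the same release separates vendor boot scripts from anything added later.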
Operating System Shutdown Procedure
First responders have to make a vital decision when shutting down the computer system, because the operating system must be shut down in a proper manner so that the integrity of the files is not damaged. In most cases, the type of operating system is the key to this decision. Different operating systems have different shutdown procedures. Some operating systems can be shut down by simply unplugging the power cord from the wall socket without losing any files. For others, first responders have to follow the predefined shutdown procedure; otherwise, data may be lost or the hard drives may crash.
The first responder must follow these procedures to shut down the operating system:
Windows 7, Windows XP, Windows Vista, Windows Server 2008, and Windows Server 2003 operating systems:
- Take a photograph of the screen
- If any program is running, give a brief explanation
- Unplug the power cord from the wall socket
Mac OS X operating system:
- Record the time from the menu bar
- Click Special > Shut Down
- Unplug the power cord from the wall socket
Preserving Electronic Evidence
The points to remember while preserving the electronic evidence are:
- Document the actions and changes that you observe on the monitor, system, printer, or other electronic devices.
- Verify that the monitor is ON, OFF, or in sleep mode.
- Remove the power cable, depending on the power state of the computer, i.e., ON, OFF, or in sleep mode.
- Do not turn ON the computer if it is in the OFF state.
- Take a photo of the monitor screen if the computer is in the ON state.
- Check the connections of the telephone modem, cable, ISDN, and DSL.
- Remove the power plug from the router or modem.
- Remove any portable disks that are available at the scene to safeguard potential evidence.
- Place evidence tape over the drive slots and the power connector.
- Photograph the connections between the computer system and the related cables, and label them individually.
- Label every connector and cable connected to the peripheral devices.
Computer Forensics Investigation Methodology
Evidence is fragile data that is easy to manipulate, alter, and destroy. Therefore, attackers are always looking for ways to damage it in every possible way. This section will discuss the process of storing the evidence in a secure manner.
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com