Forensic Procedures - Study Material | CIT 3853, Study notes of Forensics

Material Type: Notes; Professor: Jones; Class: COMPUTER FORENSICS; Subject: Computer and Information Tech; University: Arkansas State University; Term: Unknown 1989;

Typology: Study notes

Pre 2010

Uploaded on 07/23/2009

Forensic Procedures

Forensic Examination of Computers and Digital and Electronic Media

IACIS® has established the following as a guide for forensic computer and digital evidence examinations.

All computer and digital media examinations are different: the examiner must consider the totality of the circumstances as he or she proceeds. Not all components here may be needed in every situation, and examiners may need to adjust to unusual or unexpected conditions in the field.

Cases involving computers and other electronic devices are borderless. Multiple jurisdictions and agencies may be involved in investigative and analytical activities, and each agency or jurisdiction may employ specific procedures. This document, then, is not intended to supersede or conflict with jurisdiction or agency policies or procedures. Rather, it is a foundation document that outlines general principles.

Guide for Forensic Examinations

Computer system components and other electronic devices (including digital and electronic media) are items of evidence just like any other items of evidence. As such, it is incumbent upon the examiner to follow agency procedures for documenting the receipt and handling of the items.

The computer system and/or the media should be examined physically and an inventory of hardware components noted. Documentation should include a physical description and detailed notation of any irregularities, peculiarities, identifying markings, and numberings.

When examining a computer, the system date and time should be collected, preferably from the BIOS setup. The date and time should be compared to a reliable known time source and any difference noted. If the BIOS setup information is accessible, then drive parameters and boot order should be noted. Depending on the BIOS, other information such as system serial numbers, component serial numbers, hardware component hashes, etc. should be noted.

Examination of media should be conducted in a forensically sound examination environment. A forensically sound examination environment is one which is completely under the control of the examiner: no actions are taken without the examiner permitting them to happen, and when the examiner permits or causes an action he or she can predict with reasonable certainty what the outcome of the action will be. Examiners may choose to employ a forensically sound operating system. Physical write-blocking devices or software write-blocking devices may be used in operating system environments that are not forensically sound.

Conducting an examination on the original evidence media should be avoided. Rather, examinations should be conducted on a forensic copy of the original evidence, or via forensic evidence files. Properly prepared media should be used when making forensic copies to ensure no commingling of data from different cases. Properly prepared media is media that has been completely overwritten with a known character. Regardless of whether the examiner performs a direct device-to-device copy of the media or creates forensic evidence copies for examination or restoration, the copy process should be forensically sound.

Examination of the media should be completed logically and systematically, starting where the data of evidentiary value is most likely to be found. These locations will vary depending on the nature and scope of the case. Examples of items to be noted might include:

- If the media is a hard drive, the number and type of partitions should be noted.
- If the media is an optical disc, the number of sessions should be noted.
- File systems on the media should be noted.
- A full directory listing should be made, to include folder structure, filenames, date/time stamps, logical file sizes, etc.
- Installed operating systems should be noted.
- User-created files should be examined using native applications, file viewers, or hex viewers. This includes such files as text documents, spreadsheets, databases, financial data, electronic mail, digital photographs, sound and other multimedia files, etc.
- Operating system files and application-created files should be examined, if present. This would include, but is not limited to: boot files, registry files, swap files, temporary files, cache files, history files, log files, etc.
- Installed applications should be noted.
- File hash comparisons may be used to exclude or include files for examination.
- Unused and unallocated space on each volume should be examined for previously deleted data, deleted folders, slack space data, and intentionally placed data. Previously deleted filenames of apparent evidentiary value should be noted. Files may be automatically carved out of the unallocated portion of the unused space based upon known file headers.
- Keyword searches may be conducted to identify files or areas of the drive that might contain data of evidentiary value and to narrow the examination scope.
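The prepared-media and forensically sound copy requirements above (target media completely overwritten with a known character; a copy process whose result can be verified), as an added example that is not part of the IACIS guide or of these course notes. It is written against ordinary files so it runs offline; on real hardware the two paths would be devices behind a write blocker, which is an assumption, since the guide names no tooling. The function names verify_wiped, wipe, forensic_copy and demo, the 1 MiB chunk size and the constructed sample "disk" are all choices made for the example.

```python
"""Added example (not from the IACIS guide): prepare target media, then make
a forensic copy whose source and destination hashes are checked against
each other. Paths are plain files here; on a real system they would be
block devices behind a write blocker (an assumption, not the guide's text).
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: large media never have to fit in memory


def verify_wiped(path, pattern=0x00):
    """True only if every byte of `path` equals the known character."""
    expected = bytes([pattern]) * CHUNK
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            if block != expected[:len(block)]:
                return False
    return True


def wipe(path, size, pattern=0x00):
    """Prepare target media: overwrite `size` bytes with `pattern`."""
    with open(path, "wb") as fh:
        for start in range(0, size, CHUNK):
            fh.write(bytes([pattern]) * min(CHUNK, size - start))


def sha256_of(path, length):
    """SHA-256 of the first `length` bytes of `path`, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        remaining = length
        while remaining > 0:
            block = fh.read(min(CHUNK, remaining))
            if not block:
                raise IOError(f"{path} is shorter than {length} bytes")
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()


def forensic_copy(src, dst, pattern=0x00):
    """Copy `src` onto prepared media `dst`; return the acquisition record.

    Refuses a destination that is not wiped (no commingling). The source
    hash is taken from the very bytes written; the destination hash comes
    from an independent read-back over the same length, so a short or
    silently failed write shows up as a mismatch in the record.
    """
    if not verify_wiped(dst, pattern):
        raise RuntimeError(f"{dst} is not prepared media; refusing to copy")
    src_hash, written = hashlib.sha256(), 0
    with open(src, "rb") as fin, open(dst, "r+b") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            src_hash.update(block)
            fout.write(block)
            written += len(block)
        fout.flush()
        os.fsync(fout.fileno())  # read-back must come from stable storage
    record = {"bytes": written,
              "source_sha256": src_hash.hexdigest(),
              "dest_sha256": sha256_of(dst, written)}
    record["verified"] = record["source_sha256"] == record["dest_sha256"]
    return record


def demo():
    """Run the workflow on constructed data in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.img")
        dst = os.path.join(d, "target.img")
        with open(src, "wb") as fh:          # constructed "disk" of random bytes
            fh.write(os.urandom(3 * CHUNK + 123))
        with open(dst, "wb") as fh:          # a target still holding old data
            fh.write(b"left over from another case")
        try:
            forensic_copy(src, dst)
            rejected = False
        except RuntimeError:
            rejected = True
        wipe(dst, 4 * CHUNK)                 # larger than the source, as usual
        record = forensic_copy(src, dst)
        record["dirty_target_rejected"] = rejected
        return record


if __name__ == "__main__":
    print(demo())
```

The record returned by forensic_copy (byte count plus the two independently computed hashes) is what goes into the examiner's notes for the acquisition; the copy is only treated as sound when the two hashes agree, and the destination is hashed over exactly the number of bytes written because prepared media is normally larger than the source.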
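Three of the examination steps in the list above (file hash comparison to exclude or include files, carving from unallocated space by known file headers, and keyword searching to narrow the scope), as an added example that is not part of the IACIS guide or of these course notes. The reference hash set, the byte string that stands in for a volume's unallocated space, and the names known_file_filter, carve, keyword_search, sample_unallocated and demo are constructed for the example; the header and footer bytes in SIGNATURES are the real magic values for JPEG, PNG and PDF.

```python
"""Added example (not from the IACIS guide): hash-set filtering, header-based
carving and keyword search over constructed sample data, so it runs offline.
"""
import hashlib
import re

# Real magic bytes for three common formats: (header, footer).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 8 * 1024 * 1024  # cap a carve whose footer is never found


def known_file_filter(files, known_hashes):
    """Split {name: bytes} into (to_examine, excluded) by SHA-256 membership.

    `known_hashes` plays the role of a reference list (for instance the
    hashes of stock operating-system files): matches are excluded from
    manual review, everything else stays in scope.
    """
    to_examine, excluded = {}, {}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        (excluded if digest in known_hashes else to_examine)[name] = digest
    return to_examine, excluded


def carve(blob):
    """Return carved objects (dicts) from raw bytes, sorted by offset.

    A header with no footer within MAX_CARVE is still reported, flagged
    complete=False, because the header offset itself is worth noting.
    Formats that may hold several footers (PDF incremental updates) stop
    at the first; a production carver would also validate the structure.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (off := blob.find(header, pos)) != -1:
            foot = blob.find(footer, off + len(header), off + MAX_CARVE)
            complete = foot != -1
            end = foot + len(footer) if complete else min(len(blob), off + MAX_CARVE)
            found.append({"type": kind, "offset": off, "size": end - off,
                          "complete": complete, "data": blob[off:end]})
            pos = end if complete else off + len(header)
    return sorted(found, key=lambda f: f["offset"])


def keyword_search(blob, keywords):
    """Case-insensitive (offset, encoding, keyword) hits for each keyword,
    searched both as ASCII and as UTF-16LE (how Windows stores many strings)."""
    hits = []
    for kw in keywords:
        for enc, label in (("ascii", "ascii"), ("utf-16-le", "utf16le")):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            hits.extend((m.start(), label, kw) for m in pattern.finditer(blob))
    return sorted(hits)


def sample_unallocated():
    """Constructed unallocated space: a whole JPEG, a PDF carrying a keyword,
    the same keyword as UTF-16LE, and a PNG whose tail was overwritten."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Title (Wire transfer) >>\nendobj\n%%EOF"
    png_cut = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"B" * 20
    return (b"\x00" * 64 + jpeg + b"\x00" * 32 + pdf + b"\x00" * 16
            + "wire TRANSFER".encode("utf-16-le") + b"\x00" * 8 + png_cut)


def demo():
    """Run all three steps on the constructed data and summarise the results."""
    files = {"notepad.exe": b"constructed OS binary",
             "ledger.xls": b"constructed user spreadsheet"}
    known = {hashlib.sha256(b"constructed OS binary").hexdigest()}
    to_examine, excluded = known_file_filter(files, known)
    blob = sample_unallocated()
    return {
        "to_examine": sorted(to_examine),
        "excluded": sorted(excluded),
        "carved": [(f["type"], f["offset"], f["size"], f["complete"])
                   for f in carve(blob)],
        "hits": keyword_search(blob, ["wire transfer"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The keyword hit inside the PDF and the UTF-16LE hit in the zero-filled region show why a search should cover more than one encoding, and the truncated PNG shows why a carver should report header offsets even when no footer follows: the guide asks for previously deleted material of apparent evidentiary value to be noted, not only for whole files to be recovered.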