Part Two: A Forensics Inquiry, Step by Step

By David Coursey  |  Posted 2004-09-15

Opinion: Proper investigative technique is key to conducting a forensic investigation of a suspect computer system—including using best practices and knowing how much data to collect.

In my first column on this subject, I introduced a set of seven guidelines for IT departments when considering the forensic investigation of a suspect computer system. In part two, I'll offer seven more best practices and recommended steps to be used in conducting the actual examination. These columns started as a conversation with John Colbert, president and CEO of Guidance Software, a publisher of forensic software and a provider of professional investigative services. An ex-cop, Colbert ran the professional services business before recently becoming president of the company. Following our conversation, John was kind enough to summarize the discussion into the bullet points presented here. My hope is that this information will keep well-meaning IT staff out of trouble and encourage proper investigative technique.
If an investigation is going to be conducted by an IT professional, the following seven steps should be considered:
Using Best Practices: Enter into the investigation with the understanding that the courts rely on best practices when making a judgment regarding the admissibility of evidence. Even though the initial thought is that a simple investigation is not going to court, an unexpected discovery could change the entire direction. That's why it is always important to follow best practices. Taking an introductory course in computer forensics would be extremely helpful for learning the basic best practices for data collection. NIST Special Publication 800-61, the "Computer Security Incident Handling Guide," provides a good overview of incident handling, including technical best practices.

How Much Data Should Be Collected?: It is important to decide whether the collection will include a few files or the entire hard drive. This decision should be based on whether other data on the computer, which will most likely be destroyed or altered if not collected now, may be needed later in the investigation. If deleted files are to be recovered, it is essential to make a complete copy of the entire hard drive, unless enterprise remote-forensic software is used. Don't forget that the files or data sought may be embedded in database records, compressed archives, encrypted files, e-mail stores, etc. It may not be simple to locate the files or data in question. Under these conditions, it may be wise to collect the entire drive, so that a subsequent examination can take place offline.
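An added example, not from the column or from Guidance Software: a Python routine that makes the complete, bit-for-bit copy the text recommends and records a SHA-256 of the source stream and of the written image, so the copy can be examined offline and later shown to be unaltered. The device path, the image path and the constructed sample "drive" (which carries bytes of a file whose directory entry is gone, to show what a per-file copy would miss) are assumptions.

```python
"""Full-drive acquisition with integrity verification (added example)."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read the source in 1 MiB blocks


def image_drive(source: str, image_path: str) -> dict:
    """Copy every byte of `source` (a block device such as /dev/sdb, or a file)
    into `image_path`, hashing the bytes as they are read. Returns an acquisition
    record: byte count, SHA-256 of the source stream, SHA-256 of the written image,
    and whether the two digests agree."""
    src_hash = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            size += len(block)
    # Re-read the image independently so a write error cannot go unnoticed.
    img_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(CHUNK), b""):
            img_hash.update(block)
    return {
        "source": source,
        "image": image_path,
        "bytes": size,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
    }


def demo() -> dict:
    """Constructed sample: a small 'drive' holding a live file region followed by
    bytes of a deleted file that still sit in unallocated space."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp) / "suspect_drive.bin"  # hypothetical source
        drive.write_bytes(b"LIVE:report.docx\x00" * 100
                          + b"DELETED:memo.txt still here" + b"\x00" * 4096)
        rec = image_drive(str(drive), str(Path(tmp) / "suspect_drive.dd"))
        # The deleted region survives only in the full image, not in a per-file copy.
        rec["deleted_region_present"] = (
            b"DELETED:memo.txt" in Path(rec["image"]).read_bytes())
        return rec
```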

One of technology's most recognized bylines, David Coursey is Special Correspondent for, where he writes a daily Blog ( and twice-weekly column. He is also Editor/Publisher of the Technology Insights newsletter and President of DCC, Inc., a professional services and consulting firm.

Former Executive Editor of ZDNet AnchorDesk, Coursey has also been Executive Producer of a number of industry conferences, including DEMO, Showcase, and Digital Living Room. Coursey's columns have been quoted by both Bill Gates and Steve Jobs and he has appeared on ABC News Nightline, CNN, CBS News, and other broadcasts as an expert on computing and the Internet. He has also written for InfoWorld, USA Today, PC World, Computerworld, and a number of other publications. His Web site is
