How Will the Data Be Preserved?: It is important to preserve the data in a manner that confirms it was not altered during or after collection. One method is to copy the data to a CD-ROM, though there is still an intermediary period during which the data could have been altered. Another is to use commercially available computer forensic tools to collect the data. Best practices strongly favor this process. The top-of-the-line forensic tools, such as Guidance Software's EnCase, will automatically preserve data and authenticate that it has not changed during or since collection, while also tracking chain of custody.

Access to the Computer: Will the computer be accessed physically or through the network? If the computer is going to be accessed physically, the hard drive can be removed and copied. Most computer forensic investigators use forensic write-blocking devices when this process is chosen. The steps are:
Turn the computer off. (Computer forensic experts have significant training on when and how to power off computers depending on the operating system and the state of the machine.)
Photograph the exterior and attached devices.
Inspect and document the exterior.
Inspect and document the interior.
Document the details of the hard drive(s).
Use a trusted computer and a freshly wiped and formatted hard drive for the collection.
Connect the drive(s) to a write-blocking device, if available.
Copy the data from the hard drive(s) to the newly formatted hard drive, or create an evidence file with the forensic software.
After the copy is complete, verify the integrity of the copied data. This is done by computing an MD5 hash value of the original before the copy and of the copy afterwards and confirming that the two match. Forensic software does this automatically.
Replace the hard drive in the computer, and complete any documentation.
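The before-and-after hash check from the collection steps above, as an added example that is not from the original column or from any forensic product. It hashes a constructed sample "drive" file before the copy, copies it, then hashes both the copy and the source again, so a mismatch on the source side shows the original was written to during collection. MD5 is the algorithm the column names; SHA-256 is computed alongside it as an added precaution, and the file and directory names are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large image is never loaded whole


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file, streamed in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_and_verify(source, dest):
    """Copy source to dest and return a verification record.

    Hash the source before the copy, copy, then hash the copy and re-hash
    the source. 'verified' is True only when all three digests agree; a
    changed post-copy source hash means the original was altered during
    collection (for example, no write blocker in place).
    """
    before = hash_file(source)
    shutil.copyfile(source, dest)
    copy_hashes = hash_file(dest)
    after = hash_file(source)
    return {
        "source": str(source),
        "destination": str(dest),
        "source_hash_before": before,
        "copy_hash": copy_hashes,
        "source_hash_after": after,
        "verified": before == copy_hashes == after,
    }


def demo():
    """Constructed sample: a small file stands in for the original drive."""
    workdir = Path(tempfile.mkdtemp(prefix="evidence_"))  # assumed scratch location
    source = workdir / "original_drive.bin"
    source.write_bytes(b"MBR" + b"\x00" * 509 + b"\x55\xaa" + b"sample data " * 1000)
    dest = workdir / "evidence_copy.bin"
    return acquire_and_verify(source, dest)


if __name__ == "__main__":
    rec = demo()
    print("verified:", rec["verified"], "md5:", rec["copy_hash"]["md5"])
```

The returned record is what you would write into the chain-of-custody documentation alongside the drive details recorded earlier.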
If the computer is going to be accessed remotely, through the network, there is a very good chance that the date and time stamps for the files will be altered in the process. There is only one network-enabled computer forensic tool available that can collect the data in a forensic manner, which is Guidance Software's EnCase Enterprise Edition.

Examine the Data: After the data has been collected, it should be examined. If the examination takes place prior to the collection, the metadata of the files may be altered and permanently destroyed. This is especially true for live systems. Do not examine the original collected data if it is in raw format; the metadata will be permanently altered. Work from a copy, or use a forensic tool that makes an evidence file that prevents any changes whatsoever. Best practices today strongly favor using a forensic tool.

Report or Present the Findings: Whether the information was found or not, a report should be prepared documenting the findings or lack thereof, unless otherwise directed by management or legal counsel. Some computer forensic tools have a reporting mechanism to aid in this step.

Archive the Data: Copy the data and any associated electronic findings to CD-ROM, DVD or digital tape. Label the storage media appropriately. Store it in a safe, secure environment until authorized to destroy it.

There you have the 14 guidelines, best practices and steps an IT staff should follow in conducting an investigation. As I said, it's my hope this information will fall into the hands of everyone who might someday be asked to "look into" someone's computer and doesn't really understand what that process entails.