These columns started as a conversation with John Colbert, president and CEO of Guidance Software, a publisher of forensic software and a provider of professional investigative services. An ex-cop, Colbert ran the professional services business before recently becoming president of the company.
Following our conversation, John was kind enough to summarize the discussion into the bullet points presented here. My hope is that this information will keep well-meaning IT staff out of trouble and encourage proper investigative technique.
If an investigation is going to be conducted by an IT professional, the following seven steps should be considered:
Using Best Practices: Enter into the investigation with the understanding that the courts rely on best practices when making a judgment regarding the admissibility of evidence. Even though the initial thought is that a simple investigation is not going to court, an unexpected discovery could change the entire direction. That's why it is always important to follow best practices.
Taking an introductory course to computer forensics would be extremely helpful to learn the basic best practices for data collection. NIST Special Publication 800-61, called the "Incident Handling Guide," provides a good overview on incident handling, including technical best practices.
How Much Data Should Be Collected?: It is important to decide whether the collection will include a few files or the entire hard drive. This decision should be based upon whether other data on the computer, which most likely will be destroyed or altered if not collected now, may be needed later in the investigation. If deleted files are to be recovered, it is essential to make a complete copy of the entire hard drive, unless enterprise remote-forensic software is used.
Don't forget that the files or data sought may be embedded in database records, compressed archives, encrypted files, e-mail files, etc. It may not be simple to locate the files or data in question. Under these conditions, it may be wise to collect the entire drive, so a subsequent examination can take place offline.
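The "complete copy of the entire hard drive" point above is what a bit-for-bit acquisition with hash verification provides: the image preserves unallocated regions (where deleted-file remnants live), and matching hashes recorded in a log are what later lets the copy stand in for the original. The script below is an added example written for this column; it is not code from the column, from Guidance Software, or from NIST. It assumes a POSIX shell with `dd`, `sha256sum` (GNU coreutils; on macOS substitute `shasum -a 256`), `grep -a`, and `mktemp`, and it images a small constructed file standing in for a drive so that it runs offline.

```bash
#!/bin/sh
# Added example: acquire a bit-for-bit image of a source and verify it by hash.
# The source here is a constructed 8192-byte file, not a real device, so the
# script can be run anywhere; on a real system the source would be /dev/sdX
# (opened read-only, ideally behind a hardware write blocker).

make_test_source() {
  # Construct a fake "drive": one live file plus a remnant of a deleted file
  # sitting in otherwise-zeroed space. Truncated to exactly two 4096-byte blocks
  # so the image below needs no padding and hashes identically to the source.
  src="$1"
  {
    printf 'ACTIVE FILE: quarterly report\n'
    head -c 4096 /dev/zero
    printf 'DELETED REMNANT: old memo contents\n'
    head -c 4096 /dev/zero
  } | head -c 8192 > "$src"
}

acquire_image() {
  # Copy every block of $1 into $2. conv=noerror keeps going past read errors;
  # conv=sync pads an unreadable (or final partial) block to full size so
  # offsets in the image stay aligned with the source. Caveat: on a source
  # whose size is not a multiple of bs, that padding changes the final hash.
  src="$1"; img="$2"
  dd if="$src" of="$img" bs=4096 conv=noerror,sync
}

verify_image() {
  # Hash source and image, append both (with a UTC timestamp) to the
  # acquisition log $3, and return 0 only when the two hashes match.
  src="$1"; img="$2"; log="$3"
  src_hash=$(sha256sum "$src" | cut -d' ' -f1)
  img_hash=$(sha256sum "$img" | cut -d' ' -f1)
  stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  printf '%s source %s\n%s image  %s\n' "$stamp" "$src_hash" "$stamp" "$img_hash" >> "$log"
  [ "$src_hash" = "$img_hash" ]
}

count_remnants() {
  # Count lines in the image containing the deleted-file marker; -a forces
  # text mode so grep reports a count instead of "Binary file matches".
  grep -a -c 'DELETED REMNANT' "$1"
}

demo() {
  work=$(mktemp -d)
  make_test_source "$work/drive.bin"
  acquire_image "$work/drive.bin" "$work/drive.img"
  if verify_image "$work/drive.bin" "$work/drive.img" "$work/acquisition.log"; then
    echo "image verified; remnant lines found: $(count_remnants "$work/drive.img")"
  else
    echo "HASH MISMATCH - do not rely on this image" >&2
  fi
  cat "$work/acquisition.log"
  rm -rf "$work"
}

demo
```

Run it as `sh acquire.sh`; the log it prints is the kind of record that accompanies the image in a case file. Collecting only the one "active" file would have lost the remnant that `count_remnants` finds in the full image, which is the practical argument for imaging the whole drive when deleted data may matter.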