CertiGuide to Security+  9  Chapter 5:  Operational/Organizational Security (Domain 5.0; 15%)       9  5.6  Computer Forensics

5.6.2  Preservation of Evidence 1 5.7  Risk Identification

You are encouraged to follow the footnote to Electronic Crime Scene Investigation: A Guide for First Responders. Keep in mind the following points:

• Do not power down or reboot the system.
  
  
• Do not open files
  
  
• Do unplug the system from the network
  
  
• Do capture running processes and open files
  
  
• If possible, do document current memory and swap files.
  
  
• Do capture mail, DNS and other network service logs supporting hosts.
  
  
• Do a complete port scan of external TCP and UDP port scans of the host.
  
  
• Do contact senior management.
  
  
• Where it is practical to make byte for byte copies of the physical disk without a re-boot, do so.
  
  
• If you are making byte for byte (bit stream) copies, it is preferable to use new drives.
  
  
• If you must use existing drives “sanitize” the drives first (low-level format) to eliminate the possibility of a virus.
  
  
• Take pictures of internal components.
  
  
• Document make/model/serial numbers, cable configuration and type.
  
  
• Label evidence “bag and tag”.
  
  
• Repeat photographic process with labels on evidence.
  
  
• Document who, what, when (with precise time), how, and why.
  
  
• Have evidence custodian initial each item at the scene, along with initials of worker.
  
  
• Photograph/videotape above procedures through process to the evidence room.
  
  
• Include hardware for specialized media, i.e., zip disks.
  
  
• Be extra careful with battery powered devices i.e., laptops.

5.6.2  Preservation of Evidence 1 5.7  Risk Identification