Data Forensics Engineering

Policies

 

 


 

 

 

Data Forensic Policies for Evidence Collection

    Preservation

  • Collect all information and computers for preservation from the authorized custodian and store them securely.

  • Create a chain of custody and document everything pertaining to the evidence.

  • Create an evidentiary copy of the hard drive using approved and tested computer forensic software.

  • Always use sanitized media to store the evidence.

    Documentation

  • Document all procedures and the chain of custody.

  • Documentation of all steps performed to gather evidence is a critical and integral part of any investigation.

    Trust

  • Never trust the subject's operating system or network.

  • Never log on to or boot up a subject's original operating system.

  • If the subject's operating system is turned on:

        record everything and disconnect the system using a method appropriate to the OS and computer.

Forensics Workstation Validation

  • Install the operating system with all service packs, virus protection and forensic software
  • Create a backup image of the operating system
  • Connect the target test drive to the write block
  • Verify HPA
  • Compute the MD5 hash of the target hard drive
  • Image the hard drive with approved forensics software
  • Verify the image and compute the MD5 hash of the image
  • Shut down the computer
  • Restart the computer and compute a new MD5 hash
  • All MD5 hashes should match
  • Complete this procedure for all write block devices and record your findings
  • Each step should be documented in working notes.
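
The hash, image, verify and re-hash sequence above can be scripted so that every digest lands in the working notes. The following is an added example, not code from this site or from any forensic product: the function names and device label are hypothetical, the test drive is a constructed temporary file, and the HPA check and the physical shutdown and restart are outside what the script covers.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large drive never sits in memory

def md5_of(path):
    """Stream a file or block device through MD5 and return the hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_drive(source, image_path):
    """Copy source to image_path block by block; return the MD5 of the bytes read."""
    h = hashlib.md5()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()

def validate_write_block(source, image_path, device_label):
    """Run the hash / image / verify / re-hash sequence; return a notes record."""
    record = {"device": device_label,
              "started_utc": datetime.now(timezone.utc).isoformat()}
    record["md5_before"] = md5_of(source)            # hash the target drive
    record["md5_acquired"] = image_drive(source, image_path)
    record["md5_image"] = md5_of(image_path)         # verify the written image
    # On a real workstation, shut down and restart here before the final hash.
    record["md5_after"] = md5_of(source)
    digests = {record[k] for k in
               ("md5_before", "md5_acquired", "md5_image", "md5_after")}
    record["passed"] = len(digests) == 1             # all MD5 hashes should match
    return record

def demo():
    """Constructed stand-in for a test drive: a temp file of random bytes."""
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "test_drive.bin")
        with open(drive, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 517))     # size not a multiple of CHUNK
        return validate_write_block(drive, os.path.join(d, "image.dd"),
                                    "WB-01 (constructed label)")

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A record with `passed` set to false means a digest changed somewhere in the sequence, and the write block under test should not be used for evidence.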

 


 

 

Send mail to info@dataforensicsengineering.com with questions or comments about this web site.
Copyright © 2005 Data Forensics Engineering
Last modified: December 11, 2005