Data Collection/Acquisition

Examination Process:
The steps involved for a computing investigation are summarized in the following paragraphs. While this really doesn't do the process justice, it does serve as a quick overview.

• Establish a chain of custody. Be aware at all times where any items related to the investigation are located. Use a safe or cabinet to secure items.
• Maintain the integrity of the original media. The original source of information should not be altered. a exact copy of a hard drive image would be made and that image is authenticated against the original to make sure that it is indeed exact.
• Catalog all information. This includes active, archival, and latent data. Information that has been deleted will be recovered to whatever extent possible. Encrypted information and information that is password protected is identified, as well as anything that indicates attempts to hide or obfuscate data.
• Additional sources of information are obtained, as the circumstances dictate. Firewall logs, Proxy server logs, Kerberos server logs, sign-in sheets, etc.
• The information will be analyzed and interpreted to determine possible evidence. Both exculpatory (they didn’t do it) and inculpatory (they did it) evidence is sought out. If appropriate, encrypted files and password protected files are "cracked."
• Submit a written report to the client with your findings and comments.
• If needed, provide testimony at a deposition, trial, or other legal proceeding.