Multiple computers may indicate a network. Likewise, computers located at businesses are often networked. In these situations, specialised knowledge about the system is often required to effectively recover evidence and reduce your liability. When networks are encountered, contact your computer forensic expert for assistance.
A ‘stand-alone’ personal computer is a computer not connected to a network or other computer. These may be desktop machines or laptops.
Laptops incorporate a computer, monitor, keyboard, and mouse into a single portable unit. Laptops differ from other computers in that they can run from mains electricity or from a battery; therefore, in addition to the stand-alone power-down procedure, the battery must be removed. If the computer is on, document the existing conditions and contact your expert. If an expert is not available, continue with the following procedure:
After securing the scene, read all steps below before taking any action (or evidentiary integrity may be lost).
a. Record in notes all actions you take and any changes that you observe in the monitor, computer, printer, or other peripherals that result from your actions.
b. Observe the monitor and determine if it is on, off, or in sleep mode. Then decide which of the following situations applies and follow the steps for that situation.
Condition 1: Monitor is on and last activity and/or desktop is visible.
1. Photograph screen and record information displayed.
2. Proceed to step c.
Condition 2: Monitor is on and screen is blank (sleep mode) or screensaver is visible.
1. Move the mouse slightly (without pushing buttons). The screen should change and show last activity or request a password.
2. If mouse movement does not cause a change in the screen DO NOT perform any other keystrokes or mouse operations.
3. Photograph the screen and record the information displayed.
4. Proceed to step c.
Condition 3: Monitor is off.
1. Make a note of the ‘off’ status.
2. Turn the monitor on, then determine whether the monitor status matches condition 1 or 2 above and follow the steps for that condition.
c. Regardless of the power state of the computer (on, off, or sleep mode), remove the power cable from the computer, NOT from the wall socket. If dealing with a laptop, in addition to removing the power cord, remove the battery. The battery is removed to prevent any power reaching the system. Some laptops have a second battery in the multipurpose bay instead of a floppy or CD drive. Check for this and remove that battery as well.
* Check for outside connectivity (e.g. telephone modem, cable, ISDN, DSL, wireless). If a telephone connection is present, attempt to identify the telephone number.
* To avoid damage to potential evidence, remove any floppy diskettes that are present, package the diskettes separately, and label the package. If available, insert either a forensic boot disk or a blank floppy disk. Do NOT remove CDs or touch the CD drive.
* Place tape over all the drive slots and over the power connector.
* Record make, model, and serial number.
* Photograph and sketch the connections of the computer and corresponding cables.
* Label all connectors and cable ends (including connections to peripheral devices) to allow for exact reassembly at a later time. Label unused connection ports as ‘unused’. Identify laptop computer docking stations in an effort to identify other storage media.
* Record or log evidence according to your procedures.
* If transport is required, package the components carefully.
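Several of the steps above (record every action and the change it produced, record make, model and serial number, label every connector) are documentation steps, and the value of that documentation rests on it being provably unaltered afterwards. The following Python module is an added example, not part of the original guide: it keeps a scene log in which every entry is hash-chained to its predecessor, so that an entry altered, reordered or deleted after the fact fails verification. The case id, examiner name, timestamps, device details and photo reference are constructed placeholders.

```python
"""Hash-chained scene log: each entry commits to the previous entry's hash,
so any later edit, reordering or deletion of a note is detectable."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class Entry:
    seq: int            # position in the log, starting at 0
    timestamp: str      # ISO-8601 UTC time the action/observation was noted
    action: str         # what the responder did (e.g. "moved mouse slightly")
    observation: str    # what changed on screen or peripherals as a result
    prev_hash: str      # entry_hash of the previous entry (GENESIS for the first)
    entry_hash: str     # SHA-256 over all of the fields above


GENESIS = "0" * 64  # constructed sentinel used as the first entry's predecessor


def _digest(seq, timestamp, action, observation, prev_hash):
    # Canonical JSON (sorted keys, no whitespace) so identical fields always
    # hash identically regardless of insertion order.
    payload = json.dumps(
        {"seq": seq, "timestamp": timestamp, "action": action,
         "observation": observation, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class SceneLog:
    """Append-only record for one item of equipment at a scene."""

    def __init__(self, case_id, examiner):
        self.case_id = case_id
        self.examiner = examiner
        self.device = {}       # make / model / serial number
        self.connectors = {}   # port label -> what was plugged in, or "unused"
        self.entries = []

    def record(self, action, observation="", timestamp=None):
        """Append one action/observation pair, chained to the previous entry."""
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        seq = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = Entry(seq, ts, action, observation, prev,
                      _digest(seq, ts, action, observation, prev))
        self.entries.append(entry)
        return entry

    def identify_device(self, make, model, serial, timestamp=None):
        self.device = {"make": make, "model": model, "serial": serial}
        return self.record("recorded make/model/serial",
                           f"{make} {model}, S/N {serial}", timestamp)

    def label_connector(self, port, cable, timestamp=None):
        self.connectors[port] = cable
        return self.record(f"labelled port {port}", f"connected to: {cable}", timestamp)

    def verify(self):
        """Recompute the chain; False if any entry was altered, reordered or removed."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if _digest(e.seq, e.timestamp, e.action, e.observation, e.prev_hash) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def to_json(self):
        """Serialise the whole record for the evidence file."""
        return json.dumps({"case_id": self.case_id, "examiner": self.examiner,
                           "device": self.device, "connectors": self.connectors,
                           "entries": [asdict(e) for e in self.entries]},
                          indent=2, sort_keys=True)


def demo_walkthrough():
    """Constructed walkthrough of the condition 2 branch followed by step c."""
    def ts(minute):  # constructed, fixed timestamps so the demo is reproducible
        return f"2024-01-01T10:{minute:02d}:00+00:00"

    log = SceneLog("CASE-0000-EXAMPLE", "Responder A")  # placeholder identifiers
    log.record("observed monitor", "monitor on, screen blank", ts(0))
    log.record("moved mouse slightly, no buttons pressed",
               "screen now shows desktop; no password prompt", ts(1))
    log.record("photographed screen", "photo ref IMG_0001 (constructed)", ts(2))
    log.record("removed power cable at the computer end", "system powered off", ts(3))
    log.record("removed laptop battery", "no second battery in multipurpose bay", ts(4))
    log.identify_device("ExampleCorp", "Model-X", "SN-000000", ts(5))
    log.label_connector("USB-1", "external mouse", ts(6))
    log.label_connector("USB-2", "unused", ts(7))
    log.record("taped drive slots and power connector", "", ts(8))
    return log


if __name__ == "__main__":
    walkthrough = demo_walkthrough()
    print(walkthrough.to_json())
    print("chain intact:", walkthrough.verify())
```

The chain only proves that the log has not changed since the entries were written; it says nothing about the honesty of the entries themselves, which is why the guide still requires photographs and a second form of record where possible. Exporting the JSON and keeping its hash with the physical evidence ties the written record to the item.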
Principle: Computer evidence, like all other evidence, must be handled carefully and in a manner that preserves its evidential value. This relates not just to the integrity of an item or device, but also to the electronic data it contains. Certain types of computer evidence therefore require special collection, packaging, and transportation. Consideration should be given to protecting data that may be susceptible to damage or alteration from electromagnetic fields such as those generated by static electricity, magnets, radio transmitters, and other devices.
Policy: Electronic evidence should be collected according to your organizational guidelines. In the absence of guidelines outlining procedures for electronic evidence collection, the following procedures are recommended.
Note: Prior to collection of evidence, it is assumed that locating and documenting has been done as previously described. Be aware that other types of evidence, such as DNA or fingerprints, may also be present.