
Ques: Develop a procedure for systematically examining a crime scene for digital evidence.

During a live investigation, there are two main goals:

1. We need to confirm that an incident has actually occurred.
2. Retrieve all the possible live volatile data. If the power has been turned off, the data is
lost or corrupted.
To ensure a systematic examination of the crime scene for digital evidence there are
certain steps that can be followed:
1. Initial entrance to the crime scene:
When the investigators enter the crime scene, they need to obtain enough
information to determine the response most likely to produce the best
results. The investigators need to consider the totality of the circumstances.
Investigators must learn everything they can before responding or proceeding with the
criminal case.
2. Ensure the safety of the officers:
It is important that the officers are completely safe before proceeding towards
collecting and recording the digital evidence. The crime scene also needs to be
protected, because the suspect may be armed and could harm the officers.
3. Separation of the suspect from the computer:
The suspect has the ultimate access to the computer or electronic device and could
easily corrupt or remove the data, so the officers should immediately put some distance
between the suspect and the computer. This is extremely important in order to
maintain the integrity of the data.
4. Look for and collect all the removable media:
All data needs to be removed from the crime scene. Volatile system data needs to
be protected, as it may be corrupted or lost after the power is turned off. During the
removal of the evidence, it is extremely necessary to obtain all the information, and the
removal and collection of data should be done with extreme caution. While handling
trusted files on a CD, the investigator needs to respond quickly, professionally and
successfully. During the removal of the evidence, the following steps are required:

- Save the retrieved data to the hard drive
- Record the data in the notebook by hand
- Save data onto the response floppy disk or any removable storage
medium
- Save data on a remote system using netcat or cryptcat

5. Collect all the written passwords:
If the computer was used to hack into a network password file, the investigator will
know to look for password cracking software and password files. It is important to be
on the lookout for passwords. Forensic software tools and methods can be used to
identify passwords, logins, and other information that is automatically dumped from
the computer memory as a transparent operation of today's popular personal
computer operating systems.
6. Evidence of the network:
The network port or modem used in the transmission of the data, or any other
communication device, is also very important evidence. The communication device
should be disconnected from the system as quickly as possible. However,
disconnecting a system from a live network/communications session presents some
risks.
Firstly, if the system is connected to a co-conspirator in some way, disconnecting
the communications without warning may alert members of the
gang to the fact that something untoward has happened. This may give them time to
destroy evidence of their own involvement before they have been identified.
Secondly, it is possible for a system to detect loss of communications and
commence action ranging from deletion of data to, in theory, triggering an explosive
device.
Finally, in the case of mobile phones, switching the phone off to remove it from the
network causes the phone to change internal data which might have been useful to
the investigation. It is better, whenever possible, to seek advice from a specialist
about how to deal with live communications, but if this is not possible, accurate
recording of the actions taken should allow the laboratory-based digital evidence
examiner to account for any anomalies caused by actions taken in the field.
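As an added example (not part of the original answer), the following POSIX shell script sketches the volatile-data capture described in step 4 together with the accurate recording of actions that step 6 recommends: each command's output is saved to a file, hashed, and logged in a manifest with a UTC timestamp and the exact command line; the manifest itself is hashed; and a verify function detects later modification. The evidence directory, file names and the particular commands are assumptions for illustration; which tools exist on a given machine varies, so a missing tool is logged in the manifest rather than aborting the collection.

```shell
#!/bin/sh
# Added example (hypothetical): minimal volatile-data collection with a
# hash manifest. Not taken from the page; paths and commands are assumptions.

set -u

# Hash a file with whatever SHA-256 tool is available (sha256sum on Linux,
# shasum on BSD/macOS). Prints only the hex digest.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Run one command, save its output (stdout and stderr) into the evidence
# directory and append a manifest line:
#   <utc timestamp> <sha256> <file> <command line> (<status>)
# A missing or failing tool is recorded, not fatal, so collection continues.
capture() {
    outdir=$1; name=$2; shift 2
    outfile="$outdir/$name.txt"
    if "$@" > "$outfile" 2>&1; then status=ok; else status="exit=$?"; fi
    printf '%s %s %s %s (%s)\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(hash_file "$outfile")" "$name.txt" "$*" "$status" >> "$outdir/MANIFEST"
}

# Collect volatile data roughly in order of volatility (most volatile first):
# clock, running processes, network state, logged-in users, then system info.
# In the field the output directory would be removable media or a netcat
# target; here it is a local directory so the example runs anywhere.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    : > "$outdir/MANIFEST"
    capture "$outdir" 01_date date -u
    capture "$outdir" 02_processes ps aux
    capture "$outdir" 03_network ss -tunap     # logged as missing if absent
    capture "$outdir" 04_users who
    capture "$outdir" 05_system uname -a
    # Hash the manifest itself so later tampering with the log is detectable.
    hash_file "$outdir/MANIFEST" > "$outdir/MANIFEST.sha256"
}

# Re-hash every file named in the manifest; returns 1 on the first mismatch.
verify_manifest() {
    outdir=$1
    while read -r ts sum file rest; do
        [ "$(hash_file "$outdir/$file")" = "$sum" ] || return 1
    done < "$outdir/MANIFEST"
    return 0
}
```

Usage is `collect_volatile /path/to/evidence` at the scene and `verify_manifest /path/to/evidence` in the laboratory; the manifest's timestamps and recorded command lines are what let the examiner account for any anomalies the field actions introduced, as the text describes.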
