Ques: Develop a procedure for systematically examining a crime scene for digital evidence.

During a live investigation, there are two definite goals:

1. Confirm that an incident has actually occurred.
2. Retrieve all possible live volatile data. If the power has been turned off, that data is lost or corrupted.

To ensure a systematic examination of the crime scene for digital evidence, the following steps can be followed:

1. Initial entrance to the crime scene: When investigators enter the crime scene, they need to obtain enough information to determine the response that will give the best results. They must consider the totality of the circumstances and learn everything they can before responding or proceeding with the criminal case.

2. Ensure the safety of the officers: It is important that the officers are completely safe before they proceed to collect and record digital evidence. The crime scene itself also needs to be protected, since the suspect may be armed and could harm the officers.

3. Separate the suspect from the computer: The suspect has the most direct access to the computer or electronic device and could easily corrupt or remove the data. The officers should immediately put distance between the suspect and the computer; this is essential for maintaining the integrity of the data.

4. Look for and collect all removable media: Any data needs to be removed from the crime scene. Volatile system data needs to be protected, as it may be corrupted or lost once the power is turned off. During the removal of evidence it is essential to obtain all of the information, and removal and collection must be done with extreme caution. When working from trusted files on a CD, the investigator needs to respond quickly, professionally and successfully. During the removal of the evidence, the following steps are required:
- Save the retrieved data to the hard drive
- Record the data in the notebook by hand
- Save data onto the response floppy disk or any removable storage medium
- Save data on a remote system using netcat or cryptcat

5. Collect all written passwords: If the computer was used to hack into a network password file, the investigator will know to look for password-cracking software and password files. It is important to be on the lookout for passwords. Forensic software tools and methods can be used to identify passwords, logins and other information that is automatically dumped from the computer's memory as a transparent operation of today's popular personal computer operating systems.

6. Evidence of the network: The network port or modem used to transmit the data, or any other communication device, is also very important evidence. The communication device should be disconnected from the system as quickly as possible. However, disconnecting a system from a live network or communications session presents some risks. Firstly, if the system is connected to a co-conspirator in some way, disconnecting the communications without warning may alert members of the gang that something untoward has happened, giving them time to destroy evidence of their own involvement before they have been identified. Secondly, it is possible for a system to detect the loss of communications and commence action ranging from deletion of data to, in theory, triggering an explosive device. Finally, in the case of mobile phones, switching the phone off to remove it from the network causes the phone to change internal data that might have been useful to the investigation. Wherever possible, it is better to seek advice from a specialist about how to deal with live communications; if this is not possible, accurate recording of the actions taken should allow the laboratory-based digital evidence examiner to account for any anomalies caused by actions taken in the field.
If the computer was used to hack into a network password file, the investigator will know to look for password cracking software and password files. It is important to be on a lookout for the passwords. Forensic software tools and methods can be used to identify passwords, logins, and other information that is automatically dumped from the computer memory as a transparent operation of today’s popular personal computer operating systems. 6. Evidence of the network: The network port or modem used in the transmission of the data or any communication device is also very important evidence. The communication device should be disconnected from the system as quickly as possible. However, disconnecting a system from a live network /communications session presents some risks. Firstly, if the system is connected to a co-conspirator in some way, the disconnection of the communications without warning may alert members of the gang to the fact that something untoward has happened. This may give them time to destroy evidence of their own involvement before they have been identified Secondly, it is possible for any system to detect loss of communications and commence action ranging from deletion of data to, in theory, triggering an explosive device. Finally, in the case of mobile phones, switching the phone off to remove it from the network causes the phone to change internal data which might have been useful to the investigation. It is better when at all possible, to seek advice from a specialist about how to deal with live communications, but if this is not possible, accurate recording of the actions taken should allow the laboratory-based digital evidence examiner to account for any anomalies caused by actions taken in the field.