|Read this whole guide offline with no ads, for a low price!|
Use coupon code "certiguide" to save 20%!
|Need more practice? 300 additional Security+ questions!|
|Get It Here!|
5.6.3 Collection of evidence
You are encouraged to follow the
footnote to Electronic Crime Scene Investigation: A Guide for First
Responders. Keep in mind the following points:
- Do not power down or reboot the system.
- Do not open files
- Do unplug the system from the network
- Do capture running processes and open files
- If possible, do document current memory and swap
- Do capture mail, DNS and other network service
logs supporting hosts.
- Do a complete port scan of external TCP and UDP
port scans of the host.
- Do contact senior management.
- Where it is practical to make byte for byte copies
of the physical disk without a re-boot, do so.
- If you are making byte for byte (bit stream)
copies, it is preferable to use new drives.
- If you must use existing drives sanitize
the drives first (low-level format) to eliminate the possibility of
- Take pictures of internal components.
- Document make/model/serial numbers, cable configuration
- Label evidence bag and tag.
- Repeat photographic process with labels on evidence.
- Document who, what, when (with precise time),
how, and why.
- Have evidence custodian initial each item at
the scene, along with initials of worker.
- Photograph/videotape above procedures through
process to the evidence room.
- Include hardware for specialized media, i.e.,
- Be extra careful with battery powered devices
|If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!|
Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.