5.6.3  Collection of Evidence

You are encouraged to follow the footnote to Electronic Crime Scene Investigation: A Guide for First Responders. Keep in mind the following points:

  • Do not power down or reboot the system.

  • Do not open files.

  • Do unplug the system from the network.

  • Do capture running processes and open files.

  • If possible, do document current memory and swap files.

  • Do capture mail, DNS and other network service logs supporting hosts.

  • Do a complete external TCP and UDP port scan of the host.

  • Do contact senior management.

  • Where it is practical to make byte for byte copies of the physical disk without a re-boot, do so.

  • If you are making byte for byte (bit stream) copies, it is preferable to use new drives.

  • If you must use existing drives, “sanitize” the drives first (low-level format) to eliminate the possibility of a virus.

  • Take pictures of internal components.

  • Document make/model/serial numbers, cable configuration and type.

  • Label evidence (“bag and tag”).

  • Repeat photographic process with labels on evidence.

  • Document who, what, when (with precise time), how, and why.

  • Have the evidence custodian initial each item at the scene, along with the initials of the worker who collected it.

  • Photograph/videotape the above procedures throughout the process, up to delivery to the evidence room.

  • Include hardware for specialized media, e.g., Zip disks.

  • Be extra careful with battery-powered devices, e.g., laptops.
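The imaging and documentation steps above (a byte-for-byte copy, hash verification of the image, and a who/what/when/how/why record carrying the custodian's initials), as an added Python example that is not part of the CertiGuide text. A small constructed random file stands in for the physical disk, and the function names, field layout and sample collector/custodian values are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
CHUNK = 1 << 20  # copy and hash in 1 MiB blocks

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def bitstream_copy(source, dest):
    """Byte-for-byte copy of source to dest; hash the source as it is read and
    re-hash the finished image from disk so the two digests can be compared."""
    src_hash, copied = hashlib.sha256(), 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
    return src_hash.hexdigest(), sha256_file(dest), copied

def custody_record(source, dest, collector, custodian, description, why):
    """who/what/when/how/why entry for one imaged item; refuses to record an image that did not verify."""
    src_digest, img_digest, copied = bitstream_copy(source, dest)
    if src_digest != img_digest:
        raise RuntimeError("image verification failed: source and image hashes differ")
    return {
        "who": {"collected_by": collector, "custodian_initials": custodian},
        "what": {"item": description, "source": source, "image": dest,
                 "bytes": copied, "sha256": img_digest},
        "when": datetime.now(timezone.utc).isoformat(timespec="microseconds"),
        "how": "bit-stream copy to new media; SHA-256 of source and image compared",
        "why": why,
    }

def verify_image(record):
    """Later check (e.g. at the evidence room): image still hashes to the value recorded at the scene."""
    return sha256_file(record["what"]["image"]) == record["what"]["sha256"]

def demo():
    """Constructed sample: a small random file stands in for the physical disk."""
    workdir = tempfile.mkdtemp()
    disk, image = os.path.join(workdir, "disk.raw"), os.path.join(workdir, "disk.img")
    with open(disk, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # not a block multiple, to exercise the tail
    return custody_record(disk, image, "J. Doe (hypothetical)", "JD",
                          "hypothetical workstation disk", "constructed incident for illustration")
```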


CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.