76
CHAPTER 7
Seizing, imaging, and analyzing digital evidence
If the computer system appears powered off, this should first be confirmed. The unit could be in sleep mode, or a blank screen saver could be giving the impression that it is powered down. All lights should be examined to see that they are not lit, for example, hard drive activity lights. If after careful examination it is considered to be in sleep mode, then it should be treated as powered on (see the following paragraph). If it is confirmed as switched off, it should not be powered on, as doing so will immediately compromise the validity of the evidence and allow the suspect repudiation on the grounds that there has been interaction with the media by law enforcement. After ensuring that all cables, connections, and system equipment have been labeled and recorded as previously discussed, the system and all the peripherals and surrounding equipment can be disconnected and seized. If the system is a laptop, then the battery should be removed to ensure that it is entirely powered down and cannot be accidentally turned on.
If the computer is powered on, it is considered to be “live.” Images on the screen should be photographed; once this has been done, there are two possible paths available. The computer can be turned off to prevent any contamination of the evidence. If this option is chosen, then it is advisable to unplug the system, or disconnect the battery if it is a laptop, rather than take the usual action of shutting down the system from within the operating system. This is intended not only to limit the interaction with the live system, but also to address the possibility that the malicious party has set the machine to delete files on shutdown. However, turning off a live system can result in losing crucial ephemeral evidence stored in volatile RAM, for example decryption keys and remnants of conversations in chat rooms and on social media. The alternate approach is to acquire the contents of RAM from the live system by extracting a memory dump. The details of when and how this should be done are discussed in the RAM acquisition section which follows. With the RAM acquisition complete, the system can be powered down in the manner previously described.
Finally, all equipment seized must be recorded using unique identifiers and have exhibit tags attached. All actions taken in the area at the time of the seizure should be documented. All reasonable efforts should be taken to prevent inadvertent operation of equipment, e.g., placing tamper-proof tape over USB ports and, as previously discussed, ensuring the batteries are removed from laptops. Tamper-proof tape should also be used on containers to ensure that the evidence is not modified or damaged during transport. Any subsequent movement of this evidence must be documented with check-in and check-out records to preserve the chain of custody.
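The exhibit identifiers and check-in/check-out records described above can be kept as a tamper-evident custody ledger. The following is an added example, not from the chapter or any particular agency's system: every movement of an exhibit is recorded as a hash-chained entry, and `verify()` reports any altered record or any break in continuous custody (a check-out while another custodian holds the exhibit, or a movement of an exhibit that was never seized). Exhibit IDs, names, and timestamps are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class CustodyLedger:
    # Each entry records one movement of an exhibit; the hash of each entry
    # covers the previous entry's hash, so later alteration of an earlier
    # record is detectable (constructed example, not a standard format).
    entries: list = field(default_factory=list)

    def _digest(self, record, prev_hash):
        payload = json.dumps(record, sort_keys=True) + prev_hash
        return hashlib.sha256(payload.encode()).hexdigest()

    def record(self, exhibit, action, custodian, location, timestamp):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        record = {"exhibit": exhibit, "action": action, "custodian": custodian,
                  "location": location, "timestamp": timestamp}
        record["hash"] = self._digest(record, prev)
        self.entries.append(record)

    def verify(self):
        # Returns a list of problems; empty means the chain is intact and
        # custody of every exhibit is continuous.
        problems = []
        prev = "0" * 64
        holder = {}  # exhibit -> custodian holding it (None = in evidence store)
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if self._digest(body, prev) != e["hash"]:
                problems.append(f"entry {i}: hash mismatch (record altered)")
            prev = e["hash"]
            ex, act = e["exhibit"], e["action"]
            if act == "seize":
                if ex in holder:
                    problems.append(f"entry {i}: exhibit {ex} seized twice")
                holder[ex] = e["custodian"]
            elif act == "check-in":
                if holder.get(ex) is None:
                    problems.append(f"entry {i}: {ex} checked in but nobody held it")
                holder[ex] = None
            elif act == "check-out":
                if ex not in holder:
                    problems.append(f"entry {i}: {ex} checked out before seizure")
                elif holder[ex] is not None:
                    problems.append(f"entry {i}: {ex} checked out while held by {holder[ex]}")
                holder[ex] = e["custodian"]
            else:
                problems.append(f"entry {i}: unknown action {act}")
        return problems
```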