Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
You now have enough information to build a step-by-step guide for the collection of the evidence. Once again, this is only a guide—you should customize it to your specific situation. You should perform the following collection steps:
- Find the evidence
- Find the relevant data
- Create an Order of Volatility
- Remove external avenues of change
- Collect the evidence
- Document everything
Find the Evidence
Determine where the evidence you are looking for is stored. Use a checklist—not only does it help you to collect evidence but it also can be used to double-check that everything you are looking for is there.
Find the Relevant Data
Once you’ve found the evidence, you must figure out what part of it is relevant to the case. In general, you should err on the side of over-collection, but you must remember that you have to work fast—don’t spend hours collecting information that is obviously useless.
Create an Order of Volatility
Now that you know exactly what to gather, work out the best order in which to gather it. The Order of Volatility for your system is a good guide, and ensures that you minimize loss of uncorrupted evidence.
Remove External Avenues of Change
It is essential that you avoid alterations to the original data, and prevention is always better than a cure. Preventing anyone from tampering with the evidence helps you to create as exact an image as possible. However, you have to be careful—the attacker may have been smart and left a dead-man switch. In the end, you should try to do as much as possible to prevent changes.
Collect the Evidence
You can now start to collect the evidence using the appropriate tools for the job. As you go, reevaluate the evidence you’ve already collected. You may find that you missed something important. Now is the time to make sure you get it.
Document Everything
Your collection procedures may be questioned later, so it is important that you document everything that you do. Timestamps, digital signatures, and signed statements are all important—don’t leave anything out!
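The six steps above fit together as one procedure, so here is a small Python model of it as an added example (not code from the book): the items found are filtered to the relevant ones, sorted by an Order of Volatility, acquired one at a time, and every acquisition is logged with UTC timestamps, size, examiner and a SHA-256 digest that can later be re-checked. The evidence sources, the volatility ranks (an assumption loosely following the RFC 3227 ordering) and the artifact contents are all constructed for illustration; a real acquisition would use imaging and memory-capture tools in place of the `acquire` callback.

```python
# Added example: ordering, collecting and documenting evidence.
# Sources, ranks and artifact bytes below are constructed, not real case data.
import hashlib
import json
from datetime import datetime, timezone

# Order of Volatility: lower rank = more volatile = collect earlier.
# Assumed ranking loosely following RFC 3227; adapt it to the system at hand.
VOLATILITY_RANK = {
    "memory": 0,
    "network_state": 1,
    "running_processes": 2,
    "disk": 3,
    "remote_logs": 4,
    "archival_media": 5,
}

# Constructed result of the "find the evidence" step. The 'relevant' flag is
# the examiner's decision from the "find the relevant data" step.
SAMPLE_ITEMS = [
    {"name": "sda1_image",  "type": "disk",              "relevant": True},
    {"name": "ram_dump",    "type": "memory",            "relevant": True},
    {"name": "netstat_out", "type": "network_state",     "relevant": True},
    {"name": "vendor_dvd",  "type": "archival_media",    "relevant": False},
    {"name": "ps_listing",  "type": "running_processes", "relevant": True},
]

# Constructed artifact contents standing in for what real acquisition returns.
SAMPLE_ARTIFACTS = {
    "ram_dump": b"\x00" * 64 + b"constructed-memory-contents",
    "netstat_out": b"tcp 0 0 10.0.0.5:22 192.0.2.7:51514 ESTABLISHED\n",
    "ps_listing": b"PID CMD\n1 init\n4242 sshd\n",
    "sda1_image": b"CONSTRUCTED-DISK-IMAGE" * 8,
}


def select_relevant(items):
    """Keep only the items the examiner judged relevant to the case."""
    return [it for it in items if it.get("relevant")]


def order_by_volatility(items):
    """Most volatile first; unknown types sort after every known type."""
    unknown = len(VOLATILITY_RANK)
    return sorted(items, key=lambda it: VOLATILITY_RANK.get(it["type"], unknown))


def plan_collection(items):
    """Names of the relevant items in the order they should be acquired."""
    return [it["name"] for it in order_by_volatility(select_relevant(items))]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def collect_all(items, acquire, examiner):
    """Acquire each relevant item in volatility order; return (copies, log).

    `acquire` is a caller-supplied function item -> bytes. The log is the
    documentation record: who collected what, when, and its digest.
    """
    log, store = [], {}
    for it in order_by_volatility(select_relevant(items)):
        started = datetime.now(timezone.utc).isoformat()
        data = acquire(it)
        store[it["name"]] = data
        log.append({
            "name": it["name"],
            "type": it["type"],
            "rank": VOLATILITY_RANK.get(it["type"]),
            "started_utc": started,
            "finished_utc": datetime.now(timezone.utc).isoformat(),
            "size_bytes": len(data),
            "sha256": sha256_hex(data),
            "examiner": examiner,
        })
    return store, log


def verify_log(store, log):
    """Re-hash every stored copy against its logged digest; True if all match."""
    return all(sha256_hex(store[r["name"]]) == r["sha256"] for r in log)


def write_log(log, path):
    """Persist the collection record as JSON so it can be reviewed later."""
    with open(path, "w") as fh:
        json.dump(log, fh, indent=2)


if __name__ == "__main__":
    copies, record = collect_all(
        SAMPLE_ITEMS, lambda it: SAMPLE_ARTIFACTS[it["name"]], "examiner-01")
    print(json.dumps(record, indent=2))
    print("integrity ok:", verify_log(copies, record))
```

The digests in the log are what lets a later reviewer confirm that the copies examined are the copies collected; the same check fails as soon as any stored copy differs by a single byte, which is the point of recording it at collection time rather than afterwards.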