Procedure for Computer Evidence Seizure
When a compromise of security or an unauthorized/illegal action associated with a computer is suspected, it is important that steps are taken to protect the data within the computer and/or storage media.
The initial response to a computer security incident may matter more than the later technical analysis of the system, because the actions taken by incident response team members affect every subsequent laboratory examination of the computer and/or media. What matters most is that the first responder acts appropriately.
In the event of a suspected computer incident, care must be taken to preserve evidence in its original state. While it may seem that simply viewing files on a system would not alter the original media, opening a file changes it. In a legal sense, it is then no longer the original evidence and may be inadmissible in any subsequent legal or administrative proceedings.
The activities/procedures for securing a suspected computer incident scene include:
Securing the scene
Shutting down the computer
Labeling the evidence
Documenting the evidence
Transporting the evidence
Providing chain-of-custody documentation
Securing the scene
The entire work area, office, or cubicle is a potential crime scene, not just the computer itself. The work area should be secured and protected to maintain the integrity of the scene and the storage media. While waiting for the official incident responder, no one should be allowed to touch the computer, including shutting it down, exiting any programs or files in use at the time, or removing anything from the scene. All individuals at the scene should be identified and briefly interviewed to determine their access to the computer and work area before being asked to leave.
Under no circumstances should anyone, with the exception of qualified computer forensics personnel, make any attempts to restore or recover information from a computer system. It is important to remember that the data present within the storage media is potential evidence and should be treated accordingly. Any attempts to retrieve data by unqualified individuals should be avoided as these attempts could either compromise the integrity of the files or result in the files being inadmissible in legal or administrative proceedings.
Procedure for previewing and taking BitStream Backup
Photograph the scene.
If the computer is ON, photograph the screen and note down the names of the programs being run.
Do not switch off the computer. Simply pull the power cord from the back of the computer.
Open the computer and inspect the inside for unusual connections or configuration.
Disconnect the power cables to all the storage hard drives.
Switch on the suspect computer and run the CMOS Setup routine to ensure that the computer is set to boot from the floppy drive. To enter the CMOS Setup, most systems flash the correct key on the screen as the system boots. If not, the following setup keys are common:
Compaq computers:  F10
IBM computers:     F1
Some PC clones:    Del, F2, Ctrl-Alt-Esc or Ctrl-Alt-Enter
Make sure that the computer's boot sequence is set to boot from the floppy drive. Exit the BIOS Setup, saving the changes. Switch off the system.
Insert the BitStream Software booting floppy into the floppy drive. Switch on the computer. Make sure the system boots from the floppy.
Power off the computer and reconnect the disk drive power cables.
For Previewing
Remove the parallel port cable from the computer and connect the cable from the kit brought by the team.
Connect the other end of the cable to the PC or Notebook PC brought by the team which contains the analysis software.
Run the BitStream Software from the floppy, and make sure all the storage devices are shown and all are locked by default.
Run the server mode.
Switch ON the Analysis Computer (the PC brought by the team) and run it as the client.
Use the Analysis Software to see the content of the suspect disk.
For BitStream Copy
Connect the destination disk (brought by the team) to the free IDE port/connector and connect a power cable to the destination HDD.
Turn ON the computer and allow the computer to boot from the floppy drive.
Run the BitStream Software from the floppy, and make sure all the storage devices are shown and all are locked by default.
Take the media hash of the suspect computer hard disk and note it down. This may take hours.
Unlock the destination disk.
After taking the media hash value, start the BitStream copying. This process will take a long time to complete. Ensure that the power supply is not disturbed during this operation.
After copying is over, switch off the computer. Remove the destination disk connected to it.
Disconnect the suspect hard disk from the computer. Note down its make, model no., serial number and anything noticeable on the hard disk.
Pack the suspect hard disk in a Packing Box, seal it using tapes and get it signed by the witnesses.
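The media-hash and copy steps above, as an added example that is not code from this page or from C-DAC's BitStream software: a Python script that hashes the source (opened read-only) before the copy, copies it bit for bit to the unlocked destination, then re-hashes both source and image and compares all three values. It goes slightly beyond the page in re-hashing the source after the copy and in showing that an interrupted (truncated) image fails verification. The sample "disk" is a constructed temporary file of random bytes; the function names, paths and the 1 MiB chunk size are the example's own assumptions.

```python
"""Media hash, bit-stream copy and verification of a suspect disk.

Added example, not part of the C-DAC page or its BitStream software. It
mirrors the page's sequence with standard Python: hash the source first,
copy it bit for bit, then hash source and destination again and compare.
The sample disk is a constructed temporary file; paths are placeholders.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large media never sit in memory


def media_hash(path: str, algorithm: str = "sha256") -> str:
    """Hash the whole medium, opened read-only so the source is never written."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_copy(src: str, dst: str) -> int:
    """Copy every byte of src to dst (the 'unlocked' destination). Returns bytes copied."""
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            fout.write(chunk)
            copied += len(chunk)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the image really reached the disk
    return copied


def acquire(src: str, dst: str) -> dict:
    """Run the page's sequence: hash before, copy, hash after, verify all three agree."""
    pre_hash = media_hash(src)       # 'Take the media hash ... and note it down'
    size = bitstream_copy(src, dst)  # 'start the BitStream copying'
    post_hash = media_hash(src)      # was the source left untouched by the copy?
    image_hash = media_hash(dst)     # is the destination a true bit-for-bit image?
    return {
        "source": src,
        "destination": dst,
        "bytes_copied": size,
        "source_hash_before": pre_hash,
        "source_hash_after": post_hash,
        "image_hash": image_hash,
        "verified": pre_hash == post_hash == image_hash,
    }


def make_sample_disk(size: int = 3 * CHUNK + 517) -> str:
    """Constructed stand-in for a suspect hard disk: a file of random bytes.

    The odd size deliberately leaves a partial final chunk."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path


if __name__ == "__main__":
    suspect = make_sample_disk()
    image = suspect + ".copy"
    record = acquire(suspect, image)
    for key, value in record.items():
        print(f"{key}: {value}")
    # A copy interrupted by a power loss leaves a short image; it must fail verification.
    with open(image, "r+b") as f:
        f.truncate(CHUNK)
    print("image still matches after truncation:", media_hash(image) == record["image_hash"])
```

In a real acquisition the source path would be the raw device (read-only, behind a hardware write blocker), and the three hash values from the returned record are what gets written into the evidence notes and signed by the witnesses.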
Documentation
Detailed notes should be maintained during all aspects of the scene processing. This includes not only the usual who, what, where and when but also overall observations of the scene. An evidence/property document should contain entries with a description of the items (model and serial number), any visible markings present on the item, the condition of the item, the manner in which it was marked for evidence and the location within the scene from which it was seized. Every item of evidence has its own characteristics, but each should be marked in a manner that allows it to be easily identified at a later date. Items should be collected as found and documented.
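The evidence/property document and the chain-of-custody record described above, as an added example that is not part of the C-DAC page or its tools: a Python record holding the fields the page lists (description, model and serial number, visible markings, condition, evidence marking, location in the scene) with a custody log in which each transfer entry carries the hash of the entry before it, so a later edit, removal or reordering of an entry is detectable. All names, dates, model and serial values are constructed sample data; the field and function names are the example's own.

```python
"""Evidence/property record with a tamper-evident chain-of-custody log.

Added example, not part of the C-DAC page. Every custody entry is hashed
together with the previous entry's hash, so the log can be re-verified
later. All names, dates and identifiers below are constructed sample data.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field

GENESIS = "0" * 64  # prev_hash of the very first custody entry


def _digest(entry: dict) -> str:
    # canonical JSON (sorted keys) so identical content always hashes identically
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    model: str
    serial_number: str
    visible_markings: str
    condition: str
    evidence_marking: str      # how the item was labelled and sealed
    location_in_scene: str
    media_hash: str = ""       # hash noted during acquisition, if the item is a disk
    custody_log: list = field(default_factory=list)

    def add_custody_entry(self, when: str, handed_by: str, received_by: str, purpose: str) -> dict:
        """Append one transfer; its hash covers its own fields plus the previous entry's hash."""
        prev = self.custody_log[-1]["entry_hash"] if self.custody_log else GENESIS
        entry = {
            "seq": len(self.custody_log),
            "when": when,
            "handed_by": handed_by,
            "received_by": received_by,
            "purpose": purpose,
            "prev_hash": prev,
        }
        entry["entry_hash"] = _digest(entry)  # hashed before the key exists, so it is excluded
        self.custody_log.append(entry)
        return entry

    def verify_log(self) -> bool:
        """Recompute every link; False if any entry was altered, removed or reordered."""
        prev = GENESIS
        for i, entry in enumerate(self.custody_log):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry.get("seq") != i or entry.get("prev_hash") != prev:
                return False
            if _digest(body) != entry.get("entry_hash"):
                return False
            prev = entry["entry_hash"]
        return True

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)


def build_sample_record() -> EvidenceItem:
    """Constructed record for a seized hard disk with two custody transfers."""
    item = EvidenceItem(
        item_id="EX-01",
        description="3.5-inch internal hard disk removed from suspect desktop",
        model="EXAMPLE-MODEL-1234",            # constructed
        serial_number="SN-CONSTRUCTED-0001",   # constructed
        visible_markings="Sticker 'BACKUP' on top cover",
        condition="No visible damage; dust on connectors",
        evidence_marking="Packed in evidence box EX-01, sealed with tape, signed by two witnesses",
        location_in_scene="Desktop tower under desk, room 2B",
        media_hash="<sha256 noted during acquisition goes here>",
    )
    item.add_custody_entry("2019-12-09T10:15", "Seizing officer A", "Transport officer B", "transport to lab")
    item.add_custody_entry("2019-12-09T14:40", "Transport officer B", "Lab examiner C", "laboratory examination")
    return item


if __name__ == "__main__":
    record = build_sample_record()
    print(record.to_json())
    print("log intact:", record.verify_log())
    record.custody_log[0]["received_by"] = "Someone else"  # simulate an after-the-fact edit
    print("log intact after edit:", record.verify_log())
```

The hash chain only makes tampering detectable, not impossible: a copy of the verified record (or of the last entry hash) should be kept with the signed paper notes so the electronic log can be checked against it later.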
Handling and Transportation
Diskettes have fragile magnetic media. If they are packed loosely and allowed to strike each other repeatedly during transit, the media could be damaged and the data lost.
Hard disks should not be subjected to shocks. When transporting a CPU, devices, or media, they should not be placed in a vehicle trunk or area where there will be drastic changes in temperature.
Last Updated: Monday, December 09, 2019, © 2019 C-DAC Thiruvananthapuram. All rights reserved.