Maximize the Effectiveness of Your Computer Forensic Expert and Electronic Data Evidence
By Alan S. Miller and Michael McCort, Cyber Specialists, LLC
Because electronically stored information has a dynamic nature, and the routine operation of computer and/or other electronic media systems constantly modifies or deletes that information, it is critical to address preservation issues early in cases involving any electronic evidence.
Engaging a Computer Forensics Expert before drafting a Letter of Preservation of Electronic Evidence or preparing for a deposition helps in framing questions that obtain the requisite evidence in a form that can be used most effectively as the case continues.
A Computer Forensics Expert can only retrieve what resides on electronic storage media, and even then, much of the data can be manipulated and/or compromised.
To effectively recover electronic evidence, a Letter of Preservation of Electronic Evidence should be issued early in the case, containing all the requisite electronic media search requirements.
The following is a working checklist that a Computer Forensics Expert might use to preserve evidence and to assist in recovering the suspect data. The checklist can be used as part of the Letter of Preservation of Electronic Evidence and should be thoroughly addressed in deposition.
This checklist can be adapted for a single computer or for a computer in a company with multiple workstations.
When accessing any media on a LAN (Local Area Network), extreme caution must be taken not to damage any part of the overall network, physically or economically, and especially not to cause unnecessary network downtime.
Single PC:
Brand:
Model #:
Serial #:
Desktop: Laptop:
Hard Disk Drive Size:
Operating System: Windows, Unix/Linux, MS-DOS
In/Out (I/O) Devices: Printers, JAZ or ZIP Drives, etc.
Other Devices in Use:
Who Attempted to Evaluate the PC or Hard Disk Drive?
Has Anyone Unplugged PC or Removed the Hard Disk Drive?
If Yes – Why?
Network: Local Area Network (LAN), Wide Area Network (WAN)
Configuration:
Attach Diagram:
Operating System: Windows, Unix/Linux, MS-DOS
I/O Devices:
Other Devices in Use: Personal Digital Assistants (PDAs), Zip Drives, Jaz Drives, Modems, Key Logger, USB Devices, FireWire, Bluetooth, Wireless Local Area Network (WLAN), Wide Area Network (WAN), Local Area Network (LAN)
Is There a Company Policy/Procedure Regarding Key Logger Hardware or Software?
Is Key Logger Hardware or Software in Use? If Yes – Brand Name:
Off-Site Work Stations: How Many?
Servers:
Server Operating System: Windows, Unix/Linux
How Many Servers:
Identify the role of each server in the system:
File Systems: What Type? (FAT/NTFS)
Work Stations:
Number of Work Stations:
Is There An Incident Response Team in Place?
Has a Suspect(s) Been Identified?
Suspect(s) Known Computer Proficiency on a Scale of 1 to 10? 1=Low 10=High
Possible Motivation:
Coworkers Interviewed:
Supervision Interviewed:
Prosecution Desired:
Will This End Up In Court?
Law Enforcement Agency Contacted:
LEA Advised:
LEA Contact:
Phone:
Any Unauthorized Software Found in Computer?
Any Unauthorized Hardware?
What Steps Can Be Taken to Minimize Further Damage?
© 2007 Cyber Specialists, LLC
