Posted: Mon Feb 08, 2016 12:25 am Post subject: Live Computer in a crime scene - how to record evidence
I am preparing for a security cert, and I just thought of getting your insights on the scenario below.
Scenario - In an incident scene, if you find a computer that is on, what are the steps that need to be taken to record the evidence clearly, and how does it need to be taken so that you don't miss out on the volatile data?
I have searched on Google and I was not able to find out how the data can be extracted from a live system. I also wanted to know how it is done on a real time basis.
Joined: Dec 01, 2015 Posts: 19 Location: Aberdeen, Scotland
Posted: Fri Mar 04, 2016 8:13 pm Post subject:
Is it a desktop, a laptop, is it running Windows or Linux or some other OS? Is it acting as a server? Is it connected to a network? Wirelessly or cabled? Is it locked with a password? Is there a sysadmin who can help or are they all possible suspects? Is there encryption? Every single one of these will affect how the computer is taken down. And that's before we even get into the realms of authorisation to install monitoring software or seizing and removing items of possible evidence.
I think this article will be interesting for you: https://www.cleverfiles.com/howto/computer-forensic.html. In reality it is not always easy to gather data without altering the system in some way (even the act of shutting a computer down in order to transport it will most likely cause changes to the data on that system) but an experienced investigator will always strive to protect the integrity of the original data whenever possible. In order to do this, many computer forensic examinations involve the making of an exact copy of all the data on a disk.
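The reply above mentions making an exact copy of a disk while protecting the integrity of the original. The following sketch of that step is an added example, not code from the thread or the linked article: it copies a source bit for bit, hashes the bytes as they are read, and re-reads the image to confirm the copy matches. The function names and the sample "disk" file are constructed for illustration, and it assumes the source is readable as an ordinary file or block device.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large disks fit in memory


def sha256_of(path):
    """Hash a file or block device by streaming it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image):
    """Copy source to image; return (source_hash, image_hash, verified)."""
    digest = hashlib.sha256()
    # Source is opened read-only; 'xb' refuses to overwrite an existing image.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)  # hash exactly the bytes that were read
            dst.write(block)
    source_hash = digest.hexdigest()
    image_hash = sha256_of(image)  # re-read the written image to verify it
    return source_hash, image_hash, source_hash == image_hash


def demo():
    """Acquire a constructed stand-in for a disk, then detect a later change."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "evidence_disk.bin")  # constructed sample
        image = os.path.join(work, "evidence_disk.img")
        with open(source, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 123))  # not a multiple of CHUNK
        recorded_hash, _, verified = acquire(source, image)
        # Flip the first byte of the image to simulate an alteration.
        with open(image, "r+b") as fh:
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0xFF]))
        altered = sha256_of(image) != recorded_hash
        return verified, altered
```

Recording the source hash at acquisition time is what lets any later examination of the image be checked against the original.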