Four Rules for Investigators
[Jan. 6th, 2011|09:51 am]
For my Crash Course in Computer Forensics I came up with four rules to keep investigators out of big trouble. Obviously it's still possible to mess up when following these, but breaking any of these will be, to use the technical term, bad. What do you think? Are there other cardinal rules for computer forensics? Do these apply to any other fields?
1. Have a plan - What are you looking for? How do you know when you're done? If you don't find what you're looking for, how long are you prepared to spend on the search? Your plan doesn't have to be set in stone. It can change based on things you find.
2. Have permission - You must have permission to look at the data in question, and that permission must be granted by somebody who actually has the authority to give it. Sometimes this is cut and dried; the search warrant from the judge literally commands you to do something. But in a corporate environment it can be far more complicated.
3. Write down what you do - Take notes. Document what you're working on and what you do to it: make and model names, serial numbers, locations, procedures, imaging techniques, write blockers. Any time you touch a piece of original evidence, write it down.
4. Work on a copy - Once you've imaged your original evidence, lock it up. Only work on copies. You can't break something you're not touching.
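Rules 3 and 4 in practice, as an added example that is not from the original post: hash the original image, make the working copy, prove the copy is bit-identical, log every step with a timestamp and examiner name, and re-hash the original afterwards to show it was never touched. The file names, the examiner id and the sample "image" bytes are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    """SHA-256 hex digest of a file, hashed in 1 MiB chunks so big images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def log_action(notes, examiner, action):
    """Rule 3: append a UTC-timestamped, attributed line to the case notes."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(notes, "a") as f:
        f.write(f"{stamp}\t{examiner}\t{action}\n")

def make_working_copy(original, copy, notes, examiner):
    """Rule 4: hash the original, copy it, prove the copy matches; returns the original's hash."""
    orig_hash = sha256_of(original)
    log_action(notes, examiner, f"hashed original {original} sha256={orig_hash}")
    shutil.copyfile(original, copy)
    copy_hash = sha256_of(copy)
    log_action(notes, examiner, f"created working copy {copy} sha256={copy_hash}")
    if copy_hash != orig_hash:
        log_action(notes, examiner, "HASH MISMATCH: working copy rejected")
        raise ValueError("working copy does not match original image")
    return orig_hash

def verify_unchanged(path, expected_hash, notes, examiner):
    """Re-hash a file against its recorded hash and log the outcome; True on match."""
    ok = sha256_of(path) == expected_hash
    log_action(notes, examiner, f"verified {path}: {'match' if ok else 'MISMATCH'}")
    return ok

def demo():
    """Run the workflow on a constructed 'image' (not real evidence) in a temp dir."""
    case = Path(tempfile.mkdtemp(prefix="case-"))
    original, copy, notes = case / "original.dd", case / "working.dd", case / "notes.txt"
    original.write_bytes(b"\x00" * 4096 + b"constructed sample image" + b"\xff" * 4096)
    expected = make_working_copy(original, copy, notes, "examiner-A")
    with open(copy, "r+b") as f:  # analysis tooling alters the working copy only
        f.seek(4096)
        f.write(b"CHANGED")
    return {"original_intact": verify_unchanged(original, expected, notes, "examiner-A"),
            "copy_intact": verify_unchanged(copy, expected, notes, "examiner-A"),
            "note_lines": notes.read_text().count("\n")}
```

Calling `demo()` returns `original_intact=True`, `copy_intact=False` and four note lines, which is exactly what the notes file should let you prove later: the copy was worked on, the original was not.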