Please feel free to add to the following list of hints and tips based upon 'in the field' experience:

1. Scoping is ESSENTIAL. Always be sure to define this carefully before accepting a mission.

   A - What are we going to encounter? Single home PC, no network, end user?

   B - Power user with a wireless network, 5 computers each with two 200/300gb hard drives, BlackBerry, PDAs, camera cell phone, external storage devices?

   C - Home based business with a 2003 server, 10 client machines, etc.?

1.1 Be prepared for all of the above and make sure you have enough people and equipment to get the job done. 9 times out of 10 the Computer Forensic Team is the first one in and the last to leave.

2. Make sure you check ALL the places evidence could conceivably be located. These include:

   — Networks and external sources;

   — Inside PC components (CD drive, floppy drive, the case itself).

3. If you are unsure of something, ASK. Never second guess.

4. Ensure that you use physical write protection devices, or UNIX/Linux Live CDs, to acquire images.

5. Hash the device and all subsequent images for evidentiary purposes, especially if you leave the original on scene, as in a business search.
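Tip 5 in practice, as an added example that is not part of this page: a small POSIX shell script that images a source with dd, hashes the source before and after the copy and the image afterwards, writes all three hashes to a custody log, and re-checks later working copies against the recorded hash. It assumes dd, sha256sum, mktemp and date as found on a typical Linux live CD, and uses a constructed sample file in place of the write-blocked device.

```shell
#!/bin/sh
# Added example (not from the original page): hash-verified disk acquisition
# with a simple custody log. Assumes a POSIX shell with dd, sha256sum, mktemp
# and date. The "device" in the demo is a constructed sample file, not a disk.
set -eu

# Print the SHA-256 of a file or block device.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SOURCE IMAGE LOG
# Hash SOURCE, image it bit-for-bit with dd, hash the image, re-hash SOURCE,
# and record everything in LOG. Returns 0 only if all three hashes agree.
acquire_image() {
    src=$1; img=$2; log=$3
    before=$(hash_file "$src")
    # bs=512 matches the sector size so no padding is introduced; note that
    # conv=sync (often added for bad sectors) pads short blocks with NULs,
    # which would make the image hash differ from the source hash.
    dd if="$src" of="$img" bs=512 2>/dev/null
    img_hash=$(hash_file "$img")
    after=$(hash_file "$src")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s sha256=%s\n' "$stamp" "$src" "$before" >> "$log"
    printf '%s image=%s sha256=%s\n' "$stamp" "$img" "$img_hash" >> "$log"
    if [ "$before" = "$img_hash" ] && [ "$before" = "$after" ]; then
        printf '%s VERIFIED %s\n' "$stamp" "$img_hash" >> "$log"
        return 0
    fi
    printf '%s MISMATCH source=%s image=%s after=%s\n' \
        "$stamp" "$before" "$img_hash" "$after" >> "$log"
    return 1
}

# verify_image IMAGE EXPECTED_HASH
# Re-check a working copy (or the original image) against the recorded hash.
verify_image() {
    [ "$(hash_file "$1")" = "$2" ]
}

# Demo on a constructed stand-in for a write-blocked device.
workdir=$(mktemp -d)
head -c 2048 /dev/urandom > "$workdir/sdb"    # 4 sectors of sample data
acquire_image "$workdir/sdb" "$workdir/sdb.dd" "$workdir/custody.log"
cat "$workdir/custody.log"
```

Each working copy made later should be run through verify_image against the hash recorded at acquisition, so any alteration of a copy is caught before it is examined.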

6. Obtain volatile information from servers prior to shutdown (e.g. Helix CD on Windows Server, sending the output over netcat or cryptcat).

7. Bring more than one forensic solution to the site (EnCase, FTK, SMART, Knoppix, ILook, Helix). Often one won't work but others will.