Forensic Hints And Tips
Please feel free to add to the following list of hints and tips, based upon 'in the field' experience:

1. Scoping is ESSENTIAL. Always be sure to define this carefully before accepting a mission.

   A - What are we going to encounter? Single home PC, no network, end user?

   B - Power user with a wireless network, 5 computers each with two 200/300 GB hard drives, BlackBerry, PDAs, camera cell phone, external storage devices?

   C - Home-based business with a 2003 server, 10 client machines, etc.?

1.1 Be prepared for all of the above, and make sure you have enough people and equipment to get the job done. Nine times out of ten the computer forensic team is the first one in and the last to leave.

2. Make sure you check ALL the places evidence could conceivably be located. These include:

Home system;
Phone system;
Networks and external sources;
Victim computers;
Components;
Peripherals;
Modem pool;
Undeleted files;
Deleted files;
Print spool files;
Temp files;
Cookies;
Slack space;
Swap files;
Caches;
Other media;
Log files;
Inside PC components (CD drive, floppy drive, the case itself).

3. If you are unsure of something, ASK. Never second-guess.

4. Ensure that you use physical write-protection devices (hardware write blockers) or UNIX/Linux live CDs to acquire images, so that the original media is never written to.

5. Hash the device and every subsequent image for evidentiary purposes, especially if you leave the original on scene, as in a business search.
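Tips 4 and 5 together come down to one routine: image the source without touching it, then prove the image matches. The script below is an added illustration (not part of this list, and not from any of the tools named on this page) of that routine with plain dd and sha256sum on a Linux live system. It assumes the source sits behind a write blocker; the paths and the 4 KiB random "device" in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: image a source device/file,
# hash source and image with sha256sum, and keep the hash on file so the
# image can be re-verified later. All paths below are constructed.

# acquire_and_hash SRC IMG
# Creates a bit-for-bit image of SRC at IMG and prints the SHA-256 of the
# image. Fails (non-zero exit) if the image hash differs from the source
# hash, or if the source hash changed while imaging, which means the
# source was written to and the acquisition is not evidentially sound.
acquire_and_hash() {
    src="$1"
    img="$2"
    pre=$(sha256sum "$src" | cut -d' ' -f1) || return 1
    # bs=512 matches a disk sector; conv=noerror,sync keeps reading past
    # unreadable sectors and pads them with zeros instead of aborting.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    post=$(sha256sum "$src" | cut -d' ' -f1) || return 1
    imghash=$(sha256sum "$img" | cut -d' ' -f1) || return 1
    [ "$pre" = "$post" ] || return 1
    [ "$pre" = "$imghash" ] || return 1
    # Record the hash next to the image in sha256sum's own checklist format
    # (hash, two spaces, path) so it can be re-checked with sha256sum -c.
    printf '%s  %s\n' "$imghash" "$img" > "$img.sha256"
    echo "$imghash"
}

# verify_image IMG
# Re-checks IMG against its stored hash; non-zero exit means the image no
# longer matches what was acquired.
verify_image() {
    sha256sum -c --status "$1.sha256"
}

# Stand-alone demo on a constructed, sector-aligned 4 KiB "device" of
# random bytes; cleans up after itself.
demo_run() {
    tmp=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$tmp/source.raw" bs=512 count=8 2>/dev/null
    acquire_and_hash "$tmp/source.raw" "$tmp/evidence.img" >/dev/null || { rm -rf "$tmp"; return 1; }
    verify_image "$tmp/evidence.img" || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
}

demo_run && echo "acquisition verified" || echo "acquisition FAILED"
```

Hashing the source both before and after the copy is what catches a write blocker that is not actually blocking; the stored `.sha256` file is what lets you demonstrate, at any later point, that the image you are analysing is the one you acquired on scene.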

6. Obtain volatile information from servers (e.g. a Helix CD on Windows Server, sending the output over the network via netcat or cryptcat) prior to shutdown.

7. Bring more than one forensic solution to the site (EnCase, FTK, SMART, Knoppix, ILook, Helix). Often one won't work but others will.