Preservation and/or Collection of Potential Evidence

If the evidence resides outside the client's control (e.g., at an ISP), a preservation letter must be sent to the company holding the information. The request must give specific instructions pertaining to the information sought: it must be specific with regard to times, dates, public IP addresses (if available), time zone, email ID, screen name(s) and email address(es) (if applicable).
This must be followed up with legal process, initiated and processed by legal counsel.

Collection of Live System/Network Evidence:

Read this article published by Sun Microsystems for a detailed explanation of performing computer forensics on live systems and investigating system attacks.

Because of the complexity and the risk of data loss or data corruption, this procedure should be performed by a DFS forensic expert. It can be completed with Linux/UNIX tools, but it should only be done with specialized forensic tools and should not be attempted by system administrators or the like. Most attempts to “help” DFS in this process result in data loss or corruption of evidence.

Collection of Post-Mortem (Powered down) Systems:

There is an enormous debate as to whether a system should be powered down through the computer's own software/hardware shutdown or simply have the plug pulled from the machine (not the wall). The debate centers on the type of OS running on the target system, the live state information that can or cannot be captured, locking down some or all of that live state information, and the forensic principles involved. With this in mind, DFS personnel understand the pros and cons and the pitfalls that can occur with each approach. DFS personnel will only use procedures that they have personally and/or professionally experienced. These procedures will be those proven to be forensically sound and/or proven in a court of law.