DFI tips

Life on the Range

The industry of digital forensics and electronic discovery is still a rather young one. Yet it has been around long enough to develop standards and best practices for handling multiple types of digital files on various mediums.
The data collection process has traditionally been about documents, e-mails, and graphics found on computers, hard drives, phones, and other mediums. Now, it also includes data from social networking sites (SNS), which requires careful attention and adaptability to ensure the digital information maintains its initial context and meaning.
The challenge of taming the land of social media and Webmail—where each platform has its own rules, or no rules at all—is just like taming the Wild West. Data collection must be done in a way to fully preserve the information, even if dealing with multiple outside parties and systems for just one social media platform.

From: The Wild West of Social Media Evidence Collection by Gary Torgersen

Prep Your Mobile Device Examination Computer

When the examiner is ready to investigate a phone, he may have a checklist to make sure that the examination machine is ready. This computer, known as the examination computer, can be a laptop or a desktop. The main requirement is that it has at least a Pentium 90 for processing speed and enough RAM to operate the cell phone forensic software. There must also be enough available storage for the contents of the seized phone. This may be a challenge with an older computer, but fortunately old computers with Windows 98 had USB ports, and this allows USB external storage devices to be used. The examination computer should have a current, properly licensed copy of the examination software used for the phone.
Because this examination computer is used to download the data from the phone and then prepare it in a readable format for examination, it is best to check in the operating system that the USB port is working properly. It would also be a good idea to close all unnecessary programs.
The examination computer should also be protected from unwanted outside connectivity. That means that the wireless ports, infrared ports, Bluetooth ports, modem port, and Ethernet port should all be disabled. The examination computer may also be checked for viruses by running a current version of a properly licensed antivirus program to remove the possibility of a virus altering the data. A properly licensed program for antispyware should also be run.

From: Digital Forensics for Handheld Devices by Eamon P. Doherty
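
Two items from the checklist above (connectivity disabled, enough storage for the seized phone) can be checked by script on a current Windows examination machine. This is an added example, not from the excerpted book; it assumes English-locale `netsh interface show interface` output, uses a constructed sample and a hypothetical 64 GiB handset, and does not cover infrared or modem ports, which netsh does not list here.

```python
import shutil
import subprocess
import sys

# Constructed sample of `netsh interface show interface` output (English locale).
SAMPLE_NETSH = """
Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Disabled       Disconnected   Dedicated        Wi-Fi
Enabled        Connected      Dedicated        Ethernet
Disabled       Disconnected   Dedicated        Bluetooth Network Connection
"""

def enabled_interfaces(netsh_text):
    """Return the names of interfaces whose Admin State is still Enabled."""
    names = []
    for line in netsh_text.splitlines():
        # Four columns; the interface name is last and may contain spaces.
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "Enabled":
            names.append(parts[3].strip())
    return names

def readiness_findings(netsh_text, free_bytes, phone_capacity_bytes):
    """Return a list of problems; an empty list means these checks passed."""
    findings = ["interface still enabled: " + n
                for n in enabled_interfaces(netsh_text)]
    if free_bytes < phone_capacity_bytes:
        findings.append("free storage %d bytes is below phone capacity %d bytes"
                        % (free_bytes, phone_capacity_bytes))
    return findings

if __name__ == "__main__":
    phone_capacity = 64 * 1024**3  # hypothetical 64 GiB handset (assumption)
    if sys.platform == "win32":
        text = subprocess.run(["netsh", "interface", "show", "interface"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NETSH  # fall back to the constructed sample off Windows
    free = shutil.disk_usage(".").free  # free space on the current drive
    for problem in readiness_findings(text, free, phone_capacity) or ["ready"]:
        print(problem)
```

Saving the printed findings with the case notes records the state of the examination computer before the phone was connected.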

Windows Artifacts

Since 1991 Microsoft has taken great care—great care to preserve a history of activities going back to the days of MS-DOS, Windows 3.1x, and Windows for Workgroups 3.11. In addition, Microsoft has collected, stored, and retained data from all versions of Windows NT as well as the heydays of Win95-98-ME versions too.
How this helps you is knowing that there is data, lots of data—artifacts found in the Operating System support files, Windows folder and sub-folders, and the Registry file. Collectively all of these components allow examiners to find evidence creating a digital history, connections, or a legal position.

From: Microsoft Windows Artifacts by Jon R. Hansen