Handbook of Computer Crime Investigation: Forensic Tools and Technology

Collecting and Documenting Evidence on a Network

Prime Directive: Keeping in mind that examining or collecting one part of the system will disturb other components, strive to capture as accurate a representation of the system(s), as free from distortion and bias as possible. (Venema and Farmer 1999)

As demonstrated in Case Example 2 (SubSeven), investigators face some interesting challenges when collecting evidence on a network. Although some network-related data are stored on hard drives and can be collected as described in previous chapters, more information is stored in volatile memory of network devices for a short time or in network cables for an instant. Even when collecting relatively static information such as network log files, it may not be feasible to shut down the system that contains these logs and then make a bitstream copy of the hard drive. The system may be a part of an organization's critical infrastructure and removing it from the network may cause more disruption or loss than the crime. Alternately, the storage capacity of the system may be prohibitively large to copy. So, how can evidence on a network be collected and documented in a way that demonstrates its authenticity, preserves its integrity, and maintains chain of custody?

In the case of log files, it is relatively straightforward to calculate their message digest values (or digitally sign them), document their characteristics (e.g. name, location, size, MAC times) and make copies of the files. All of this information can be useful for establishing the...

UNLIMITED FREE
ACCESS
TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Category: Backup and Recovery Software
Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.