Handbook of Computer Crime Investigation: Forensic Tools and Technology

Prime Directive: Keeping in mind that examining or collecting one part of the system will disturb other components, strive to capture as accurate a representation of the system(s), as free from distortion and bias as possible. (Venema and Farmer 1999)
As demonstrated in Case Example 2 (SubSeven), investigators face some interesting challenges when collecting evidence on a network. Although some network-related data are stored on hard drives and can be collected as described in previous chapters, more information is stored in volatile memory of network devices for a short time or in network cables for an instant. Even when collecting relatively static information such as network log files, it may not be feasible to shut down the system that contains these logs and then make a bitstream copy of the hard drive. The system may be a part of an organization's critical infrastructure and removing it from the network may cause more disruption or loss than the crime. Alternately, the storage capacity of the system may be prohibitively large to copy. So, how can evidence on a network be collected and documented in a way that demonstrates its authenticity, preserves its integrity, and maintains chain of custody?
In the case of log files, it is relatively straightforward to calculate their message digest values (or digitally sign them), document their characteristics (e.g. name, location, size, MAC times) and make copies of the files. All of this information can be useful for establishing the...