Computer & Mobile Forensics

Processing the Electronic Crime Scene

  • Processing an electronic crime scene has much in common with processing a traditional crime scene.

    • It involves warrants, documentation (photographs, notes, chain of custody), and sound investigative technique.

  • A crucial early decision is whether a live acquisition (collecting data from the running system before it is powered off) is necessary.

Shutdown vs. Pulling the Plug

  • Several factors influence the decision between a systematic (clean) shutdown and pulling the plug (abrupt removal of power).

    • Encryption: If full-disk or volume encryption is in use, the data is readable only while the system is running and the volume is unlocked. Once power is removed, the keys held in RAM are gone and the disk cannot be read without the passphrase or recovery key. A clean shutdown locks the volume just as effectively, so the prudent option is a live acquisition of the unlocked volume (and of RAM, where the keys reside) before the system is powered down by either method.

    • Crucial Evidentiary Data in RAM: Running processes, network connections, open files, and unsaved documents exist only in RAM. If the case turns on such data and it has not been written to the HDD, removing power destroys it; the option then is a live acquisition, i.e. capturing a memory image before any shutdown.

    • Regardless of which option is chosen, the equipment itself will most likely be seized.
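The two factors above applied to a Linux host, as an added example that is not part of the original notes: a small pre-seizure triage helper that looks for an unlocked dm-crypt volume (the situation in which removing power loses the only readable copy of the data) and prints a recommendation. The assumed command is `lsblk -rno NAME,TYPE,MOUNTPOINT`; the two host listings in the block are constructed sample output, not captures from a real case.

```shell
#!/bin/sh
# Added example, not from the original notes: a pre-seizure triage helper for
# a Linux host. It checks whether any encrypted (dm-crypt) volume is currently
# unlocked and mounted, which is the case where removing power loses the only
# readable copy of the data. Assumed source of the listing:
#   lsblk -rno NAME,TYPE,MOUNTPOINT      (raw output, no header)

# has_unlocked_crypt: reads lsblk output on stdin; succeeds if a device of
# TYPE "crypt" has a non-empty MOUNTPOINT (plaintext is reachable right now).
has_unlocked_crypt() {
    awk '$2 == "crypt" && $3 != "" { found = 1 } END { exit !found }'
}

# triage_decision: applies the notes' factors to the lsblk text in $1 and
# prints a single recommendation token.
#   LIVE_ACQUISITION  image the unlocked volume and capture RAM before any
#                     shutdown; both disappear when power is removed.
#   RAM_THEN_POWER    no unlocked encrypted volume; capture RAM if the case
#                     needs volatile data, then power off and image offline.
triage_decision() {
    if printf '%s\n' "$1" | has_unlocked_crypt; then
        echo "LIVE_ACQUISITION"
    else
        echo "RAM_THEN_POWER"
    fi
}

# Constructed sample listings in the format of "lsblk -rno NAME,TYPE,MOUNTPOINT".
# Host A: a LUKS container "cryptroot" is unlocked and mounted at /.
SAMPLE_LUKS_HOST='sda disk
sda1 part /boot
sda2 part
cryptroot crypt /'
# Host B: plain partitions, no dm-crypt layer.
SAMPLE_PLAIN_HOST='sda disk
sda1 part /boot
sda2 part /'

# Stand-alone run over the two constructed hosts. On a real system use:
#   triage_decision "$(lsblk -rno NAME,TYPE,MOUNTPOINT)"
main() {
    printf 'host A: %s\n' "$(triage_decision "$SAMPLE_LUKS_HOST")"
    printf 'host B: %s\n' "$(triage_decision "$SAMPLE_PLAIN_HOST")"
}
main "$@"
```

The helper only automates the encryption factor; whether the case needs what is in RAM (the second factor) is a judgment the examiner makes from the case facts, which is why the non-encrypted branch still says to capture memory first when volatile data matters.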

Forensic Image Acquisition

  • After the items have been seized, the data on them must be acquired for analysis.

  • The computer hard disk drive (HDD) is used as the example, but the same best-practice principles apply to other electronic devices and storage media.

  • The computer forensic examiner must use the least intrusive method available at every step of the process.

  • The primary goal when acquiring data from an HDD is to avoid altering even a single bit of the original; analysis is performed on the image, not on the evidence itself.

  • Booting the HDD into its own operating system writes to many files (logs, caches, timestamps, swap) and can overwrite evidentiary data, so the drive is imaged through a write blocker and never booted.

  • Data acquisition is accomplished by:
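The acquisition principles listed above, shown as an added worked example that is not part of the original notes: a bit-for-bit copy with dd, with the source hashed before and after the read so that any alteration of the evidence is caught, and the image hashed against the source. The block runs against a constructed 1 MiB file of random bytes that stands in for the evidence drive; on a real case the source would be a block device behind a hardware write blocker (the device name `/dev/sdb` in the comments is an assumption), and the hashes would go into the chain-of-custody record.

```shell
#!/bin/sh
# Added example, not from the original notes: a minimal forensic image
# acquisition with integrity verification, run here against a constructed
# file that stands in for the evidence drive. In a real case the source is a
# block device behind a hardware write blocker (e.g. /dev/sdb, assumed name),
# it is never mounted or booted, and the digests below are recorded in the
# chain-of-custody documentation.

# hash_file FILE: print the SHA-256 digest of FILE (GNU coreutils, BSD fallback).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# acquire_image SOURCE DEST: bit-for-bit copy with dd, hashing the source
# before and after the read so that any alteration of the evidence is caught.
# dd's own record counts and the three digests are appended to DEST.log.
#   conv=noerror,sync  keep reading past bad sectors, pad them with zeros
#   bs=4096            must divide the device size (a sector multiple), or
#                      conv=sync pads the final block and the hashes differ
acquire_image() {
    src="$1"; dst="$2"; log="$2.log"
    pre=$(hash_file "$src")
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>>"$log" || return 1
    post=$(hash_file "$src")
    img=$(hash_file "$dst")
    printf 'source-before %s\nsource-after  %s\nimage         %s\n' \
        "$pre" "$post" "$img" >>"$log"
    [ "$pre" = "$post" ] || return 2   # evidence changed during acquisition
    [ "$pre" = "$img" ]  || return 3   # image is not a faithful copy
    return 0
}

# verify_image SOURCE IMAGE: re-check an existing image against its source,
# as done before analysis begins and again when the evidence is presented.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# make_sample_evidence: constructed 1 MiB pseudo-drive of random bytes,
# made read-only as a software stand-in for the write blocker.
make_sample_evidence() {
    dir=$(mktemp -d)
    dd if=/dev/urandom of="$dir/evidence.raw" bs=4096 count=256 2>/dev/null
    chmod 0444 "$dir/evidence.raw"
    echo "$dir/evidence.raw"
}

main() {
    src=$(make_sample_evidence)
    if acquire_image "$src" "$src.dd"; then
        echo "acquired and verified: $src.dd"
        cat "$src.dd.log"
    else
        echo "acquisition failed" >&2
        exit 1
    fi
}
main "$@"
```

Two points the block makes concrete: the "not one bit" requirement is checked, not assumed, by hashing the source a second time after the read; and `conv=sync` is safe only when the block size divides the device size, otherwise the tail is zero-padded and the image no longer hashes identically to the source. Both digests and dd's record counts are written to the `.log` file so the record survives with the image.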