Acquire the original digital evidence in a manner that protects and preserves the evidence. The following bullets outline the basic steps:
- Secure digital evidence in accordance with departmental guidelines.
- Document hardware and software configuration of the examiner's system.
- Verify operation of the examiner's computer system to include hardware and software.
- Disassemble the case of the computer to be examined to permit physical access to the storage devices.
- Take care to ensure equipment is protected from static electricity and magnetic fields.
- Identify storage devices that need to be acquired. These devices can be internal, external, or both.
- Document internal storage devices and hardware configuration, including:
  - Drive condition (e.g., make, model, geometry, size, jumper settings, location, drive interface).
  - Internal components (e.g., sound card; video card; network card, including media access control (MAC) address; personal computer memory card international association (PCMCIA) cards).
- Disconnect storage devices (using the power connector or data cable from the back of the drive or from the motherboard) to prevent the destruction, damage, or alteration of data.
- Retrieve configuration information from the suspect's system through controlled boots, keeping the storage devices disconnected until the final boot:
  - Perform a first controlled boot to capture CMOS/BIOS information and test functionality, recording:
    - Boot sequence (this may mean changing the BIOS to ensure the system boots from the floppy or CD-ROM drive).
    - Time and date (note any offset from a trusted reference clock, since timestamps on the evidence are relative to the system clock).
    - Power-on passwords.
  - Perform a second controlled boot to test the computer's functionality and the forensic boot disk:
    - Ensure the power and data cables are properly connected to the floppy or CD-ROM drive, and ensure the power and data cables to the storage devices are still disconnected.
    - Place the forensic boot disk into the floppy or CD-ROM drive. Boot the computer and ensure it boots from the forensic boot disk.
  - Reconnect the storage devices and perform a third controlled boot to capture the drive configuration information from the CMOS/BIOS:
    - Ensure there is a forensic boot disk in the floppy or CD-ROM drive to prevent the computer from accidentally booting from the storage devices.
    - Drive configuration information includes logical block addressing (LBA); large disk; cylinders, heads, and sectors (CHS); or auto-detect.
Exceptional circumstances, including the following, may require deviating from the procedure above; document the deviation and the reason for it:
- RAID (redundant array of inexpensive disks). Removing the disks and acquiring them individually may not yield usable results, because the data is striped or parity-encoded across the members; it may be necessary to image the logical volume through the original controller.
- Laptop systems. The system drive may be difficult to access or may be unusable when detached from the original system.
- Hardware dependency (legacy equipment). Older drives may not be readable in newer systems.
- Equipment availability. The examiner does not have access to the necessary equipment.
- Network storage. It may be necessary to use the network equipment to acquire the data.
Write protection should be initiated, if available, to preserve and protect original evidence.
Note: The examiner should consider creating a known value for the subject evidence prior to acquiring the evidence (e.g., performing an independent cyclic redundancy check (CRC) or hashing), so that the acquired image can later be shown to match the original. A cryptographic hash (e.g., SHA-256) is preferable to a CRC: a CRC detects accidental corruption, but a deliberately altered image can be made to carry the same CRC. Depending on the selected acquisition method, this process may already be completed (many imaging tools hash the source as they read it).
- If hardware write protection is used:
  - Install a write protection device in the data path between the storage device and the examiner's system.
  - Boot the system with the examiner's controlled operating system.
- If software write protection is used:
  - Boot the system with the examiner-controlled operating system.
  - Activate write protection before the storage device is accessed.
In either case, confirm that the write protection actually works (e.g., attempt a write to a test drive and verify that it is refused) before the evidence drive is connected.
Acquisition can then be performed with one of the following:
- Stand-alone duplication software.
- Forensic analysis software suite.
- Dedicated hardware devices.
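The acquisition steps above (write protection, recording a known value before imaging, sector-by-sector copying, and checking the image against that value), as an added example that is not part of the original guide. It runs against a constructed in-memory stand-in for a drive rather than a real block device, so it works offline; the class and function names are assumptions, and SHA-256 is used as the known value. It also shows why the note says the known value "may already be completed" by the acquisition method: a separate pre-acquisition hash cannot be computed over a drive with an unreadable sector, whereas the hash computed during imaging still yields a verifiable value for the image as written.

```python
"""Sector-level acquisition with write blocking and hash verification.

Added example (not from the guide). SimulatedDrive is a constructed stand-in
for a subject device; everything else mirrors the procedure in the text.
"""
import hashlib

SECTOR_SIZE = 512


class SimulatedDrive:
    """Constructed stand-in for a subject drive: a byte buffer (a whole number
    of sectors) plus a set of sector numbers that fail on read, mimicking
    physically bad sectors."""

    def __init__(self, data: bytes, bad_sectors=()):
        assert len(data) % SECTOR_SIZE == 0, "drives are whole sectors"
        self.data = bytearray(data)
        self.bad_sectors = set(bad_sectors)

    @property
    def sector_count(self) -> int:
        return len(self.data) // SECTOR_SIZE

    def read_sector(self, n: int) -> bytes:
        if n in self.bad_sectors:
            raise OSError(f"I/O error at sector {n}")
        return bytes(self.data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE])

    def write_sector(self, n: int, buf: bytes) -> None:
        # What a write blocker must prevent from ever being reached.
        self.data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE] = buf[:SECTOR_SIZE].ljust(SECTOR_SIZE, b"\x00")


class WriteBlocked:
    """Read-only view of a drive: the software write-protection step.
    Reads pass through; any write attempt is refused before it reaches the device."""

    def __init__(self, drive):
        self._drive = drive
        self.sector_count = drive.sector_count
        self.blocked_writes = 0

    def read_sector(self, n: int) -> bytes:
        return self._drive.read_sector(n)

    def write_sector(self, n: int, buf: bytes) -> None:
        self.blocked_writes += 1
        raise PermissionError(f"write to sector {n} refused by write protection")


def known_value(drive) -> str:
    """Pre-acquisition SHA-256 of the whole device: the 'known value' the
    examiner records before imaging. Raises OSError if any sector is unreadable."""
    h = hashlib.sha256()
    for n in range(drive.sector_count):
        h.update(drive.read_sector(n))
    return h.hexdigest()


def acquire(drive):
    """Sector-by-sector image of the device.

    Unreadable sectors are replaced with zeros so the image keeps the device's
    geometry (the same behaviour as dd conv=noerror,sync), and their numbers
    are returned so they can be logged in the examiner's notes. The SHA-256 is
    computed over the bytes as written to the image."""
    image = bytearray()
    unreadable = []
    h = hashlib.sha256()
    for n in range(drive.sector_count):
        try:
            sector = drive.read_sector(n)
        except OSError:
            unreadable.append(n)
            sector = b"\x00" * SECTOR_SIZE
        image += sector
        h.update(sector)
    return bytes(image), unreadable, h.hexdigest()


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Independent re-hash of the stored image against the acquisition hash."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash


if __name__ == "__main__":
    # Constructed sample: 8 sectors, sector i filled with byte value i.
    sample = b"".join(bytes([i]) * SECTOR_SIZE for i in range(8))
    for label, drive in (("clean drive", SimulatedDrive(sample)),
                         ("drive with bad sector 3", SimulatedDrive(sample, bad_sectors={3}))):
        blocked = WriteBlocked(drive)
        try:
            pre = known_value(blocked)
        except OSError as err:
            pre = f"not computable ({err})"
        image, unreadable, post = acquire(blocked)
        print(f"{label}: known value {pre}")
        print(f"  image hash {post}, unreadable sectors {unreadable}, "
              f"verified {verify_image(image, post)}")
```

Run as a script it reports both a clean drive and one with a bad sector. The `unreadable` list is what goes into the examiner's notes: those sectors are zero-filled in the image, and anyone examining it later must know they are not original data. Note that the pre-acquisition hash and the acquisition hash agree only for the clean drive; for the damaged one the known value is whatever the imaging tool computed while reading, which is the case the guide's note anticipates.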