RE: forensics procedure for PC analysis

Hi John,

The ACPO Guidelines [1] are a good starting place. The other links below
[3],[4],[5] are more biased to US case law.

The Helix CD [7] contains a number of standard forms for evidence
collection as well as tools.

From a process point of view a few of the things you have to consider
are:

- just cause; before you start imaging a machine or breaching someone's
privacy you need to document the facts as to why you want to carry out an
- privacy laws; targeting a machine for suspicious activity may be ok for
initial discovery but to target the user you are potentially breaching
their privacy. What do your national laws say on this?
- Authorisation; Who needs to authorise an investigation and at what
point is this required?
- how far your e-discovery can go before you need to seek authorisation
to continue
- Search and seizure and the national laws around this (in some
countries, such as Belgium, only the police have the legal right to
search someone).
- What information you collect during the search and seizure and the
chain of custody
- have forms for writing down the equipment/drive serial numbers.
- document document document; everything you do and collect must be
documented, even mistakes.

(these are only a few points, many more can be found on the links shown

It helps if you have standardised collection tools such as Helix [7],
EnCase [8], Paraben [9], Logicube [10] etc. plus suitable write blockers.

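As an added example (not from this thread and not code from any of the tools named above), a POSIX shell function that images a source with dd, hashes both source and image, and appends one chain-of-custody record per acquisition; the case id, examiner name and paths are assumed placeholders, and the source is assumed to sit behind a write blocker.

```shell
#!/bin/sh
# Added example: dd acquisition with hash verification and a custody log.
# Assumes sha256sum (or shasum) and a write blocker on the source device.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# forensic_image SOURCE IMAGE LOG CASE_ID EXAMINER
# Returns 0 when the image hash matches the source hash, 1 otherwise.
forensic_image() {
    src="$1"; img="$2"; log="$3"; case_id="$4"; examiner="$5"
    start="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    src_hash="$(sha256_of "$src")"
    # bs=512 so conv=sync pads only unreadable sectors, not the final block;
    # noerror keeps reading past bad sectors instead of aborting the image.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    img_hash="$(sha256_of "$img")"
    end="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    if [ "$src_hash" = "$img_hash" ]; then status=VERIFIED; else status=MISMATCH; fi
    # One record per acquisition; this log is the chain-of-custody evidence.
    printf 'case=%s examiner=%s source=%s image=%s start=%s end=%s sha256=%s status=%s\n' \
        "$case_id" "$examiner" "$src" "$img" "$start" "$end" "$img_hash" "$status" >> "$log"
    [ "$status" = VERIFIED ]
}

# Demo on a constructed 4096-byte file standing in for the device (placeholder values).
demo_dir="$(mktemp -d)"
dd if=/dev/urandom of="$demo_dir/evidence.bin" bs=512 count=8 2>/dev/null
forensic_image "$demo_dir/evidence.bin" "$demo_dir/evidence.dd" "$demo_dir/custody.log" \
    CASE-0001 "examiner name" && cat "$demo_dir/custody.log"
```

A MISMATCH record usually means unreadable sectors were zero-padded, which belongs in the notes alongside the hash rather than being silently re-run.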

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of John O Laoi
Sent: Monday, April 27, 2009 12:31
To: security-basics@xxxxxxxxxxxxxxxxxxxxxxx
Subject: forensics procedure for PC analysis

Does anyone have pointers to a full recommended procedure on
preserving PC data for forensic analysis?
I'm thinking about things like getting a full backup (using dd),
preserving the disks, graceful shutdown or not, etc.

My employer has asked me to look into drafting a policy to address
this, in situations where say illicit material has been lodged to
