This protocol sets out the rules to follow at each step of the process described below.
Before collecting evidence from a source such as a storage drive, hard disk, cloud data, a social media account or any other digital data, the process should be documented.
- Create a record of who accessed the data and of the condition of the disk or other storage platform (such as a cloud drive), and document every move of the data from one location to another, so that when more than one investigator analyses the data the results and findings can be verified at the end.
- Storage devices such as HDDs or SSDs may be used for imaging and acquisition; the preferred method is to collect the data without removing the storage drives from the device or from the location.
- To preserve the integrity of the data at the crime scene, avoid any unnecessary use of the storage device being imaged so that the data cannot be tampered with. To prevent tampering, forensic investigators do not do the following:
- Manually search for data on the device using non-forensic tools or methods.
- Use third-party applications, or applications installed on the device.
- Attempt to unlock the device unless it is required to access it for imaging.
- Be aware of what to do and what not to do while handling the evidence.
- Keep the device connected to a power source while imaging so that the data source does not power off during collection.
- Prevent the screen from turning off or locking while imaging.
- Document the device configuration and any changes made to the original evidence.
Imaging is the process of collecting evidence from the storage device, that is, creating a forensic copy of it. The acquisition/imaging steps are:
- Search the storage device for evidence using forensic methods.
- While collecting data or imaging the device, maintain the integrity of the forensic image so that it cannot be tampered with.
- Encrypt the image or data before moving it from one place to another for analysis, so that the results can later be matched.
- Format the wiped and encrypted volume that will hold the image with the exFAT file allocation table.
- Run forensic tools such as FTK Imager or Autopsy to acquire the image.
- Once acquisition is complete, verify that the image can be opened by the forensic software.
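The integrity and custody records called for in the collection and imaging steps above, as an added Python example that is not part of the original post: it hashes the image, appends a chain-of-custody entry each time the image is acquired or handed over, and verifies the image against the hash recorded at acquisition. The file names, handler names and the case id CASE-0001 are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def hash_image(path, chunk_size=1 << 20):
    """SHA-256 of an image file, streamed in chunks so multi-GB images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record_custody(log_path, image_path, action, handler, case_id):
    """Append a chain-of-custody entry (who, when, what) carrying the image's current hash."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "case_id": case_id,
        "image": os.path.basename(image_path),
        "action": action,          # e.g. "acquired", "transferred", "analysed"
        "handler": handler,
        "sha256": hash_image(image_path),
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_image(log_path, image_path):
    """True only if the image still matches the hash recorded at acquisition."""
    with open(log_path, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f if line.strip()]
    acquired = next(e for e in entries if e["action"] == "acquired")
    return hash_image(image_path) == acquired["sha256"]

def custody_walkthrough():
    """Constructed walk-through: acquire, hand over, verify; then show a modified image failing."""
    workdir = tempfile.mkdtemp()
    image, log = os.path.join(workdir, "evidence.dd"), os.path.join(workdir, "custody.jsonl")
    with open(image, "wb") as f:                       # constructed stand-in for a disk image
        f.write(b"\x00" * 512 + b"constructed sector data" * 64)
    record_custody(log, image, "acquired", "Investigator A", "CASE-0001")    # placeholder ids
    record_custody(log, image, "transferred", "Investigator B", "CASE-0001")
    intact = verify_image(log, image)                  # second investigator confirms the copy
    with open(image, "r+b") as f:                      # change one byte to simulate tampering
        f.seek(600); f.write(b"\xff")
    return intact, verify_image(log, image)            # returns (True, False)
```

Each custody entry is appended, never rewritten, so the log itself shows the sequence of handlers and the hash at each hand-over.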
Analysis is the step where we examine the forensic image to verify the evidence, using the appropriate forensic tool, such as Encrypted Disk Decrypter, Wireshark for network analysis, or a RAM capture tool.
After the complete analysis of the acquired evidence, a report is generated containing a full summary of the forensic process: the collection of data, the analysis of the evidence after collection, and the conclusions derived from the examination.
NOTE – The contents of this piece on the blog are of the author. Any comments/observations to be directly communicated to the author.