The eight session from a two day course for potential first responders I ran for a large financial services client.

1. Phil Huggins
February 2004

2.  Description
 Acquisition Guidelines
 Data Handling

3.  This phase collects data from a suspect
system and saves it on a trusted server or disk
 This data preserves the scene so that it can be
introduced into court
 A copy of this data can be used in the forensic
lab
 Different amounts of data are gathered
depending on the scenario

4.  Document crime scene and all actions that you take. You may need
to testify exactly what you did, so even record the mistakes.
 Record all serial and part numbers of hard drives, servers, and other equipment.
 It helps to make labels for the hard drives with comments on them.
 Use a digital camera to record what cables are connected to what.
 Minimize system activity
 Kill schedulers
 Do NOT make a backup using normal backup software and hardware
 Do NOT reconfigure the system
 Do NOT install new software (use a CD if necessary)
 Acquire the data as soon as possible, otherwise it may change

5.  Maintain Chain of Custody (CoC) forms at all
times
 After the data is acquired, make a MD5
checksum of it and record in a notebook.
This value should be verified periodically
during the analysis. For static data, such as a
hard disk, the MD5 of the original and copy
should be verified after acquisition.

6.  Any data that could be entered into court,
must have a Chain of Custody (CoC) form
with it.
 A CoC form identifies who was responsible
for the data at a given time.
 Ensure this is created and maintained
throughout the acquisition and investigation

8.  To keep the chain of custody, transport data with a
trustworthy courier. Keep the shipping statement
with the CoC form.
 If flying, it is best to carry the drives instead of
checking them in. As this is usually not possible
with increased security checks and other luggage,
such as a laptop, a courier may still be the best
option.
 The data should be stored in a secure place at all
times. A dedicated forensics lab should contain a
safe with security cameras.

9.  For each system that you work on, fill out a System
Description form.
 This form could contain fields for:
 Manufacturer, Model number, Serial number
 Operating System Type
 Number of hard drives with model and serial number.
 MAC address of network card(s)
 Physical security of system
 Owner’s name
 Time it was acquired from owner and when it was given
back

11.  All hard drives look alike
 The Hard Drive Form keeps track of which drive
contains what data and where it has been installed
 These should be created for both evidence drives
and suspect drives
 Labels & Post-It notes are also useful to mark the
contents of drives (but they can fall off!)
 Document when jumpers are moved and which
systems it is installed in

13. 1. Document the scene using a notebook and a System
Acquisition Form. If possible unplug it from the network and
plug it into an empty hub or switch.
2. If the system has not been rebooted since the incident was
detected, collect volatile data. This should be done with
trusted binaries on a CD or floppy.
3. If the system can be turned off, then unplug it for static data
acquisition. If it can not be turned off, then perform static
data acquisition over the network.
4. After the acquisition, create a Chain of Custody form and
maintain control of data at all times.