Preserving Electronically Encoded Evidence – Part II

Conditionally, if the target system is turned off, simply turning the technology on and permitting a ‘boot’ can introduce content changes to files directly or indirectly connected through operating system procedures. Some files interacting with the IT boot process may not be of interest to an investigation. Nevertheless, IT boot configuration modifications can cause previously deleted files — containing pertinent information — to become irretrievable.

When circumstances will not permit the embryonic operational state and site being maintained until law enforcement authorities arrive or when management accepts lawful extraction risks, data acquisition procedures may be invoked for evidence preservation. Data acquisition procedures involve the process of transferring encoded content into a controlled location; including electronic media types associated with an incident or event. Upon commitment to this course of action, all earmarked hardware media should be protected, as well as the target content, during transference to another medium through an approved methodology. However, capturing volatile data (such as open ports, open files, active processes, user logons and other random access memory information) is also critical in most situations where evidence integrity can become an issue. By definition, volatile data is transient electronic bits. Therefore, without adequate precautions, volatile data ceases to exist when an information technology is shut down.

“View Part I of the Preserving Electronically Encoded Evidence series here“

Post Note: An expanded version of this blog entry is available through the ISACA Journal.