IT Governance, Risk, and Compliance

Aug 10 2009   7:59PM GMT

Preserving Electronically Encoded Evidence – Part II

Robert Davis Robert Davis Profile: Robert Davis

Conditionally, if the target system is turned off, simply turning the technology on and permitting a ‘boot’ can introduce content changes to files directly or indirectly connected through operating system procedures. Some files interacting with the IT boot process may not be of interest to an investigation. Nevertheless, IT boot configuration modifications can cause previously deleted files — containing pertinent information — to become irretrievable.

When circumstances will not permit the embryonic operational state and site being maintained until law enforcement authorities arrive or when management accepts lawful extraction risks, data acquisition procedures may be invoked for evidence preservation. Data acquisition procedures involve the process of transferring encoded content into a controlled location; including electronic media types associated with an incident or event. Upon commitment to this course of action, all earmarked hardware media should be protected, as well as the target content, during transference to another medium through an approved methodology. However, capturing volatile data (such as open ports, open files, active processes, user logons and other random access memory information) is also critical in most situations where evidence integrity can become an issue. By definition, volatile data is transient electronic bits. Therefore, without adequate precautions, volatile data ceases to exist when an information technology is shut down.

View Part I of the Preserving Electronically Encoded Evidence series here

Post Note: An expanded version of this blog entry is available through the ISACA Journal.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: