In addition to acquisition and chain-of-custody documentation, most computer forensic examiners will prepare various reports during the course of their examination. Such reports can take a wide range of forms, including printouts of data recovered from the target media, timeline charts of relevant files, notes detailing searches conducted and analysis performed, and various reports from the forensic software tools. While there are no strict rules regulating what types of work papers should be created during the course of a forensic examination, as a general proposition the notes should be sufficient to allow an examiner to repeat the processes that resulted in the discovery of critical evidence.

Obviously, computer forensics is not just about preserving the evidence. It is also about analyzing the evidence and discovering relevant materials. But before data analysis can begin, some preliminary considerations are important.
To the greatest extent possible (and practical), computer forensic investigations should be conducted on all available relevant data, rather than a mere subset of the data. While this can be difficult, it is nonetheless potentially very important. For instance, consider what happened in a capital murder case in California. The electronic source file for a press release and related memorandum that had been issued by the police department was important to the case but could not be readily located. Prior to the forensic search, but after the memo and release had been written, the police department's network file server had been upgraded. The replacement file server did not contain a copy of the press release. Fortunately, forensic examiners determined that the old file server was sitting in a warehouse and had not been used in over three years. The server was reassembled and started, and the press release was found. Interestingly, the fact that the active server contained a file with the same name in the same path, but with drastically different contents from the original memo, indicates that a cover-up may have been attempted.

During the initial interviews on a case, an effort should be made to identify all potential sources of relevant information. Although a decision may be made to limit the analysis of certain data sets in the first instance, preservation of all relevant data should be a goal. Failure to identify relevant data sets can literally have life-and-death consequences.

Similarly, a good forensic examiner should verify, whenever possible, the answers to questions provided by IT staff. Consider the case of the class action lawsuit where members of the class had to be identified from the defendant's proprietary database system. The defendant's programmer modified an existing computer program to extract the list of potential class members. When the program code was later reviewed by a forensic examiner, it was discovered to contain documentation that seemed to indicate that records were inadvertently being bypassed by a section of the code. Testing revealed that the program had indeed ignored hundreds of thousands of rows of the database, and the class list was ultimately revised.

Another example of the need to independently confirm IT staff assumptions comes from a case involving a key executive who had deleted many e-mail and calendar entries from his mail file. Examining the mail file showed a reference to another copy of his e-mail file on a different server. The forensic examiner was told that this alternate server did not store any mail files. When IT was asked to inspect the server anyway, it was determined that there was indeed one mail file on the server: the executive's. Apparently, the server had been a migration or fail-over[24] server for this particular user at one time. The file had not been updated by the executive's deletion activity and consequently contained documents that were several years old, including some of the data erased from the active mail server. This discovery assisted the forensic team in identifying messages that had recently been deleted by the user.
[24] A fail-over server is a server on standby to step in for a primary server in the event that the primary server fails.
