Tom Olzak

Digital Forensics: Blowing a Case in Five Minutes or Less

In Cybercrime, Forensics, Uncategorized on July 31, 2009 at 09:51

Digital forensics is an important function performed by experienced investigators.  However, most security incidents are not considered serious enough—at least not at first—to justify engaging a forensics professional for hundreds of dollars per hour.  So in-house security teams must have processes in place to ensure initial investigation activities don’t compromise evidence that might eventually end up in criminal or civil court.

Internal resources don’t have to be certified forensics investigators.  Most organizations can’t afford to keep someone with those qualifications on the payroll.  However, your security team should understand basic evidence preservation and handling techniques.  Even actions which seem reasonable and insignificant can render potential evidence useless.  Some examples of things to avoid when initiating an internal investigation include:

  • Using or analyzing a target computer before creating a forensic copy (a bit-for-bit image, verified by hash) of all attached storage
  • Arbitrarily pulling cables from target computers before recording the cable connections, preferably with a digital camera
  • Pulling the power plug on a running computer without recording what is on the screen, preferably with a digital camera
  • Turning on a computer that is powered off when you arrive
  • Failing to initiate a written chain of custody for every item collected as evidence
  • Failing to comply with local, state, and federal laws governing seizure of evidence
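The first and fifth points above are the ones an in-house team can rehearse before an incident: take the image before anyone touches the machine, prove the image is faithful, and write down who did what and when. The following script is an added example, not code from the original post or from the Secret Service guide. It assumes a POSIX shell with dd, awk and sha256sum (or shasum) on the forensic workstation, and the device paths, case directory and examiner names in it are hypothetical. It images a device (or, when practising, an ordinary file) with dd, hashes source and image, refuses to overwrite an existing image, and appends a tab-separated chain-of-custody record for every acquisition and every later verification, so a changed image is caught at hand-off rather than in court.

```shell
#!/bin/sh
# Added example (not from the original post): acquire a bit-for-bit image of seized
# storage, verify it by hash, and record each step in a chain-of-custody log.
# Assumptions: POSIX sh, dd, awk and sha256sum (or shasum) are available; device,
# file and examiner names used below are hypothetical.

# Print the SHA-256 of a file, using whichever hashing tool the workstation has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# custody_log LOG EXAMINER ACTION SOURCE IMAGE BYTES SHA256
# Append one tab-separated custody record:
#   utc-time  examiner  action  source  image  bytes  sha256
custody_log() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" "$5" "$6" "$7" >> "$1"
}

# acquire_image SOURCE IMAGE LOG EXAMINER
# SOURCE is the seized media (e.g. /dev/sdb behind a write blocker) or, when
# rehearsing, an ordinary file. Fails rather than overwrite an existing image,
# and fails if the image hash does not match the source hash. Prints the hash.
acquire_image() {
    src="$1"; img="$2"; log="$3"; who="$4"

    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image $img" >&2
        return 1
    fi

    # Hash the original before anything else. Reading does not alter the
    # media, but the hardware write blocker is what guarantees that.
    src_hash=$(hash_file "$src") || return 1

    # Plain dd is enough for healthy media. For failing drives use ddrescue or
    # dc3dd instead: dd's conv=noerror,sync zero-pads bad reads and the final
    # short block, so the image hash would no longer equal the source hash.
    dd if="$src" of="$img" bs=1024k || return 1

    img_hash=$(hash_file "$img") || return 1
    bytes=$(wc -c < "$img" | tr -d ' ')

    if [ "$src_hash" != "$img_hash" ]; then
        custody_log "$log" "$who" acquire-FAILED "$src" "$img" "$bytes" "$img_hash"
        echo "hash mismatch: source $src_hash, image $img_hash" >&2
        return 1
    fi
    custody_log "$log" "$who" acquire "$src" "$img" "$bytes" "$img_hash"
    echo "$img_hash"
}

# verify_image IMAGE LOG EXAMINER
# Re-hashes an image (at hand-off, or before analysis) against the hash recorded
# at acquisition and logs the outcome. A single changed byte fails the check.
verify_image() {
    img="$1"; log="$2"; who="$3"

    # Field 5 is the image path, field 7 its hash. ENVIRON avoids awk's
    # backslash processing of -v values, so odd paths are matched literally.
    recorded=$(IMG="$img" awk -F'\t' \
        '$3 == "acquire" && $5 == ENVIRON["IMG"] { h = $7 } END { print h }' "$log")
    if [ -z "$recorded" ]; then
        echo "no acquisition record for $img in $log" >&2
        return 1
    fi

    current=$(hash_file "$img") || return 1
    bytes=$(wc -c < "$img" | tr -d ' ')
    if [ "$current" != "$recorded" ]; then
        custody_log "$log" "$who" verify-FAILED - "$img" "$bytes" "$current"
        echo "image $img has changed since acquisition" >&2
        return 1
    fi
    custody_log "$log" "$who" verify - "$img" "$bytes" "$current"
}

# Typical use on a forensic workstation (hypothetical paths):
#   acquire_image /dev/sdb /evidence/case-0001/sdb.dd /evidence/case-0001/custody.log "J. Examiner"
#   verify_image  /evidence/case-0001/sdb.dd /evidence/case-0001/custody.log "J. Examiner"
```

The log is deliberately append-only and plain text: anyone who later has to testify about the evidence can read it without the tooling, and every line names the person responsible. Keep the log itself on media that is separate from the image, and treat a verify-FAILED line as an incident of its own.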

The United States Secret Service published a pocket guide for first responders, Best Practices for Seizing Electronic Evidence.  It contains guidelines for standalone PCs as well as for servers and PCs connected to home or business networks.  In addition, the guide lists the items you should include in your investigation reports.

The guide alone won’t make anyone on your team a forensics expert; you’ll still want to call in certified digital forensics analysts when presentation of evidence in court is a real possibility.  However, familiarity with the guide, and actually following it, can help prevent spoliation during the first minutes of an incident response.
