Forensic Examination of Computers and Digital and Electronic Media
IACIS® has established the following as a guide for forensic computer and digital evidence examinations.
- All computer and digital media examinations are different: the examiner must consider the totality of the circumstances as he/she proceeds. Not every component listed here will be needed in every situation, and examiners may need to adjust to unusual or unexpected conditions in the field.
- Cases involving computers and other electronic devices are borderless. Multiple jurisdictions and agencies may be involved in investigative and analytical activities, and each agency or jurisdiction may employ specific procedures. This document, then, is not intended to supersede or conflict with jurisdiction or agency policies or procedures. Rather, it is a foundation document that outlines general principles.
Guide for Forensic Examinations
- Computer system components and other electronic devices (including digital and electronic media) are items of evidence just like any other items of evidence. As such, it is incumbent upon the examiner to follow agency procedures for documenting the receipt and handling of the items.
- The computer system and/or the media should be examined physically and an inventory of hardware components noted. Documentation should include a physical description and detailed notation of any irregularities, peculiarities, identifying markings, and numberings.
- When examining a computer, the system date and time should be collected, preferably from the BIOS setup. The date and time should be compared to a reliable known time source and any differences noted. If the BIOS setup information is accessible, then drive parameters and boot order should be noted. Depending on the BIOS, other information such as system serial numbers, component serial numbers, hardware component hashes, etc. should be noted.
- Examination of media should be conducted in a forensically sound examination environment. A forensically sound examination environment is one which is completely under the control of the examiner: no actions are taken without the examiner permitting them to happen, and when the examiner permits or causes an action he/she can predict with reasonable certainty what the outcome of the action will be.
- Examiners may choose to employ a forensically sound operating system. Physical or software write-blocking devices may be used in operating system environments that are not forensically sound.
- Conducting an examination on the original evidence media should be avoided. Rather, examinations should be conducted on a forensic copy of the original evidence, or via forensic evidence files.
- Properly prepared media should be used when making forensic copies to ensure no commingling of data from different cases. Properly prepared media is media that has been completely overwritten with a known character.
- Regardless of whether the examiner performs a direct device-to-device copy of the media or creates forensic evidence copies for examination or restoration, the copy process should be forensically sound.
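The two points above (media prepared by overwriting with a known character, and a copy process that can be shown to be sound) are easy to state and easy to get wrong in practice. The following Python script is an added example and not part of the IACIS guide; it uses ordinary files as stand-ins for the source and destination media, the sample images it builds are constructed, and SHA-256 is the hash chosen here for the verification record. It refuses to copy onto a destination that still holds any byte other than the fill character, hashes the source stream while it is being copied, and then re-hashes both sides independently so the acquisition record carries three hashes that must agree.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # stream in 1 MiB pieces so large images never sit in memory whole


def first_non_fill_offset(path, fill=0x00, chunk=CHUNK):
    """Offset of the first byte of `path` that is not `fill`, or None when the
    whole file consists of the fill character (i.e. the media is prepared)."""
    expected = bytes([fill]) * chunk
    offset = 0
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            if buf != expected[: len(buf)]:
                return offset + next(i for i, b in enumerate(buf) if b != fill)
            offset += len(buf)
    return None


def is_prepared(path, fill=0x00):
    """Properly prepared media: every byte equals the known fill character."""
    return first_non_fill_offset(path, fill) is None


def sha256_of(path, length=None, chunk=CHUNK):
    """SHA-256 of the first `length` bytes of `path` (whole file when None)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            buf = f.read(chunk if remaining is None else min(chunk, remaining))
            if not buf:
                break
            h.update(buf)
            if remaining is not None:
                remaining -= len(buf)
    return h.hexdigest()


def forensic_copy(src, dst, chunk=CHUNK):
    """Copy `src` onto the start of `dst` byte for byte, hashing the source
    stream as it is read. `dst` is opened read/write rather than truncated so
    prepared space beyond the copy keeps its known fill value."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "r+b") as fout:
        fout.seek(0)
        for buf in iter(lambda: fin.read(chunk), b""):
            h.update(buf)
            fout.write(buf)
        fout.flush()
        os.fsync(fout.fileno())
    return h.hexdigest()


def verified_copy(src, dst, fill=0x00):
    """Whole workflow: reject unprepared media, copy, then prove the copy by
    re-hashing both sides. Returns the acquisition record as a dict."""
    bad = first_non_fill_offset(dst, fill)
    if bad is not None:
        raise ValueError(f"destination not prepared: non-{fill:#04x} byte at offset {bad}")
    stream_hash = forensic_copy(src, dst)
    size = os.path.getsize(src)
    src_hash = sha256_of(src)
    dst_hash = sha256_of(dst, length=size)  # only the region the copy occupies
    return {
        "bytes": size,
        "stream_sha256": stream_hash,
        "source_sha256": src_hash,
        "copy_sha256": dst_hash,
        "verified": stream_hash == src_hash == dst_hash,
    }


def demo():
    """Constructed sample: a 3 MiB 'source disk', a 4 MiB zero-filled
    destination, and a 'reused' destination with one stale byte left in it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.dd")
        good = os.path.join(tmp, "prepared.dd")
        bad = os.path.join(tmp, "reused.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK))
        with open(good, "wb") as f:
            f.write(b"\x00" * (4 * CHUNK))
        with open(bad, "wb") as f:
            f.write(b"\x00" * 1000 + b"A" + b"\x00" * 1000)
        record = verified_copy(src, good)
        try:
            verified_copy(src, bad)
            record["reused_media_rejected"] = False
        except ValueError:
            record["reused_media_rejected"] = True
        record["stale_byte_offset"] = first_non_fill_offset(bad)
        return record


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three hashes in the record serve different purposes: the stream hash proves what was read, the source hash re-read afterwards shows the source did not change during acquisition, and the hash of the copied region proves the destination holds the same bytes. All three, together with the offset of any stale byte found on rejected media, belong in the examiner's notes.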
- Examination of the media should be completed logically and systematically by starting where the data of evidentiary value is most likely to be found. These locations will vary depending on the nature and scope of the case. Examples of items to be noted might include:
- If the media is a hard drive, the number and type of partitions should be noted.
- If the media is an optical disc, then the number of sessions should be noted.
- File systems on the media should be noted.
- A full directory listing should be made to include folder structure, filenames, date/time stamps, logical file sizes, etc.
- Installed operating systems should be noted.
- User-created files should be examined using native applications, file viewers, or hex viewers. This includes such files as text documents, spreadsheets, databases, financial data, electronic mail, digital photographs, sound and other multimedia files, etc.
- Operating system files and application-created files should be examined, if present. This would include, but is not limited to: boot files, registry files, swap files, temporary files, cache files, history files, log files, etc.
- Installed applications should be noted.
- File hash comparisons may be used to exclude or include files for examination.
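The directory listing and the hash comparison above are usually produced together: every regular file is recorded with its path, logical size, and timestamps, and its hash is then matched against hash sets so that stock operating-system or application files can be excluded and known-bad files flagged. The following Python script is an added example and not part of the IACIS guide; it walks a mounted copy of the evidence (a constructed temporary tree here), and the hash sets it builds are constructed stand-ins for whatever reference sets the examiner's agency uses.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def _utc(ts):
    # Timestamps are recorded in UTC so listings from different machines compare cleanly.
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")


def inventory(root):
    """Full listing of regular files under root, in a deterministic order:
    relative path, logical size, modified/accessed/changed times, SHA-256."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a symlink out of the evidence tree
            if not stat.S_ISREG(st.st_mode):
                continue
            rows.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mtime": _utc(st.st_mtime),
                "atime": _utc(st.st_atime),
                "ctime": _utc(st.st_ctime),
                "sha256": sha256_file(path),
            })
    return rows


def classify(rows, known_good, known_bad):
    """Hash-set triage: 'exclude' files whose hash is in the known-good set,
    'alert' on known-bad hashes, and leave everything else for 'review'.
    A hash present in both sets is treated as bad."""
    out = []
    for r in rows:
        if r["sha256"] in known_bad:
            verdict = "alert"
        elif r["sha256"] in known_good:
            verdict = "exclude"
        else:
            verdict = "review"
        out.append(dict(r, verdict=verdict))
    return out


def demo():
    """Constructed evidence tree: one stock library, two user documents with
    identical content, and one file whose hash is on a constructed bad list."""
    files = {
        "Windows/System32/stock.dll": b"stock library bytes " * 50,
        "Users/jdoe/Documents/notes.txt": b"meeting notes, nothing stock here",
        "Users/jdoe/Documents/copy_of_notes.txt": b"meeting notes, nothing stock here",
        "Users/jdoe/Downloads/tool.exe": b"MZ constructed bad sample",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        known_good = {hashlib.sha256(files["Windows/System32/stock.dll"]).hexdigest()}
        known_bad = {hashlib.sha256(files["Users/jdoe/Downloads/tool.exe"]).hexdigest()}
        rows = classify(inventory(tmp), known_good, known_bad)
    return {r["path"]: r["verdict"] for r in rows}, rows


if __name__ == "__main__":
    verdicts, rows = demo()
    for r in rows:
        print(f'{r["verdict"]:8} {r["size"]:>8} {r["mtime"]} {r["sha256"][:16]}... {r["path"]}')
```

Two details matter for the notes: the listing is produced in a fixed order so a second run over the same copy yields the same document, and duplicate content shows up as identical hashes, which is how the two notes files above are recognised as copies without opening either one.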
- Unused and unallocated space on each volume should be examined for previously deleted data, deleted folders, slack space data, and intentionally placed data. Previously deleted filenames of apparent evidentiary value should be noted. Files may be automatically carved out of the unallocated portion of the unused space based upon known file headers.
- Keyword searches may be conducted to identify files or areas of the drive that might contain data of evidentiary value and to narrow the examination scope.
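Carving by known file header (previous item) and keyword searching (this item) both operate on raw bytes that no file system points to any more, so they share the same input: a buffer of unallocated space. The following Python script is an added example and not part of the IACIS guide; the "unallocated space" it searches is a constructed buffer, the JPEG- and PNG-shaped objects planted in it are constructed rather than real images, and the header and footer signatures are the commonly documented ones for those two formats. It shows the edge case a practitioner needs to handle: a carved file whose footer was overwritten, which the carver caps at a maximum size and marks incomplete, and a keyword that is present in UTF-16LE as well as ASCII.

```python
import hashlib

# Header and footer signatures used for carving (JPEG SOI/EOI markers, PNG
# signature and IEND chunk with its fixed CRC).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(buf, max_size=10 * 1024 * 1024):
    """Header-based carving: for each signature, find the header, then the
    first footer within `max_size`. No footer means the tail was overwritten;
    the object is still carved up to `max_size` and flagged incomplete."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = buf.find(header, pos)
            if start < 0:
                break
            window_end = min(len(buf), start + max_size)
            footer_at = buf.find(footer, start + len(header), window_end)
            complete = footer_at >= 0
            end = footer_at + len(footer) if complete else window_end
            found.append({
                "type": kind,
                "offset": start,
                "length": end - start,
                "complete": complete,
                "sha256": hashlib.sha256(buf[start:end]).hexdigest(),
            })
            pos = end  # resume after the carved object, not inside it
    return sorted(found, key=lambda r: r["offset"])


def keyword_hits(buf, keywords, encodings=("ascii", "utf-16-le")):
    """Every occurrence of each keyword in each encoding, with its offset and a
    little printable context so the hit can be triaged from the notes."""
    hits = []
    for kw in keywords:
        for enc in encodings:
            needle = kw.encode(enc)
            at = buf.find(needle)
            while at >= 0:
                ctx = buf[max(0, at - 16): at + len(needle) + 16]
                hits.append({
                    "keyword": kw,
                    "encoding": enc,
                    "offset": at,
                    "context": ctx.decode("latin-1").replace("\x00", "."),
                })
                at = buf.find(needle, at + 1)
    return hits


def build_sample_unallocated():
    """Constructed stand-in for unallocated space: zero filler, a deleted note
    in ASCII and UTF-16LE, a JPEG-shaped object, a PNG-shaped object, and a
    JPEG whose tail (and footer) was overwritten. Returns buffer and layout."""
    filler = b"\x00" * 1024
    note = b"deleted note about Q3 budget" + "budget".encode("utf-16-le")
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 300 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
           + b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00" + b"\x90wS\xde"
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    truncated = b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00" + b"\x22" * 500
    parts = [("filler0", filler), ("note", note), ("filler1", filler), ("jpeg", jpeg),
             ("filler2", filler), ("png", png), ("filler3", filler * 2),
             ("truncated", truncated), ("filler4", filler)]
    buf, layout = bytearray(), {}
    for name, part in parts:
        layout[name] = (len(buf), len(part))  # (offset, length) of each planted piece
        buf += part
    return bytes(buf), layout


def demo():
    buf, layout = build_sample_unallocated()
    return {
        "carved": carve(buf, max_size=1024),
        "hits": keyword_hits(buf, ["budget"]),
        "layout": layout,
    }


if __name__ == "__main__":
    result = demo()
    for c in result["carved"]:
        print(f'{c["type"]:5} offset={c["offset"]:6} len={c["length"]:5} complete={c["complete"]}')
    for h in result["hits"]:
        print(f'{h["keyword"]} ({h["encoding"]}) at {h["offset"]}: {h["context"]!r}')
```

Each carved object is recorded with its offset into the volume, its length, and its own hash, which is what the notes need when a carved file is later produced as output. The UTF-16LE search is there because Windows registry values, shortcut files, and many application artefacts store strings that way, and an ASCII-only keyword search misses them.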
- The system area of the volume (i.e. FAT, MFT, etc.) should be examined and any irregularities or peculiarities noted.
- Examination of areas of the media that are not normally accessible, such as extra tracks or sectors on a floppy disk or a host-protected area on a hard drive, may be required.
- To facilitate examination of data, user settings, device and software functionality, etc., the computer may be booted using either a copy of the boot drive or a protected device on the original device, to determine the functionality of the hardware and/or software.
- The forensic software used during the examination should be noted by its version and should be used in accordance with the vendor's licensing agreement. The software should also be properly tested and validated for its forensic use by the examiner or the examiner's agency.
- At the conclusion of the examination process, sufficient notation of any discovered material of an apparent incriminating or exculpatory evidentiary nature should be made.
- Sufficient documentation should be made of all standard procedures and processes initiated, as well as detailed notation of any variations made to the standard procedures.
- Any output of the recovered data should be properly marked with appropriate identifiers in accordance with policies from the examiner's agency.