Once arrived at the place where computer systems are subject to search, investigators will ensure access. Council of Europe Recommendation (95) 13 states that national legislation have to include in national legislation the obligation to provide access to computer systems, both from those who are responsible for and any person having knowledge of their operation. In addition to physical access, these individuals have a duty to provide information relating to system security information to allow investigators access to data stored in these systems.
Before proceeding to examine the systems, procedures should not neglect traditional forensic analysis of the searched space, such as physical sampling (fingerprints and other trace materials). It may also be relevant images on the monitor screen when entering the criminal investigation bodies. It can be preserved by photographing, filming, etc.
A first decision to make is the analysis of system at the ground or lifting it, and laboratory analysis.
In making this decision, you must consider the following issues:
- high quality of analysis in the laboratory;
- if the lifting computer system affects the activity of the suspect.
In that regard, have to take into consideration the recommendations of the International Chamber of Commerce, that states the rule avoid lifting systems of businesses if it would affect their normal activities.
The following criteria are useful in assessing the appropriateness of lifting systems:
- Sample volume criterion.
Particularity of systems to enable storage to a large volume of information in a small physical space makes investigation requiring a great deal of time to obtain relevant evidence. Such research on a large time period can be driven more effective in the laboratory. - Criterion of technical difficulties.
- The problem of avoiding destruction of the data during the investigation. Systems analysis by investigators who do not have sufficient knowledge on the equipment or software used can destroy data accidentally.
- Problem of recovery of the system in the laboratory. Due to a large variety of technical components of computers, for the system to function properly in the laboratory, have to waive all equipment present at the search. If partial lifting of system components, it is possible to have incompatibilities between the presence of high information system equipment and the laboratory (eg incompatibility of computer peripheral equipment – printers, etc.), or between programs on lifted system and laboratory equipment.
Once decided to lift the computer system at the scene of the search, have to be taken some measures to allow its exact reconstruction in the laboratory. First, shall be recorded the arrangement in space of the computer system equipment. This can be done either by shooting system from all angles, either by shooting video. In the process of photographing and filming, it is necessary to insist on the wiring connecting the various components of the equipment. Recording in camera or video version has relevance also to show the state they found equipment when lifting, thus preventing possible damage related complaints during its investigation.
In the lifting process of system components must be taken into account the need to preserve data integrity and identity. Any damage to the substrate on which the data will inevitably lead to their destruction. The prosecutors have to be specifically trained to protect evidence of an electronic nature.
Lifting procedure of computer systems is as following:
Step 1: Close the system. If the system was found closed when entering investigators should not be any reason on. It will proceed moving to other stages. If the system was found open, it must be closed in order to proceed to raise it. To close the system you can use the following methods:
- disconnection from the power supply;
- closure according to normal procedure.
The first alternative is preferred if the investigator has no knowledge of computer. Some computers have uninterruptible power supplies (UPS). In this case, in addition to disconnection of the power supply system, the system must also be stopped. Disconnection will occur, in most cases, loss of data, but can avoid deleting relevant information such as temporary files that can be deleted in the normal process of closing the computer.
The second alternative is preferred when the computer is connected to the network, or when the investigator is assisted by a person who has knowledge about the functioning of that system, and about the procedures to be used for closing it.
Stage 2: Labeling components. If disassembly is required, each component of the system must be labeled before the configuration change, to raise evidence. If cables, are labeled both cable and media where it was disconnected. In case of holders who have not connected cables, it is advisable to be labeled “empty”. It can be done and an outline of components, specifying the symbols used for labeling.
Stage 3: Protection for changes. All magnetic data storage must be protected against alteration of their content. Some types of hard disks have special contacts that perform write-protection. If diskettes, protection will be done by moving witness of allowing changes to “closed”.
Stage 4: Lifting the system. Raising samples have to be done very carefully, avoiding any damage to components. It is advisable to pack components in the original packaging, if this can be found, or special packaging that assure their electrostatic protection. Also, all magnetic data storage media will be packed and sealed in such a way that access to them is enabled by disposing in the laboratory.
(This article contains materials translated and adapted from MCTI)
Leave a Reply