Computer forensics involves the complex task of accurately investigating events or activities on computer systems without adversely affecting the integrity of the data contained on those systems. This is a difficult task to perform properly, requiring expert handling and care. A forensics investigator is asked to answer fundamental questions surrounding an event: who did what, when did they do it, and how was it accomplished? At the same time, investigators are expected to take precautions that ensure the integrity of the original evidence is maintained. To that end, investigators follow precise procedures to safeguard the data while allowing the investigation to proceed. These procedures include maintaining a chain of custody for all evidence material, maintaining the integrity of the data-source media, and creating accurate mirror images of data sources. Only after these important steps are taken can an investigator begin the forensics analysis of mirrored data.
Chain Of Custody And Data Integrity
The phrase "chain of custody" refers to the accurate auditing and control of original evidence material that could potentially be used for legal purposes. Knowing the current location of evidence is not enough--there should be accurate logs tracking the movement and possession of evidence material at all times. For investigators performing forensics analysis, it is essential to track the location of original data material from the moment it enters into the investigator's possession until it is released into the custody of another person or organization. In addition, investigators must control and audit physical access to the original data while it is in their possession. For instance, if data is stored in a safe, anyone with access to that safe must be accounted for and noted. Any logs created and kept by the forensics investigators could potentially be used for legal purposes: consequently, maintaining a proper chain of custody is important to the owner of the data as well as authorities who may want to pursue legal action.
While evidence data is in the possession of the investigator, he must ensure that the original state and condition of the data is maintained. Preserving the integrity of the original data source is the most important aspect of performing forensics analysis. Not only does preserving data integrity maintain a credible data source from a legal perspective, it also allows subsequent investigations to start from the same base and replicate the analysis. Performing analysis on the original data source can cause irreparable loss of forensics information, because several routine actions inherently modify the data. For example, turning on and booting a computer system from an evidence disk changes file timestamps and writes to the audit logs on that disk. Even the simple act of displaying the contents of a file can update its last-accessed timestamp. Unless an original, unaltered, clean copy of the evidence data is maintained, those modifications can permanently destroy valuable information that may be needed for subsequent forensic testing and analysis.
Data Mirroring: An Essential Step
The single best action an investigator can take to preserve the integrity of data is to create accurate mirror copies of all original data. Consequently, one of the goals of an investigator is to handle the original data as little as possible. To that end, the first copy made is referred to as the "master copy" and is not used for performing analysis but rather for creating additional mirror copies on which analysis will be performed. In this manner, the original data only needs to be handled once to make the master copy, after which the originals are returned to safe storage or released from custody.
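The procedure above (image the original exactly once, prove the master matches the original, make working copies only from the master, and log every handling event with the hash that identifies the bytes handled) can be expressed as a small script. The following is an added example written for this page, not code from the original article or from any forensic tool; the file names, the JSON-lines log format and the examiner name are assumptions for illustration, and the script reads the source through an ordinary read-only file open, which does not replace the hardware write blocker an examiner would put between the evidence drive and the acquisition machine.

```python
"""Verified forensic imaging with a hash-backed custody log (added example).

Assumptions (not from the article): paths, the JSON-lines log layout and the
examiner name are illustrative; sources are opened read-only, but a real
acquisition still needs a hardware write blocker in front of the evidence drive.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so a whole device never sits in RAM


def sha256_of(path):
    """Hash a file by streaming it; opened read-only, so the file is not altered."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record(log, examiner, action, source, dest, digest):
    """Append one custody event: who, what, when, and the hash of the bytes handled."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "action": action, "source": source, "dest": dest, "sha256": digest}
    with open(log, "a") as f:
        f.write(json.dumps(entry) + "\n")


def image_source(src, master, log, examiner):
    """Byte-for-byte copy of src into master, touching the original only once.
    The source hash is taken from the bytes as they stream past; the finished
    master is then re-read and hashed independently so the copy is proven
    identical before the original goes back into the safe."""
    h_src = hashlib.sha256()
    with open(src, "rb") as fin, open(master, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h_src.update(block)
            fout.write(block)
    src_hash = h_src.hexdigest()
    master_hash = sha256_of(master)
    if master_hash != src_hash:
        raise RuntimeError("master does not match source: %s != %s" % (src_hash, master_hash))
    os.chmod(master, 0o444)  # master is never analysed directly; keep it read-only
    record(log, examiner, "imaged", src, master, master_hash)
    return master_hash


def make_working_copy(master, copy, log, examiner):
    """Analysis copies come from the master, never from the original."""
    shutil.copyfile(master, copy)
    copy_hash = sha256_of(copy)
    if copy_hash != sha256_of(master):
        raise RuntimeError("working copy does not match master")
    record(log, examiner, "working-copy", master, copy, copy_hash)
    return copy_hash


def verify(path, expected_hash):
    """True if the file still hashes to the value recorded at acquisition."""
    return sha256_of(path) == expected_hash


def read_log(log):
    with open(log) as f:
        return [json.loads(line) for line in f if line.strip()]


def demo():
    """Run the whole procedure on constructed evidence in a scratch directory.
    Returns the hashes and verification results so they can be checked."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        with open(src, "wb") as f:             # constructed sample evidence, not real data
            f.write(b"constructed evidence bytes\x00" * 4096)
        master, work, log = (os.path.join(d, n) for n in ("master.dd", "work1.dd", "custody.jsonl"))
        master_hash = image_source(src, master, log, "examiner-A")
        work_hash = make_working_copy(master, work, log, "examiner-A")
        with open(work, "r+b") as f:           # analysis alters the working copy...
            f.write(b"X")
        return {
            "master_hash": master_hash,
            "work_hash": work_hash,
            "source_hash": sha256_of(src),
            "master_intact": verify(master, master_hash),
            "work_intact": verify(work, master_hash),  # ...so it no longer verifies
            "log_actions": [e["action"] for e in read_log(log)],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two hash checks are the point: the master is proven equal to the original before the original leaves the examiner's hands, and every later copy is proven equal to the master, so any change made during analysis shows up as a verification failure on that copy while the master and its recorded hash stay usable as the base for a repeat examination.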
While safeguarding the original data source is critical, it isn't the only data needing protection. Maintaining strict control of the additional mirrored data is also important as the data contained within the copies may be sensitive and/or confidential. While a strict chain of custody does not need to be maintained for data copies, they should be strictly controlled and protected in a separate physical location from the original data, such as in a second safe or locked cabinet, with access to the copies restricted and audited. Authorized ...
Source: HighBeam Research, Forensic data handling.