Best Practice for Digital Forensics

We run into some very interesting situations with our clients. Sometimes you just can't make this stuff up. We've seen clients with former employees breaking back in to system to cause havoc to conducting covert data acquisition in the middle of the night of current employees suspected of wrongdoing. Often times companies are left to balance the need to get to information and gathering that information in a manner that doesn't trample all over the effectiveness of the data.

As an example, say you are laying off a key individual in your company and they have information on their laptop that you need. One approach would be just to have your technical support team come in and copy off the data via Windows copy or use Ghost to make a copy of hard drive. These two options will get the data copied, but at what cost?

• Will you have access to deleted data? 
• What if the data collected reveals criminal behavior or behavior that warrants litigation - do you have the data collected in a manner that can be used in court?
• Have you taken the steps to be able to show a clear picture of what occured on the computer?

So what do you do to protect yourself and the company?  Here's a list of the Top Ten Best Practices to digital forensics:

1. Document everything.
   
2. Never mishandle data. [case example] 
   
3. Never work on the original data.
   
4. Never trust the custodian’s software/hardware.
5. Maintain chain-of-custody throughout the process.
6. Only use courtroom admissible and licensed tools. [see NIST CFTT]
7. Be sure to be fully trained in the use of digital forensic tools.
8. Don’t forget other devices such as PDAs, Blackberries, iPhones etc. [see Paraben]
9. Use write-blocking hardware when doing physical acquisitions. 
10. Call an expert if you can't do any of the above!