As an example, say you are laying off a key individual in your company and they have information on their laptop that you need. One approach would be just to have your technical support team come in and copy off the data via Windows copy, or use Ghost to make a copy of the hard drive. These two options will get the data copied, but at what cost?
- Will you have access to deleted data?
- What if the data collected reveals criminal behavior or behavior that warrants litigation - do you have the data collected in a manner that can be used in court?
- Have you taken the steps to be able to show a clear picture of what occurred on the computer?
- Document everything.
- Never mishandle data. [case example]
- Never work on the original data.
- Never trust the custodian’s software/hardware.
- Maintain chain-of-custody throughout the process.
- Only use courtroom admissible and licensed tools. [see NIST CFTT]
- Be sure to be fully trained in the use of digital forensic tools.
- Don’t forget other devices such as PDAs, Blackberries, iPhones etc. [see Paraben]
- Use write-blocking hardware when doing physical acquisitions.
- Call an expert if you can't do any of the above!
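One way to put the "never work on the original", "document everything" and "maintain chain-of-custody" items into practice is a hash-verified acquisition record. The Python below is an added illustration, not code from the original article: a plain file copy stands in for a write-blocked imager run (so, unlike a physical image, it captures no deleted data), and the file names, handler name and JSON-lines log format are assumptions.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream-hash a file so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(source: Path, copy: Path, log: Path, handler: str) -> dict:
    """Copy the evidence, hash source (before and after) and copy, log the result.
    Matching before/after hashes document that acquisition did not touch the original."""
    before = sha256_of(source)
    shutil.copyfile(source, copy)  # stands in for a write-blocked imager run
    copy_hash, after = sha256_of(copy), sha256_of(source)
    record = {"time_utc": datetime.now(timezone.utc).isoformat(), "handler": handler,
              "action": "acquire", "source": str(source), "copy": str(copy),
              "sha256_source_before": before, "sha256_source_after": after,
              "sha256_copy": copy_hash, "verified": before == after == copy_hash}
    with log.open("a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")  # append-only, one JSON line per action
    return record

def verify_copy(copy: Path, log: Path) -> bool:
    """Re-hash the working copy and compare with the hash logged at acquisition."""
    records = [json.loads(l) for l in log.read_text(encoding="utf-8").splitlines() if l]
    acq = next(r for r in reversed(records)
               if r["action"] == "acquire" and r["copy"] == str(copy))
    return sha256_of(copy) == acq["sha256_copy"]

def demo() -> dict:
    """Run the workflow on a constructed sample image, then detect a later edit."""
    work = Path(tempfile.mkdtemp())
    source, copy, log = work / "laptop.dd", work / "working.dd", work / "custody.jsonl"
    source.write_bytes(b"constructed sample evidence\x00" * 4096)  # not real data
    rec = acquire(source, copy, log, "examiner A")
    intact = verify_copy(copy, log)
    with copy.open("r+b") as f:  # simulate someone editing the working copy
        f.write(b"X")
    return {"verified": rec["verified"], "intact": intact,
            "after_edit": verify_copy(copy, log)}

if __name__ == "__main__":
    print(demo())
```

Every later action on the evidence (analysis, hand-off, return to storage) would get its own appended record, and the hash recorded here is what lets an examiner show in court that the copy examined is the one acquired.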