(Source: International Association of Computer Investigative Specialists)
Hard disk examination
- Forensically sterile conditions are established. All storage media used during the examination are freshly prepared, wiped of extraneous data, scanned for viruses and tested before use;
- All software used is licensed and can be used by the institution;
- The original computer is physically examined. A description of the hardware is recorded. Any unusual item encountered during the physical examination of the computer system is noted.
- All precautions are taken during copying of or access to the original storage media to prevent the transfer of viruses, destructive code or other unintended changes to the content of the original storage media. It is recognized that, due to hardware and operating system limitations, this is not always possible;
- The CMOS contents and internal clock are checked, and the accuracy of the date and time is recorded. The clock's date and time are frequently important for establishing the date and time of file creation or modification.
- Normally, the original storage media are not used in the examination. An identical copy or a faithful image of the original storage media is made. This copy or image is used for the actual examination. A detailed description of how the copy or image was created is recorded.
- The copy or image of the original hard drive is examined and a description of what was found is recorded.
- Boot data and user-defined system configuration and operational command files (such as CONFIG.SYS or AUTOEXEC.BAT) are reviewed and a description of what was found is recorded.
- All deleted files that can be recovered are saved. Where useful or possible, the first character of recovered files is changed from hex E5 to "-" or another unique character for identification purposes.
- Normally, a listing is made of all the files contained on the media examined, whether or not they contain potential evidence.
- Where appropriate, the unallocated space is examined to identify hidden or lost data.
- If applicable, the slack space corresponding to each file is examined to identify hidden or lost data.
- The contents of each data file in the root directory and each sub-folder (if applicable) are examined.
- Password protected files are unlocked and examined.
- A printout or copy is made of everything that appears to constitute evidence. The file or location from which any such evidence was obtained is noted on each printed sheet. All exhibits are labeled, numbered sequentially, and properly secured and forwarded.
- Executable programs of specific interest are examined. User data files that could not be accessed by other means are examined using their native application.
- Comments and conclusions will be documented properly.
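
As an added illustration of the deleted-file, file-listing and per-file unused-space steps above (example code, not part of the IACIS procedure), the following Python parses FAT 8.3 directory entries from a constructed buffer, marks deleted entries (first byte hex E5) with "-", and computes the unused bytes in each file's last cluster. The function names, the sample directory and the 4096-byte cluster size are assumptions made for the example.

```python
import struct

ENTRY_SIZE = 32        # one FAT short-name (8.3) directory entry
DELETED_MARK = 0xE5    # first name byte of a deleted entry
ATTR_LFN = 0x0F        # long-file-name fragments, skipped here
ATTR_VOLUME_ID = 0x08  # volume label, not a file

def make_entry(name, ext, size, deleted=False):
    """Build a constructed 32-byte entry for the sample directory below."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = 0x20                         # archive attribute
    struct.pack_into("<I", raw, 28, size)  # file size in bytes
    if deleted:
        raw[0] = DELETED_MARK              # deletion overwrites the first character
    return bytes(raw)

def list_entries(directory, cluster_size):
    """Return name, deleted flag, size and slack bytes for each file entry."""
    rows = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = directory[off:off + ENTRY_SIZE]
        if e[0] == 0x00:                   # 0x00 marks the end of the directory
            break
        if e[11] == ATTR_LFN or e[11] & ATTR_VOLUME_ID:
            continue
        deleted = e[0] == DELETED_MARK
        # "-" stands in for the lost first character in this listing only;
        # the directory bytes being read are not modified.
        first = "-" if deleted else chr(e[0])
        base = (first + e[1:8].decode("ascii", "replace")).rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        size = struct.unpack_from("<I", e, 28)[0]
        rows.append({"offset": off, "deleted": deleted, "size": size,
                     "name": base + ("." + ext if ext else ""),
                     "slack": -size % cluster_size})  # unused tail of last cluster
    return rows

# Constructed sample directory (not taken from a real disk image).
SAMPLE_DIR = (make_entry("AUTOEXEC", "BAT", 120)
              + make_entry("LETTER", "TXT", 5000, deleted=True)
              + make_entry("CONFIG", "SYS", 4096)
              + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for row in list_entries(SAMPLE_DIR, cluster_size=4096):
        print(row)
```

The listing includes every entry, deleted or not, so it can serve as the complete file inventory; run it against a working copy or image, never the original media.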