Donning the GLOVes of An Investigator

PCQ Bureau

We've been talking about Computer Forensics in our articles for quite a few years now. We were the first magazine in the country to take you through a hands-on guide on running different forensics tools. We have discussed the best practices to follow after a machine is compromised and before an investigator arrives. This time we take you through the complete process of investigation from the eyes of an investigator in a photo feature. So, we shall not talk of any fancy tools; rather, we will see what a Computer Forensic Investigator does when he reaches a crime scene and how he responds to it. To get inputs, we contacted a private Computer Forensic Lab in Delhi/NCR named Orkash and did a mock drill. Here's what happened.

The first step in a forensics investigation is to identify and record the condition of the compromised machine. This means one has to check whether the machine is off or on, whether it is connected to the network, whether it is physically damaged, etc.

Once the victim machine is identified, one has to very carefully turn the monitor to see what's going on on the screen. This is the first level of observation, and while touching the physical components, the investigator has to make sure he neither changes the crime scene nor leaves any other mark, such as fingerprints. So the use of surgical gloves is a must.

The next step is to identify the OS and other applications running on the system. If the system is based on Windows, the best approach is to take out the power cable directly so that all page files are intact and no disk cache data is lost.

After taking out the power cable, the investigator should take out all the other cables from the ports and seal all the ports, including the power socket, using labels (with time and case name) and tape. This makes sure that after the investigation, nobody uses the machine in any form.

Now is the time to take out the machine very carefully and tag it with the case and victim name. This name will identify the machine throughout the investigation. So, for instance, the case name here is 'Demo-PCQ' and the machine name, Demo-PCQ-0001.

The next step is to carefully open the cabinet of the machine. The only thing to be careful about is to avoid leaving fingerprints or other marks of the investigator.

Once the machine is open, the investigator has to very carefully take out the hard drive(s). Once a disk has been taken out, the investigator needs to pack the drive in an anti-static bag and label it with the case and component names.

Now is the time to take note of each and everything that has happened at the scene: starting from what was running on the screen, to the condition of the computer (clean or dusty), the make and model of the computer and peripherals, etc.

Once the notes have been taken, it is time to close the cabinet and seal it with tape and labels. This is to make sure nobody tampers with the machine after the investigator has left.

The hard disk has to be taken to the forensics lab for image creation and data analysis. In image creation, an image is created bit-by-bit from the disk, with values that can't be tampered with.

This can be ensured by not letting anybody write anything to the disk while creating an image. A FastBloc is a device which disables writes to a disk, so no one can write anything to the hard drive. It comes with many adapters, which let it connect not just to a hard disk but also to other storage devices such as USB drives, memory cards, phones, MP3 players, etc.

This is how a connection with FastBloc is made. Once connected, the image of the disk can be created and the analysis started.
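The imaging and verification step described above, as an added example that is not from the article or from Orkash: a Python sketch that copies a source bit-for-bit to an image file, hashes the source bytes as they are read, hashes the finished image independently, and records both values alongside the case and evidence labels. SHA-256, the file paths and the small random file standing in for the drive are all assumptions of this example; a real acquisition reads the drive through a hardware write blocker such as the FastBloc mentioned in the text.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large devices never fit in memory


def sha256_file(path):
    """Hash a file (or block device) in chunks without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source_path, image_path, case_name, evidence_id):
    """Copy source_path bit-for-bit to image_path, hashing the source as it
    is read; then hash the finished image separately and compare the two."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    record = {
        "case": case_name,
        "evidence_id": evidence_id,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": os.path.getsize(image_path),
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_file(image_path),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record


def demo():
    # Constructed sample: a small random file stands in for the suspect drive.
    tmp = tempfile.mkdtemp()
    source = os.path.join(tmp, "suspect_disk.bin")
    image = os.path.join(tmp, "Demo-PCQ-0001.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(2 * CHUNK + 12345))
    record = image_device(source, image, "Demo-PCQ", "Demo-PCQ-0001")
    # Before analysis, re-hash the image: any change since acquisition shows up.
    still_intact = sha256_file(image) == record["image_sha256"]
    return record, still_intact


if __name__ == "__main__":
    print(demo())
```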