F6-Preparing for forensic Duplication
Dr. John P. Abraham
Professor
UTPA
Tools
• Your toolkit needs to include every type of computer hardware interface going back many years: hard drives such as IDE, SCSI, FireWire, RAID, CDs, DVDs, floppy drives, etc., with the appropriate cables and terminators.
• Screwdrivers, flashlight, drill, jumpers, cable ties, power cords for internal and external devices.
• Digital camera. Take plenty of pictures, before and after.
• Chain of custody forms, evidence labels, permanent markers, evidence envelopes, evidence tape, anti-static bags, evidence hard drives, boot floppies/CD-ROMs, blank CDs, DVDs and floppies, hub, switch, network cable, power strip, operating system installation media.
Document, Document, Document
• Evidence worksheets
• System worksheets
• Agent notes
• Evidence labels
• Chain of custody forms
• Evidence custodian logs
• Evidence access logs
• Each piece of hardware must be documented with make, model, serial number, evidence tag number, geometry, capacity and jumper settings, expansion cards present, peripheral connections, physical location, etc.
• Keep notes on any other relevant information, such as conference calls, shipment tracking numbers and findings.
Label duplicated items
• Case number
• Evidence tag numbers
• Contents
• Acquired by
• Date
• Number of partitions, type of file system, etc.
Chain of custody
• Source individual
• Source location
• Destination individual
• Destination location
• Transfer date
• Signatures
– The final place is the evidence safe maintained by the evidence custodian. The evidence custodian keeps a log of:
– Date, name, case number, time in, time out