In the first installment in this series, I stepped through how to secure the scene and obtain permission to search. In this second installment, we'll look at preserving the integrity and the initial state of the scene so that it can be reconstructed at any time in the future.
Once permission to search is obtained, the next step is to initiate a log that tracks who enters the scene, the date and time they entered and exited, and the purpose of their visit. This kind of control helps to prove scene integrity in court. Someone should be assigned direct responsibility for controlling scene access. When an investigator is busy processing the scene, it's usually difficult for him or her to maintain control over "interested parties" who believe they actually have a reason to visit.
Before the scene is searched or any evidence collected, the investigator should take a series of photographs of the subject's workspace. The number and types of photographs taken often depend on the type of crime being investigated. However, here are some guidelines:
- Photograph walls, floor (including under desks and tables), and ceiling if appropriate. The photographs must be tracked in some way in order to place them in the correct order later.
- Take a series of pictures of the desk surface, including the location of the PC and devices connected to it. Again, photo tracking is critical for later reconstruction.
- Take close-up shots of items of interest with notations about where they can be found in the general shots.
- Take a photograph of what is on the computer display at the time the scene is first entered.
All photographs should be marked with date and time, preferably by the camera. The process followed when photographing the scene should be carefully documented in the case notes.
After the scene is photographed sufficiently to allow later reconstruction, the process of collecting evidence begins. We'll walk through the process of physical evidence collection in the next installment of this computer forensics series.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.