In the previous installment of this series, we collected, safeguarded, and transported physical evidence. In this post, we'll begin processing the data contained in the suspect's computer.
After photographing the target computer at the scene, the next step is to decide whether to perform a live or a dead analysis. A live analysis is performed when it's believed that information crucial to the investigation might be contained in volatile storage. The system is not powered off until this information is retrieved. In all other cases, the target system is shut down and usually transported to the investigator's lab for analysis. A lab analysis isn't absolutely necessary, but the investigator has more control over the process and the integrity of the evidence when in the lab.
Once the decision is made to power down the computer, care must be taken to ensure the normal power-off sequence doesn't alter any data on nonvolatile storage. On a Microsoft Windows system, for example, the normal shutdown process writes information to the hard drive. The best way to prevent a graceful shutdown — and this is one time you DO want to prevent it — is to simply pull the power cord from the wall outlet. This leaves the nonvolatile storage in the state it was in when the scene was secured. The computer should then be tagged and transported to the investigator's lab.
Once in the lab, the investigator prepares to analyze the computer's storage devices. He or she starts by gathering information about the computer and the way it's set up. This begins by booting the system and entering BIOS setup. Be sure the system DOES NOT boot from any internal devices. If the investigator is unsure about whether he or she can enter BIOS setup without accidentally passing to the operating system boot process, he or she should disconnect internal drives before powering up the target system.
Getting to the BIOS setup is accomplished in various ways, depending on the computer's manufacturer. I use a Dell XPS M140. To enter setup, I press [F2] on initial startup. This brings up the screen shown in Figure A.
From within the BIOS, the investigator collects and documents the following information:
- The basic setup of the system, including memory, CPU, and identifying data such as the service tag shown in the example above
- Information about the drive type
- The system's boot sequence
- The BIOS time and date
The best way to document this information is by photographing the various screens as they're displayed on the target system. Before leaving setup, the investigator must consider whether to change the boot sequence. If he or she plans to use the target computer for analysis, it's critical that the system be prevented from booting from storage devices that are to be analyzed, because booting from them might change data relevant to the investigation. The best approach is to use a system set up specifically for forensic analysis.
In the next installment of this series, I'll examine how to deal with a system BIOS setup protected by a password and how to prepare for the actual acquisition of data from the target system's drives.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.