Digital Forensics

Category: Science and Technology

Date Submitted: 11/12/2010 08:11 PM

Running Head: STEPS TO A PROPER FORENSIC EXAMINATION

Unit Two Project

Monica Kieffer

Kaplan University

IT 411 Digital Forensics

Professor Whitten

October 26, 2010

Every computer investigation begins with the first and most critical step: preserving any possible evidence. Every case will be different, and the steps an examiner takes will vary. The one thing to keep in mind is that evidence can be easily destroyed if precautions are not taken, so the proper procedures must always be followed. Any potential risks need to be identified and confronted before a case can begin.

When a locked computer is involved, gaining access to the evidence can be an obstacle, but this step is taken care of when other willing parties are involved. Even though a trusted administrator can be helpful in an investigation, they must not become too involved (as they are not part of the investigation). They will be required to sign documents along the way recording their involvement, and must later be available in the event that the evidence makes it to court. After access has been gained, with the help of an approved person, the examination can continue.

Windows 2000 Server is a common network operating system that may be the target in many computer investigations. There is a logon/logoff or shutdown procedure for every operating system, and in this case a normal shutdown procedure is the most appropriate option (Bunting, 2008). Any programs that are open or running need to be documented before the computer can be shut down, because it may be the only chance to capture the information and have proof of it later on. This is because data contained within volatile RAM is no longer available after shutdown, and it could simply be destroyed (Bunting, 2008).

Before shutdown though, photographs need to be taken of the computer area itself, the screen, and surrounding areas (Bunting, 2008). Every detail needs to be recorded about the media and the steps...