Title of invention: Obtaining complete forensic images of electronic storage media
Abstract: In a method of obtaining a complete forensic image of an electronic storage media containing electronic data, the storage media is part of a computer system. The method includes the steps of: (a) storing a data collection program on an external storage device; (b) sending the external storage device to a custodian of the electronic data, together with means for the custodian to easily return the external storage device; (c) requiring the custodian to connect the external storage device to a computer system containing the storage media; (d) requiring the custodian to use the data collection program to forensically collect the electronic data to create a complete forensic image of the storage media containing the electronic data; (e) authenticating the forensic image; and (f) preserving an exact copy of the forensic image without making changes to the forensic image.
Publication number: US9087207(B2) Publication date: 2015.07.21
Application number: US201012726553 Filing date: 2010.03.18
Applicant: Ricoh Company, Ltd. Inventor: Greetham David A.
Classification: G06Q99/00; G06F21/62; G06F21/78; G06Q50/18; G06Q50/00; G06F3/06 Main classification: G06Q99/00
Agency: Hickman Palermo Becker Bingham LLP Agent: Hickman Palermo Becker Bingham LLP; Becker Edward A.
Principal claim: 1. A method of a first computer system obtaining a complete forensic image of an electronic storage media that is part of a second computer system containing electronic data, by collecting forensic data, the storage media being part of the second computer system which includes a display screen, the method comprising the steps of: a. using the first computer system to store a data collection program on a password-encrypted external storage device, the storage device having a USB 1.1 or greater interface, the storage device receiving all of its operating power via the USB interface, the first computer system modifying the data collection program, i. to select a desired level of encryption, ii. to require specific input of information from a custodian of the electronic data, iii. to select switches to capture RAM, iv. to select a drive to be imaged, v. to select data capturing switches, to be used during the process of capturing the forensic data, from the group of switches comprising: verification, chunked file sizes, logging options, and verification, and vi. to select audit switches, to be used to perform a system audit after termination of the imaging by the data collection program, from the group of audit switches comprising: operating system version, logged-on user name, hard drive size, and electronic serial numbers; b. sending the external storage device to the custodian of the electronic data, together with means for the custodian to easily return the external storage device; c. the custodian connecting the external storage device to the second computer system containing the storage media, once connected, the data collection program displaying a splash screen on the display screen; d. the data collection program, via the splash screen, using the second computer system to forensically collect the electronic data to create a complete forensic image, on the external storage device, of the storage media containing the electronic data; e. the data collection program encrypting the external storage device; f. the data collection program auditing the forensic image; and g. the data collection program preserving an exact copy of the forensic image onto the external storage device without making changes to the forensic image.
Address: Tokyo JP