During a computer forensic examination, achieving the
goal of preserving evidence integrity is not as straightforward
as it might first appear. It is not enough to avoid
writing to the disk drive under investigation, because
a modern operating system modifies data on disk simply
in the course of running.
It is vital for the integrity and continuity of evidence
that the work is undertaken with known and stable tools.
Network Security Associates are able
to guarantee, to the satisfaction of a court, that
the operating system will not change the material
under examination without the examiner's knowledge.
Operating systems such as Windows 95, Windows 98,
Windows NT/2000 and XP incorporate increasingly sophisticated
Plug and Play features which try to reconfigure the
system each time new hardware is added, and may even
attempt to recognise and incorporate new software.
In addition, their file systems record when each
file was last accessed. That last-access time is exactly
the sort of information a forensic examination relies on,
but if the examination itself is recorded
as the latest access, the integrity
of the evidence is ruined.
With this in mind, Network Security Associates use
the same method of protecting a disk drive against
modification by the operating system as the FBI. Whilst
this seems to be common sense, it is surprising how
many people do not realise the consequences of simply
booting a PC under its own operating system: date
and time stamps (which may be crucial) will change,
and allegations of tampering will follow.
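The point above, that evidence must be shown not to have changed during the examination, is usually proved with a cryptographic hash and a metadata record taken at acquisition and re-checked afterwards. The following is an added example written for this page, not code from Network Security Associates or a description of the FBI method referred to above. It constructs a small stand-in for a disk image, records its SHA-256, size and modification time in a manifest, then shows that re-reading the file verifies cleanly while either a one-byte content change or a timestamp change is reported. The sample image contents and the manifest fields are this example's own choices. The access time is deliberately left out of the manifest because the verification itself reads the file, which is precisely the last-access problem the page describes; in practice the image is mounted read-only with access-time updates disabled so that atime can be preserved as well.

```python
"""Added example (not from the original page): a hash-and-manifest check that
shows why evidence must be handled read-only. Record a SHA-256 and file metadata
at acquisition, then prove later that nothing, not even a timestamp, has moved.
The manifest layout and the demo file contents are this example's own choices,
not a description of any laboratory's procedure."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so a multi-GB image fits in memory


def sha256_file(path):
    """Hash a file opened strictly read-only; never open evidence for writing."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_manifest(path):
    """Snapshot what a later verification must reproduce exactly.

    atime is intentionally not recorded: verifying reads the file, and on a
    normally mounted file system that read would itself update atime.
    """
    st = os.stat(path)
    return {
        "sha256": sha256_file(path),
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,  # last content-modification time
    }


def verify_manifest(path, manifest):
    """Return the names of fields that no longer match; [] means intact."""
    current = acquire_manifest(path)
    return [key for key in ("sha256", "size", "mtime_ns")
            if current[key] != manifest[key]]


def run_demo():
    """Acquire a constructed 'evidence' file, then show two kinds of tampering.

    Returns (clean, content_changed, time_changed): the mismatch lists from
    verifying an untouched file, a file whose modification time was reset
    (the sort of side effect a boot or a careless tool produces), and a file
    with a byte appended.
    """
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "suspect_disk.dd")
        with open(path, "wb") as fh:
            # Constructed sample image, not real disk data.
            fh.write(b"NTFS    " + bytes(range(256)) * 64)
        manifest = acquire_manifest(path)

        clean = verify_manifest(path, manifest)  # re-reading must change nothing

        # Metadata-only change: rewind mtime to the epoch, content untouched.
        atime_ns = os.stat(path).st_atime_ns
        os.utime(path, ns=(atime_ns, 0))
        time_changed = verify_manifest(path, manifest)

        # Content change: append one byte; hash and size both move.
        with open(path, "ab") as fh:
            fh.write(b"\x00")
        content_changed = verify_manifest(path, manifest)

    return clean, content_changed, time_changed


if __name__ == "__main__":
    clean, content_changed, time_changed = run_demo()
    print("untouched image mismatches:", clean)
    print("timestamp reset mismatches:", time_changed)
    print("appended byte mismatches:  ", content_changed)
```

The manifest is the artefact to sign, date and keep with the chain-of-custody record; re-running `verify_manifest` on the working copy at the end of the examination, and again before court, is what lets an examiner answer an allegation of tampering with a reproducible check rather than an assurance.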