This snapshot, taken on 04/03/2010, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.


Forensics Checklist

The following principles apply to all forensic investigations. They should be considered before embarking on an incident management process.

1. Do no harm

Do not blunder into the suspect system without thought. You may destroy fragile evidence. You may, for example, stop computer processes from running that are in themselves evidence of the event.

A measured approach to incident management is more effective. Digital forensics should be an integral part of a formal incident management policy (IMP).

2. Preserve the scene

Seal the area and prevent access to suspect equipment and its location. Prevent computer access to suspect systems, including remote access.

3. Record the circumstances of the incident

Any observations should be signed by witnesses, with time and date stamps.

4. Preserve the evidence

Not all the following principles may apply, but they should be considered:

  • Identify all potential sources of data
     - Event logs, firewall records, e-mail logs etc.
  • Check any event logs
     - Who has access, are they protected?
  • If you have CCTV video-tapes of access to the system / premises
     - Remove the tapes
     - Seal them in an envelope
     - Sign (with date and time) across the seal flap
     - Have someone witness this (with signature, date and time)
     - Cover the signatures with clear sticky-tape, and keep the envelope in a trusted place, such as a safe that has limited access
     - Most CCTV tape management involves a log. Make sure this is preserved similarly
  • This approach can be used for a range of evidence. It is not restricted to CCTV tapes. Other sources that can be treated this way include:
     - Physical access logs
     - Visitor records
  • Take 'image' copies of suspect systems
     - Using standard computer copying facilities is often not enough. You should consider keeping imaging software as a standard part of your IT management toolkit (it has uses beyond forensics, such as system recovery)
  • Consider imaging
     - Firewall configurations
     - Mail monitoring software & configuration
     - External access rights
     - Internet connections
  • Clocks and timings
     - Check the clock times on all relevant devices (including CCTV and other non-computer sources of evidence)
     - Record them (using signature, date and time). Have this record witnessed and preserved
     - Check relevant system logs to see if clock times have been changed
     - Use GMT as the standard for all timings
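As an added example that is not part of the original checklist: a small Python tool for the 'Clocks and timings' step above. It records each device's offset from a trusted GMT/UTC source read at the same instant (device names, readings and log lines are constructed sample data), and re-expresses the devices' own log timestamps in UTC so events from different sources sort in their true order.

```python
"""Clock-offset record and log normalisation for a seizure, as the checklist's
'Clocks and timings' step asks. Added example, not part of the original page;
device names, readings and log lines are constructed sample data."""
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"


def clock_offset(device_time: str, reference_utc: str) -> timedelta:
    """Offset of a device's displayed clock from a trusted UTC (GMT) source,
    both read at the same instant. Positive means the device clock runs fast."""
    return datetime.strptime(device_time, FMT) - datetime.strptime(reference_utc, FMT)


def to_utc(device_stamp: str, offset: timedelta) -> str:
    """Convert a timestamp taken from that device's own log to UTC by removing
    the measured offset (assumes the offset was constant over the log period)."""
    t = datetime.strptime(device_stamp, FMT) - offset
    return t.replace(tzinfo=timezone.utc).strftime(FMT + " UTC")


def offset_record(device: str, device_time: str, reference_utc: str,
                  recorded_by: str, witness: str) -> str:
    """One line of the signed, witnessed clock record the checklist calls for."""
    secs = int(clock_offset(device_time, reference_utc).total_seconds())
    return (f"{device}: displays {device_time}, reference {reference_utc} UTC, "
            f"offset {secs:+d}s; recorded by {recorded_by}, witnessed by {witness}")


def normalise_logs(readings: dict, logs: list) -> list:
    """Rewrite each (device, raw log line) to UTC and return them in true order
    as (utc_stamp, device, message) tuples."""
    offsets = {dev: clock_offset(*pair) for dev, pair in readings.items()}
    rows = []
    for device, line in logs:
        stamp, message = line[:19], line[19:].strip()   # leading 'YYYY-MM-DD HH:MM:SS'
        rows.append((to_utc(stamp, offsets[device]), device, message))
    return sorted(rows)


# Constructed readings: (device clock, reference UTC) taken at the same instant.
READINGS = {
    "firewall-01": ("2010-03-04 10:03:17", "2010-03-04 10:00:02"),  # runs 195 s fast
    "cctv-dvr":    ("2010-03-04 09:58:42", "2010-03-04 10:00:02"),  # runs 80 s slow
}

# Constructed log lines as each device recorded them.
SAMPLE_LOGS = [
    ("firewall-01", "2010-03-04 09:45:10 DENY 203.0.113.5 -> 10.0.0.12:445"),
    ("cctv-dvr",    "2010-03-04 09:41:55 motion camera-3 server-room-door"),
]

if __name__ == "__main__":
    for dev, (shown, ref) in READINGS.items():
        print(offset_record(dev, shown, ref, "investigator A", "witness B"))
    for row in normalise_logs(READINGS, SAMPLE_LOGS):
        print(*row)   # firewall DENY precedes the CCTV motion once both are in UTC
```

The raw timestamps put the CCTV motion before the firewall denial, while the corrected UTC times show the opposite order, which is why the checklist asks for clock offsets to be recorded and witnessed before logs from different devices are compared.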