Chris has been called upon to investigate a hacking incident reported by one of his clients. The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area, records the scene using visual media. He shuts the system down by pulling the power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to disconnecting any. What do you think would be the next sequence of events?
After securing the scene and recording evidence, the priority should be to ensure that the integrity of the evidence is maintained. This means securing the evidence first before any further procedures are undertaken. Once the evidence is secured, the next steps would involve preparing the system for acquisition, connecting the target media, and finally copying the media. This sequence ensures that all actions are performed methodically and the evidence's integrity is preserved.
D. After securing the evidence, the evidence is transported to a lab, where data acquisition is prepared for and made.
As per EC Council material, next step is to remove the cables and then secure and label them. "Disconnect all wires and cables from the computer and secure them Check for any removable media and secure them if present Tag the evidence clearly and note all important details in the search and seizure evidence log Document the chain of custody"
Step 15. Format the target hard disk on which the binary copy will be ripped. Step 16. Connect the blocker (software or hardware) to the tested source disk with the writeprotect technology, guaranteeing data integrity. Step 17. Make a binary (bit-by-bit) copy of the source disk for later analysis onto a blank target disk. Step 18. Calculate a checksum (hash) of copies – authentication, which is a digital signature of copied data, guaranteeing their fidelity necessary in the evidentiary proceedings Step 19. Secure and pack the hard disk with the binary copy (destination) in an anti-static bag.