Forensic Examination of Digital Evidence

28.06.2016 Views
SPECIAL REPORT / APR. 04 Hard Drive Evidence Worksheet Case Number: Laboratory Number: Exhibit Number: Control Number: Hard Drive #1 Label Information [Not Available ] Hard Drive #2 Label Information [Not Available ] Manufacturer: Manufacturer: Model: Model: Serial Number: Serial Number: Capacity: Cylinders: Capacity: Cylinders: Heads: Sectors: Heads: Sectors: Controller Rev. Controller Rev. IDE 50 Pin SCSI IDE 50 Pin SCSI 68 Pin SCSI 80 Pin SCSI Other 68 Pin SCSI 80 Pin SCSI Other Jumper: Master Slave Jumper: Master Slave Cable Select Undetermined Cable Select Undetermined Hard Drive #1 Parameter Information DOS FDisk PTable PartInfo Linux FDisk SafeBack EnCase Other: Capacity: Cylinders: Heads: Sectors: LBA Addressable Sectors: Formatted Drive Capacity: Volume Label: Partitions Name: Bootable? Start: End: Type: Hard Drive #2 Parameter Information DOS FDisk PTable PartInfo Linux FDisk SafeBack EnCase Other: Capacity: Cylinders: Heads: Sectors: LBA Addressable Sectors: Formatted Drive Capacity: Volume Label: Partitions Name: Bootable? Start: End: Type: Hard Drive Evidence Worksheet Page 1 of 2 46

FORENSIC EXAMINATION OF DIGITAL EVIDENCE: A GUIDE FOR LAW ENFORCEMENT Image Archive Information Archive Method: Direct to Tape NTBackup Tar Other :* Compressed? Attach appropriate worksheet for backup method used. Tape Type: DAT 24 Dat 40 DLT * Other *: Number Used: *Requires Lab Director Approval Analysis Platform Information Operating Systems Used: DOS Windows Mac *nix Other: Version: Analysis Software Base: I-Look EnCase DOS Utilities *nix Utilities Other:* Version: Restored Work Copy/Image Validated: Yes No List of utilities used other than base Utility Version Purpose Analysis Milestones Milestone Remarks Initials Run Anti-Virus Scan Full File List with Meta Data Identify Users/Logons/ISP Accounts, etc. Browse File System Keyword/String Search Web/E-mail Header Recovery Recover & Examine Free/Slack Space Examine Swap Unerase/Recover Deleted Files Execute Programs as Needed Examine/Recover Mail/Chat Crack Passwords Hard Drive Evidence Worksheet Page 2 of 2 47

Page 1 and 2: APR. 04 U.S. Department of Justice

Page 3 and 4: APR. 04 Forensic Examination of Dig

Page 5 and 6: Foreword Developments in the world

Page 7 and 8: Technical Working Group for the Exa

Page 9 and 10: Michael Finnie Forensic Specialist

Page 11 and 12: Contents Foreword . . . . . . . . .

Page 13 and 14: SPECIAL REPORT / APR. 04 Examinatio

Page 15 and 16: SPECIAL REPORT / APR. 04 ongoing tr

Page 17 and 18: Chapter 2. Evidence Assessment Prin

Page 19 and 20: FORENSIC EXAMINATION OF DIGITAL EVI

Page 21 and 22: Chapter 3. Evidence Acquisition Pri


Page 25 and 26: SPECIAL REPORT / APR. 04 ■ File c

Page 27 and 28: SPECIAL REPORT / APR. 04 ■ Analyz

Page 29 and 30: SPECIAL REPORT / APR. 04 During the

Page 31 and 32: Appendix A. Case Examples The follo







Page 46 and 47: Appendix B. Glossary The following


Page 50 and 51: SPECIAL REPORT / APR. 04 Computer E

Page 54 and 55: SPECIAL REPORT / APR. 04 Removable

Page 56 and 57: Appendix D. Examples of Request for




Page 64 and 65: Appendix F. Technical Resources Lis











Page 86 and 87: SPECIAL REPORT / APR. 04 High Techn

Page 88 and 89: Appendix H. List of Organizations T

Page 90 and 91: About the National Institute of Jus

forensic

digital

examination

enforcement

laboratory

analysis

forensics

electronic

investigator

encase

Forensic Examination of Digital Evidence

Delete template?

Save as template ?