Overview

  1. Prepare
  2. Secure and Seize
  3. Preserve
  4. Analyse
  5. Report

Preparation

Secure and Seize

Meta

Legality

Make sure your seizure is legal, and that you are authorised to perform the work.

Written permission, a warrant, a legal undertaking, etc. Keep a copy of the authorisation with the case file; it is the first thing challenged if the evidence is disputed.

Securing the Scene

Make sure the site is secure before anything is touched: control who is in the room, and keep the subject and bystanders away from the devices and any network connections.

Document Everything!


Work journals, chain of custody forms, imaging forms, physical evidence (check-in, check-out), forensic reports

  • Device make, model and serial numbers; the same for each disk removed or imaged
  • Times of every action, noting which clock (your watch, the device, a server) they were taken from
  • Hashes of every image, recorded at acquisition and again on every later verification
  • Physical inspection: condition, damage, seals, labels, anything attached
  • Sign-off by the person performing each step
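The documentation and chain-of-custody points above, as an added worked example (this is not code from the original notes or from any forensic tool): an intake record that captures device identifiers, UTC-stamped custody entries with sign-off, and the image hashes taken at acquisition, plus a check that recomputes those hashes later. The device names, people, tool name and the in-memory sample "image" are all constructed placeholders; in practice you would hash the acquired image file with the streaming helper.

```python
"""Evidence intake record with image hashing and a chain-of-custody log.

Added example, not from the original notes. Names, serials and the sample
image bytes are constructed placeholders so the script runs offline.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for the bytes of an acquired disk image.
SAMPLE_IMAGE = b"\x00" * 512 + b"FORENSIC-SAMPLE-IMAGE" + b"\xff" * 512


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}. Two algorithms are recorded so a
    collision in one cannot silently pass verification."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Same digests as hash_bytes, streamed so a multi-GB image never has
    to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def utc_now():
    """Timestamps carry the UTC zone so entries taken from different
    clocks can be ordered without ambiguity."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def new_evidence_record(item_id, description, make, model, serial,
                        seized_by, location, now=None):
    """Intake record: what the item is, its physical identifiers, and the
    first chain-of-custody entry (the seizure itself)."""
    return {
        "item_id": item_id,
        "description": description,
        "device": {"make": make, "model": model, "serial": serial},
        "physical_inspection": [],   # free-text notes: damage, seals, labels
        "hashes": {},                # filled in once an image exists
        "custody": [{
            "time": now or utc_now(), "action": "seized",
            "by": seized_by, "location": location, "signoff": seized_by,
        }],
    }


def record_acquisition(rec, image_bytes, examiner, tool, now=None):
    """Hash the acquired image and log the imaging step. The digests taken
    here are the reference every later verification is compared against."""
    rec["hashes"] = hash_bytes(image_bytes)
    rec["custody"].append({
        "time": now or utc_now(), "action": "imaged",
        "by": examiner, "tool": tool, "signoff": examiner,
    })
    return rec


def transfer_custody(rec, from_person, to_person, location, now=None):
    """Check-out/check-in: both parties sign, so the log always shows who
    held the item, where, and from when."""
    rec["custody"].append({
        "time": now or utc_now(), "action": "transferred",
        "from": from_person, "to": to_person, "location": location,
        "signoff": f"{from_person};{to_person}",
    })
    return rec


def verify_integrity(rec, image_bytes):
    """Recompute every recorded digest; any mismatch (or no recorded
    hashes at all) means the image cannot be shown to be the one acquired."""
    if not rec["hashes"]:
        return False
    return hash_bytes(image_bytes, tuple(rec["hashes"])) == rec["hashes"]


def custody_log(rec):
    """Render the chain of custody as one line per entry, for the report."""
    lines = []
    for e in rec["custody"]:
        who = e.get("by") or f'{e["from"]} -> {e["to"]}'
        lines.append(f'{e["time"]} {e["action"]:<12} {who} (signed: {e["signoff"]})')
    return lines


if __name__ == "__main__":
    rec = new_evidence_record("ITEM-001", "Laptop internal SSD", "ExampleCo",
                              "Model-X", "SN-EXAMPLE-123", "A. Examiner", "Site office")
    record_acquisition(rec, SAMPLE_IMAGE, "A. Examiner", "example-imager 1.0")
    transfer_custody(rec, "A. Examiner", "B. Analyst", "Lab evidence locker")
    print(json.dumps(rec, indent=2))
    print("\n".join(custody_log(rec)))
    print("image unchanged:", verify_integrity(rec, SAMPLE_IMAGE))
```

The record is deliberately a plain dictionary that serialises to JSON, so it can be printed onto the imaging form and re-verified from the report without the tool that produced it; `verify_integrity` refuses to vouch for an image that was never hashed, rather than treating "nothing recorded" as a pass.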

Chain of Custody

Overt vs covert? Decide before arriving whether the subject will know the seizure is taking place; it changes how the scene is approached and how much can be documented on site.

First Steps

  1. Secure the scene (don't let someone steal your evidence)
  2. Document the scene
  3. Check whether the computer system is running (powered on, and if so whether it is locked or unlocked)

Pull The Plug?

Pulling the plug freezes the disk but discards everything volatile: RAM contents, running processes, open network connections and the keys of any encrypted volume that is currently mounted. Decide before touching the machine whether that live state must be captured first.

Other Considerations

  • If you insert a USB device, the operating system writes data to record the event (device records, system logs), so even "just plugging in" alters the system you are trying to preserve; note the time and the device used if you must do it

Acquisition