Designation: E2763-10

Standard Practice for Computer Forensics¹

This standard is issued under the fixed designation E2763; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.

1. Scope

1.1 This practice describes techniques and procedures for computer forensics within the context of a criminal investigation.

1.1.1 This practice can be applicable to civil litigation.

1.2 This practice describes seizing possible evidence, proper evidence handling, digital imaging, forensic analysis/examination, evidence-handling documentation, and reporting.

1.3 This practice is not all inclusive and does not contain information relative to specific operating systems or forensic tools.

1.4 The values stated in SI units are to be regarded as standard. No other units of measurement are included in this standard.

1.5 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety and health practices and determine the applicability of regulatory limitations prior to use.

2. Referenced Documents

2.1 ASTM Standards:²
E2678 Guide for Education and Training in Computer Forensics

2.2 SWGDE Standards:³
Recommended Guidelines for Validation Testing

3. Significance and Use

3.1 The purpose of this practice is to describe techniques and procedures for computer forensics in regard to evidence handling, computers, digital imaging, and forensic analysis and examination.

3.2 The examiner should be trained in accordance with Guide E2678.

3.3 Individuals not trained in proper digital evidence procedures should consult with an appropriate specialist before proceeding.

3.4 When dealing with technology outside your area of expertise, consult with an appropriate specialist before proceeding.

4. Seizing Evidence

4.1 General guidelines concerning the seizing of evidence are:

4.1.1 Consult with the investigator or responsible party to determine the necessary equipment to take to the scene.

4.1.2 Review the legal authority to seize the evidence, ensuring any restrictions are noted. If necessary during the execution of the seizure, obtain additional authority for evidence outside the scope of the search.

4.1.3 When it is impractical to remove the evidence from the scene, the evidence items shall be copied or imaged according to organizational policy.

4.1.4 All suspects, witnesses, and bystanders shall be removed from the proximity of digital evidence to ensure the integrity of potential evidence.

4.1.5 Solicit information from potential suspects, witnesses, system administrators, and so forth, to ascertain knowledge of the systems to be seized (for example, password(s), operating system(s), screen names, remote access users, and E-mail addresses).

4.1.6 The scene shall be searched systematically and thoroughly for evidence. Searchers shall be trained to recognize the different types of evidence. Check for additional media that may be attached to the computer system.

5. Evidence Handling

5.1 Document the scene, which can include: taking clear, detailed photographs (of the computer screen, of the front and back of the computer, and of the area around the computer to be seized) and making a sketch/notation of the computer connections and surrounding area, or both.

5.2 If the computer is turned off, DO NOT turn on the computer.

5.2.1 Before powering down a computer, consider the potential of encryption software being installed on the computer or as part of the operating system. If present, appropriate forensic methods should be used to capture the unencrypted data and any volatile data that would be lost if the computer is powered down.

5.2.2 Be aware that storage devices may not be physically connected and a proper search for wireless devices must be conducted.

5.2.3 Assess the power needs for devices with volatile memory and follow organizational policy for the handling of those devices.

5.2.4 Document the condition of the evidence, including any preexisting damage.

5.2.5 Appropriately document the connection of the external components.

5.3 Stand-Alone Computer (Non-Networked):

5.3.1 Disconnect all power sources by unplugging

¹ This practice is under the jurisdiction of ASTM Committee E30 on Forensic Sciences and is the direct responsibility of Subcommittee E30.12 on Digital and Multimedia Evidence. Current edition approved Aug. 15, 2010. Published September 2010. DOI: 10.1520/E2763-10.

² For referenced ASTM standards, visit the ASTM website, www.astm.org, or contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards volume information, refer to the standard's Document Summary page on the ASTM website.

³ Available from Scientific Working Group on Digital Evidence (SWGDE), http://www.swgde.org/documents.

Copyright ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States
