Forensic data capture principles and steps

When you work as a professional computer forensic data recovery specialist, you will usually follow some basic principles in your forensic data capture cases. The following are general principles and steps you can use to uncover potential evidence.

Forensic data capture principles
Potential evidence is best uncovered by a knowledgeable computer forensic data capture expert, who can identify more of the possibilities that may be requested as relevant evidence. The first and most important principle for a computer forensic expert is to protect the potential evidence. The subject computer system must be handled carefully to ensure that:
* No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate the computer;
* No possible computer virus is introduced to a subject computer during the analysis process;
* Extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage;
* A continuing chain of custody is established and maintained;
* Business operations are affected for a limited amount of time, if at all;
* Any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged.

Forensic data capture steps

1. Protect the subject computer system during the forensic data capture examination from any possible alteration, damage, data corruption, or virus introduction.

2. Discover all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.

3. Recover all (or as many as possible) of the discovered deleted files.

4. Reveal (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.

5. Access (if possible and if legally appropriate) the contents of protected or encrypted files.

6. Analyze all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes but is not limited to what is called 'unallocated' space on a disk (currently unused, but possibly the repository of previous data that is relevant evidence), as well as 'slack' space in a file (the remnant area at the end of a file, in the last assigned disk cluster, that is unused by current file data, but once again may be a possible site for previously created and relevant evidence).

7. Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data. Further, provide an opinion of the system layout, the file structures discovered, any discovered data and authorship information, any attempts to hide, delete, protect, or encrypt information, and anything else that has been discovered and appears to be relevant to the overall computer system examination.

8. Provide expert consultation and/or testimony, as required.
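
Step 6 in code, as an added example that is not part of the original page: it pulls readable remnants out of file slack and unallocated clusters of a small constructed image. The 512-byte cluster size, cluster numbering from offset 0, and all function names and sample contents are assumptions made for illustration.

```python
import re

CLUSTER_SIZE = 512  # assumed cluster size for this constructed image


def build_sample_image() -> bytes:
    """Constructed 4-cluster raw image (sample data, not real evidence)."""
    image = bytearray(CLUSTER_SIZE * 4)
    # An older file once filled cluster 1; its bytes were never zeroed.
    image[512:1024] = (b"old-invoice-7731 " * 31)[:512]
    # The current file is 700 bytes in clusters 0-1, so it overwrites
    # only the first 188 bytes of cluster 1.
    image[0:700] = b"A" * 700
    # Cluster 3 held a deleted file and is no longer allocated.
    image[1536:1558] = b"deleted-note: call Bob"
    return bytes(image)


def file_slack(image, chain, logical_size, cluster_size=CLUSTER_SIZE):
    """Bytes from the file's logical end to the end of its last cluster."""
    full = (len(chain) - 1) * cluster_size
    if not chain or not full < logical_size <= full + cluster_size:
        raise ValueError("logical size does not match the cluster chain")
    start = chain[-1] * cluster_size + (logical_size - full)
    return image[start:(chain[-1] + 1) * cluster_size]


def unallocated_clusters(image, allocated, cluster_size=CLUSTER_SIZE):
    """Map each cluster number not owned by any file to its raw bytes."""
    total = len(image) // cluster_size
    return {n: image[n * cluster_size:(n + 1) * cluster_size]
            for n in range(total) if n not in allocated}


def printable_strings(data, min_len=6):
    """ASCII runs of at least min_len bytes, as a reviewer would list them."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def examine(image, chain, logical_size):
    """Collect readable remnants from file slack and unallocated clusters."""
    findings = {"slack": printable_strings(file_slack(image, chain, logical_size))}
    for n, data in unallocated_clusters(image, set(chain)).items():
        findings[f"unallocated cluster {n}"] = printable_strings(data)
    return findings


if __name__ == "__main__":
    for area, strings in examine(build_sample_image(), [0, 1], 700).items():
        print(area, [s[:40] for s in strings])
```

The image is held as immutable `bytes`, so the analysis cannot alter the working copy it reads from.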

Throughout the evidence-discovery process, SalvationDATA Data Copy King acts as an excellent forensic data capture tool: it is used to detect the data, image the intact data to a good drive, and finally wipe the data on the source drive to protect the data. For lost data, Data Compass plus HD Doctor can be used to retrieve 150% more data than other similar data recovery tools. Together, Data Copy King and Data Compass make a perfect combination for forensic data capture professionals performing computer forensic data recovery.