2 On-Scene Digital Forensics Tips to Follow to Secure Computers for Forensic Analysis

Any decision you make when it comes to securing digital evidence on scene has the power of making or breaking your department’s ability to recover evidence and build a case. This article suggested by a Elijaht digital forensics investigator focuses on practices used for securing a computer, particularly the ones that are powered ON and probably encrypted.

  1. The computer is ON and accessible

The conventional way to secure the evidence is to unplug the device from the power source. This is done in order to avoid any unanticipated changes to data that may take place during a normal shutdown. But, the rise in the use of data encryption enforces to change the protocol by a tad bit amount. If the system is ON and accessible, then a few cursory checks need to be performed before encryption before you do anything else. If the hard drive is encrypted, then the data present on the drive is inaccessible to a forensic examiner with no proper password. So, if the system is ON, accessible and encrypted, you have the chance to access the data on the drive that can be lost if you simply unplug the device. If you find the device encrypted, then consult a professional forensic examiner who can conduct a field analysis of the device.

  1. Finding if the data is encrypted

To detect full disk encryption on a system that is ON is easy as determining the OS and versions of those OS that can fully support the full disk or full volume encryption schemes such as Windows BitLocker full volume encryption. This very feature can be found on most modern version of Windows and can be easily enabled by default on specific clean installs of Windows 8.1 Pro and higher. In order to check Windows BitLocker, you need to view the list of computer’s hard drives. Go to Start > Computer or File Explorer. Then, check the list of storage media connected to the computer. The BitLocked drive bears a closed LOCK through the icon.

Pay close attention to the volume names. The presence of volume names like CRYPT, VAULT, LOCKED act as a clue that volume level encryption exists. If BitLocker is ruled out, then seek for other encryption tools.

  1. Check your Desktop, closely inspect all desktop icons. Look out for programs named VeraCrypt, PGP, BestCrypt, TrueCrypt or FreeOTFE.
  2. Inspect your System Trap for seeking icons related to FreeOTFE.
  3. Inspect the Program List for apps which are capable of providing encryption. Begin from Start > Programs or Program Files folder in File Explorer. Seek names like VeraCrypt, PGP, Jettico, BestCrypt, Protector, Kremlin, Shredder, and anything that says Encrypt or Crypt. These programs signify having encrypted drive or volume.

Leave a Reply

Your email address will not be published. Required fields are marked *