Forensically sterile conditions are established. All media used during the examination is freshly prepared, completely wiped of non-essential data, scanned for viruses and verified before use.
All forensic software utilized is licensed to, or authorized for use by, the examiner and/or agency/company.
The original computer is physically examined. A specific description of the hardware is made and noted. Comments are made indicating anything unusual found during the physical examination of the computer.
Hardware (a write blocker), software or other precautions are taken during any copying of or access to the original media to prevent the transfer of viruses or destructive programs and any inadvertent writes to or from the original media. We recognize that because of hardware and operating system limitations and other circumstances, this may not always be possible.
The contents of the CMOS and the internal clock are checked, and the correctness of the date and time (and any offset from a reference time) is noted. The internal clock's date and time are frequently very important in establishing file creation or modification dates and times.
The original media is not normally used for the examination. A bitstream copy or other image of the original media is made and verified against the original (for example by comparing hashes), and that copy or image is used for the actual examination. A detailed description of the bitstream copy or imaging process, and identification of the hardware, software and media used, is noted.
The copy or image of the original HDD is logically examined and a description of what was found is noted.
The boot record data and the user-defined system configuration and operation command files, such as the CONFIG.SYS and AUTOEXEC.BAT files, are examined and the findings are noted.
All recoverable deleted files are restored. When practical or possible, the first character of each restored file name is changed from hex E5 (the marker the file system writes over the first byte of a deleted directory entry) to "-", or another unique character, for identification purposes.
A listing of all the files contained on the examined media, whether or not they contain potential evidence, is normally made.
If appropriate, the unallocated space is examined for lost or hidden data.
If appropriate, the “slack” area of each file is examined for lost or hidden data.
The contents of each user data file in the root directory and each sub-directory (if present) are examined.
Password-protected files are unlocked, where possible, and examined.
A printout or copy is made of all apparent evidentiary data. The file or location where any apparent evidentiary data was obtained is noted on each printout. All exhibits are marked, sequentially numbered and properly secured and transmitted.
Executable programs of specific interest are examined. User data files that could not be accessed by other means are examined at this time, on the examination copy, using the native application.
All comments and findings are properly documented.
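Steps 6 and 8 through 12 above (verified bitstream copy, boot-record parse, deleted-entry marking, file listing, unallocated space and slack) can be walked through end to end on a FAT volume. The script below is an added example, not code from the original post or from any forensic tool: it builds a constructed 8-sector FAT12 image in memory (the geometry, file names NOTES.TXT and SECRET.DOC, and their contents are all made up here), makes a hash-verified bitstream copy, and then examines only the verified copy.

```python
"""Added example (not part of the original post): FAT12 examination walk-through.
Everything below (geometry, file names, contents) is constructed for illustration."""
import hashlib
import io
import struct

BPS, SPC = 512, 1  # bytes per sector, sectors per cluster of the sample volume

def fat12_set(fat: bytearray, n: int, v: int) -> None:
    off = n * 3 // 2
    if n % 2 == 0:
        fat[off], fat[off + 1] = v & 0xFF, (fat[off + 1] & 0xF0) | (v >> 8 & 0x0F)
    else:
        fat[off], fat[off + 1] = (fat[off] & 0x0F) | (v << 4 & 0xF0), v >> 4 & 0xFF

def fat12_get(fat: bytes, n: int) -> int:
    off = n * 3 // 2
    val = fat[off] | fat[off + 1] << 8
    return val & 0xFFF if n % 2 == 0 else val >> 4

def dir_entry(name11: bytes, first_cluster: int, size: int) -> bytes:
    e = bytearray(32)
    e[0:11], e[11] = name11, 0x20                     # 8.3 name, archive attribute
    struct.pack_into("<HI", e, 26, first_cluster, size)
    return bytes(e)

def build_sample_image() -> bytes:
    """Constructed volume: boot | FAT | root dir (16 entries) | clusters 2..6."""
    boot = bytearray(BPS)
    boot[0:3], boot[3:11] = b"\xEB\x3C\x90", b"EXAMPLE "
    # BPB: bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors, media, sectors/FAT
    struct.pack_into("<HBHBHHBH", boot, 11, BPS, SPC, 1, 1, 16, 8, 0xF8, 1)
    boot[54:62], boot[510:512] = b"FAT12   ", b"\x55\xAA"
    fat = bytearray(BPS)
    for n, v in ((0, 0xFF8), (1, 0xFFF), (2, 3), (3, 0xFFF)):  # chain 2 -> 3 -> EOC
        fat12_set(fat, n, v)                                   # clusters 4..6 left free
    root = bytearray(BPS)
    root[0:32] = dir_entry(b"NOTES   TXT", 2, 600)       # live file spanning clusters 2-3
    root[32:64] = dir_entry(b"\xE5ECRET  DOC", 4, 100)   # deleted SECRET.DOC, FAT zeroed
    data = bytearray(BPS * 5)
    data[0:600] = b"N" * 600                   # NOTES.TXT content
    data[600:608] = b"LEFTOVER"                # residue sitting in NOTES.TXT's slack
    data[BPS * 2:BPS * 2 + 100] = b"S" * 100   # SECRET.DOC body still present in cluster 4
    data[BPS * 3:BPS * 3 + 6] = b"hidden"      # stray data in free cluster 5
    return bytes(boot + fat + root + data)

def bitstream_copy(src, dst, chunk: int = 1 << 20) -> str:
    """Step 6: byte-for-byte copy hashed during acquisition; the written image is
    then re-read independently and must produce the same SHA-256."""
    h_src = hashlib.sha256()
    for block in iter(lambda: src.read(chunk), b""):
        h_src.update(block)
        dst.write(block)
    dst.flush()
    dst.seek(0)
    h_dst = hashlib.sha256()
    for block in iter(lambda: dst.read(chunk), b""):
        h_dst.update(block)
    if h_src.digest() != h_dst.digest():
        raise RuntimeError("image does not verify against source; do not examine it")
    return h_src.hexdigest()

def parse_boot(img: bytes) -> dict:
    """Step 8: read the BPB and derive FAT, root-directory and data-area offsets."""
    if img[510:512] != b"\x55\xAA":
        raise ValueError("boot sector signature missing")
    bps, spc, res, nfats, nroot, total, _, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    fat_off = res * bps
    root_off = fat_off + nfats * spf * bps
    data_off = root_off + nroot * 32
    return dict(bps=bps, spc=spc, fat=bytes(img[fat_off:fat_off + spf * bps]), root_off=root_off,
                nroot=nroot, data_off=data_off, nclusters=(total * bps - data_off) // (bps * spc))

def cluster_off(geo: dict, c: int) -> int:
    return geo["data_off"] + (c - 2) * geo["bps"] * geo["spc"]

def chain(geo: dict, first: int) -> list:
    """Follow the FAT; a deleted file's chain ends after one cluster (entries zeroed)."""
    out, c = [], first
    while 2 <= c < geo["nclusters"] + 2 and c not in out:
        out.append(c)
        c = fat12_get(geo["fat"], c)
    return out

def list_root(img: bytes, geo: dict) -> list:
    """Steps 9-10: list every root entry; a deleted entry's 0xE5 byte is shown as '-'."""
    entries = []
    for i in range(geo["nroot"]):
        e = img[geo["root_off"] + 32 * i:geo["root_off"] + 32 * (i + 1)]
        if e[0] == 0x00:                                  # no entries beyond this point
            break
        deleted = e[0] == 0xE5
        stem = (b"-" if deleted else e[:1]) + e[1:8]
        name = stem.decode("latin-1").rstrip() + "." + e[8:11].decode("latin-1").rstrip()
        first, size = struct.unpack_from("<HI", e, 26)
        entries.append(dict(name=name, deleted=deleted, first_cluster=first, size=size))
    return entries

def file_slack(img: bytes, geo: dict, entry: dict) -> bytes:
    """Step 12: bytes from logical end of file to the end of its last allocated cluster."""
    clusters = chain(geo, entry["first_cluster"])
    if not clusters:
        return b""
    csize = geo["bps"] * geo["spc"]
    used = min(csize, max(0, entry["size"] - csize * (len(clusters) - 1)))
    last = cluster_off(geo, clusters[-1])
    return img[last + used:last + csize]

def unallocated_clusters(img: bytes, geo: dict) -> list:
    """Step 11: FAT-free clusters, flagged True when they still hold non-zero data."""
    csize = geo["bps"] * geo["spc"]
    return [(c, any(img[cluster_off(geo, c):cluster_off(geo, c) + csize]))
            for c in range(2, geo["nclusters"] + 2) if fat12_get(geo["fat"], c) == 0]

def run_example() -> dict:
    """Acquire the sample, verify the copy, and examine only the verified copy."""
    src, dst = io.BytesIO(build_sample_image()), io.BytesIO()
    digest = bitstream_copy(src, dst)
    img, geo = dst.getvalue(), parse_boot(dst.getvalue())
    entries = list_root(img, geo)
    return dict(sha256=digest, entries=entries, unallocated=unallocated_clusters(img, geo),
                slack={e["name"]: file_slack(img, geo, e) for e in entries})

if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Two things the run makes visible that the checklist only states: the deleted entry -ECRET.DOC still carries its first cluster and size even though the FAT marks cluster 4 free, so its body is recoverable from unallocated space, and the live file NOTES.TXT has 424 bytes of slack in cluster 3 holding residue ("LEFTOVER") that no file listing would ever show. On real media, replace the two BytesIO objects with the write-blocked device opened read-only and the image file opened for writing.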
If anybody has any other good link to learn about forensics, please post.