Scientific Working Group on Digital Evidence




Disclaimer:

As a condition to the use of this document and the information contained therein, the SWGDE requests notification by e-mail before or contemporaneous to the introduction of this document, or any portion thereof, as a marked exhibit offered for or moved into evidence in any judicial, administrative, legislative or adjudicatory hearing or other proceeding (including discovery proceedings) in the United States or any Foreign country. Such notification shall include:

1) The formal name of the proceeding, including docket number or similar identifier;
2) the name and location of the body conducting the hearing or proceeding;
3) subsequent to the use of this document in a formal proceeding please notify SWGDE as to its use and outcome;
4) the name, mailing address (if available) and contact information of the party offering or moving the document into evidence.

Notifications should be sent to secretary@swgde.org.

It is the reader's responsibility to ensure they have the most current version of this document. It is recommended that previous versions be archived.

Redistribution Policy:

SWGDE grants permission for redistribution and use of all publicly posted documents created by SWGDE, provided that the following conditions are met:

1. Redistribution of documents or parts of documents must retain the SWGDE cover page containing the disclaimer.
2. Neither the name of SWGDE nor the names of contributors may be used to endorse or promote products derived from its documents.
3. Any reference or quote from a SWGDE document must include the version number (or create date) of the document and mention if the document is in a draft status.

Requests for Modification:

SWGDE encourages stakeholder participation in the preparation of documents. Suggestions for modifications are welcome and must be forwarded to the Secretary in writing at secretary@swgde.org. The following information is required as a part of the response:

a) Submitter's name
b) Affiliation (agency/organization)
c) Address
d) Telephone number and email address
e) Document title and version number
f) Change from (note document section number)
g) Change to (provide suggested text where appropriate; comments not including suggested text will not be considered)
h) Basis for change

Intellectual Property:

Unauthorized use of the SWGDE logo or documents without written permission from SWGDE is a violation of our intellectual property rights.

Individuals may not misstate and/or over represent duties and responsibilities of SWGDE work. This includes claiming oneself as a contributing member without actively participating in SWGDE meetings; claiming oneself as an officer of SWGDE without serving as such; claiming sole authorship of a document; use the SWGDE logo on any material and/or curriculum vitae.

Any mention of specific products within SWGDE documents is for informational purposes only; it does not imply a recommendation or endorsement by SWGDE.

Table of Contents

1. Purpose
2. Scope
3. Limitations
4. Evidence Collection of Known Damaged Magnetic Media
   4.1 Water Damage
   4.2 Dropped
   4.3 Fire Damage
   4.4 Unknown Drive Failure
   4.5 Broken Pieces
5. Qualifications for a Technician Performing for Media Recovery
6. Evidence Packaging /Transport
7. Additional Guidance
8. References

1. Purpose

The purpose of this document is to describe the best practices for handling magnetic media hard drives when the data cannot be accessed via the guidelines provided in the SWGDE Best Practices for Computer Forensics.

2. Scope

This document provides basic information on the handling of damaged magnetic media and the expectations of the technician responsible for media recovery. The intended audience is examiners in a cleanroom lab setting and personnel who collect digital evidence in the field. This document is not intended to be used as a step-by-step guide for conducting data recovery on magnetic media nor should it be construed as legal advice.

3. Limitations

This document does not cover all digital devices that may contain electronically stored information (e.g., solid-state drives, flash media, and optical media). This document only discusses those devices currently available at the time of writing. Emerging technologies will be addressed in future revisions.

Hard drive data recovery techniques should only be conducted by properly trained personnel. Performing traditional computer forensic imaging techniques on a failed or failing hard drive may cause evidentiary data to be destroyed. Traditional computer forensic examiners should never open the drive chassis cover or attempt to disassemble the original evidence.

4. Evidence Collection of Known Damaged Magnetic Media

General guidelines concerning the collection and handling of known damaged magnetic media are provided below. For all damaged media consider the following:

- The technician responsible for media recovery should consult with the investigator to determine the details of the case and potential scenarios where recovery services are required.
- With any evidence being submitted for recovery service, include a cover sheet indicating the type of damage (if known). This is imperative so once the recovery examiner accepts the exhibit, immediate actions are taken to mitigate possible continuing damage.
- Occasionally, there may be a need to conduct traditional forensic processes on media, e.g. DNA, latent prints, etc. The processes are case dependent and should be discussed with the investigator to determine the need for such processing as well as the order in which the processes should be performed.

4.1 Water Damage

If a hard drive was recovered from water or other liquids, DO NOT attempt to power it on.

Shipping of water damaged media:

- If the drive is known to have been submerged for 24 hours or less at a depth of 2 feet or less, DO NOT package it in the original liquid. Package the drive in an anti-static bag with desiccant gel packs and ensure the drive is protected on all sides by at least 3 inches of padding.
- If the drive has been submerged for more than 24 hours and/or at a depth of greater than 2 feet, DO package the drive in the same liquid in which it was found (unless it was a biohazard or dangerous substance).
- Water damaged items need to be shipped to the recovery service immediately. Additionally, a notification should be made to the technician responsible for media recovery.
- If restrictions and/or regulations prevent shipping in the manner described above, contact the recovery examiner for other options.

4.2 Dropped

If a hard drive was dropped or known to have fallen, DO NOT power-on the drive.

With any dropped evidence being submitted for recovery service, include a cover sheet indicating that the drive has been dropped and whether or not the drive was known to have been powered on at the time of the drop.

4.3 Fire Damage

If a hard drive was in a fire that was extinguished with water, package the drive in an anti-static bag with silica gel packs and ensure the drive is protected on all sides by at least 3 inches of padding. Once the exhibit is packaged, ship as soon as possible and notify the technician responsible for media recovery.

If a hard drive was in a fire that was extinguished on its own and/or reached a temperature of 150° Fahrenheit or more, then DO NOT power-on the drive.

4.4 Unknown Drive Failure

Certain circumstances may arise when a drive is collected into evidence and shows no physical signs of damage. However, once powered on, the drive starts clicking or makes a musical type tone. These are indications of drive failure and the drive should be immediately powered-off and sent to the technician responsible for media recovery.

If the drive fails to power-on, or there are burn marks on the PCB, then the drive should be sent to the technician responsible for media recovery.

4.5 Broken Pieces

If the hard drive has any pieces broken, attempt to recover as many pieces as possible and send all recovered pieces with the drive to the technician responsible for media recovery.

- It is especially important to recover any electronic components that belong to the PCB.
- Attempt to recover and keep intact any labels or other components with identification markings.

5. Qualifications for a Technician Performing for Media Recovery

The following are basic qualifications for a technician performing media recovery:

- Meets SWGDE/SWGIT Guidelines & Recommendations for Training in Digital & Multimedia Evidence.
- A technician performing media recovery should have experience and/or training that culminate in a competency in all of the following areas:
  o Advanced imaging techniques applicable to the recovery of data hard drives with problematic sectors.
  o Advanced soldering techniques applicable to hard drive circuitry, e.g. Surface Mount Technology (SMT).
  o Cleaning, repairing, and replacing of hard drive internals to include the head stack assembly (HSA), the spindle motor, and the transplanting of platters.
  o Accessing, manipulating, and correcting hard drive firmware.
  o Disk imaging on failed or failing media and data reconstruction in accordance with the SWGDE Best Practices for Computer Forensics.

6. Evidence Packaging /Transport

Magnetic media damaged from water, fire, and/or blunt force impact should be packaged in accordance with the recommendations outlined in Section 5 of this document.

Refer to SWGDE Best Practices for Computer Forensics. External drives should be packaged with all components (power supply, PCB boards, special connectors, etc.).

7. Additional Guidance

Refer to SWGDE Best Practices for Computer Forensics for guidance on equipment preparation, acquisition, analysis, documentation, and reporting.

8. References

The following SWGDE documents are referenced in this document:

- SWGDE Data Integrity within Computer Forensics
- SWGDE/SWGIT Guidelines & Recommendations for Training in Digital & Multimedia Evidence

Access the most current version of these documents at www.swgde.org.

History

| Revision | Issue Date | Section | History |
|----------|------------|---------|---------|
| 1.0 | 01/16/2014 | All | Original working draft created |
| 1.0 | 02/06/2014 | All | Formatting and technical edit. |
| 1.0 | 06/06/2014 | All | Voted for release as a Draft for Public Comment. |
| 1.0 | 06/11/2014 | All | Formatting and technical edit completed for release as a Draft for Public Comment. |
| 1.0 | 08/28/2014 | None | No changes made; voted to publish as an Approved document. |
| 1.0 | 09/05/2014 | All | Section 3 (Definitions) removed from document and added to Glossary. Formatting and technical edit performed for release as an Approved document. |
| N/A | N/A | All | Replaced the term, Data Recovery Examiner, with the description, technician responsible for/performing media recovery, throughout the document. No content changes. (01/15/2015) |