IACIS

International Association of Computer Investigative Specialists (IACIS)


Gale IT provides IACIS-certified professionals trained in the forensic science of seizing and processing computer systems.  Our IACIS® certified team includes former local, state and federal law enforcement officers and licensed private investigators with unrivaled experience and credibility.

  • Large-scale investigation capabilities
    Comprehensive enterprise wide incident response, information auditing and forensic discovery. EnCase® Enterprise Edition securely enables consultants to identify, preview, acquire and analyze digital media anywhere on a wide-area network. This remote capability greatly reduces investigation time and expenses.

  • Consistent policies and procedures
    Gale IT maintains state-of-the-art evidence handling and lab policies, procedures and methodologies based on court-tested experience and expertise.

  • Court-tested methodologies
    Methodologies are tested daily in court and have withstood Daubert and Frye admissibility analysis. Investigators employ these proven, court-tested techniques to ensure their investigations are of the highest possible quality.

What is IACIS?

IACIS® training incorporates forensic methods for searching seized computers in accordance with the rules of evidence and the laws of search and seizure.

This includes recovering evidence that has been hidden, concealed, encrypted or password-protected, and recognizing software time bombs, Trojan horses, TSRs (terminate-and-stay-resident programs) and other destructive devices that could destroy the evidence, the physical computer, or both.

IACIS® training involves specialized software, evidence-searching tools and programs that are available only to IACIS-trained law enforcement professionals.

IACIS® members demonstrate and maintain the highest standards of ethical conduct.

IACIS® members must always:

  • Maintain the highest level of objectivity in all forensic examinations and accurately present the facts involved.
  • Thoroughly examine and analyze the evidence in a case.
  • Conduct examinations based upon established, validated principles.
  • Render opinions having a basis that is demonstrably reasonable.
  • Not withhold any findings, whether inculpatory or exculpatory, that would cause the facts of a case to be misrepresented or distorted.
  • Never misrepresent credentials, education, training, experience or membership status.
  • Advise and provide assistance to all qualified IACIS® forensic examiners, regardless of agency affiliation.


Forensic Examination Procedures

These procedures are established as the IACIS® Forensic Examination standards to ensure that competent, professional forensic examinations are conducted by IACIS® members. We promote and require that these standards be used by IACIS® members.

It is acknowledged that almost all forensic examinations of computer media are different and that each cannot be conducted in exactly the same manner, for numerous reasons. There are, however, three essential requirements of a competent forensic examination:

  • Forensically sterile examination media must be used.
  • The examination must maintain the integrity of the original media.
  • Printouts, copies of data and exhibits resulting from the examination must be properly marked, controlled and transmitted.


Hard Disk Examination 

The following are the IACIS® recommended procedures for conducting a complete examination of computer Hard Disk Drive (HDD) media:

  • Forensically sterile conditions are established.  All media utilized during the examination process is freshly prepared, completely wiped of non-essential data, scanned for viruses and verified before use.

  • All forensic software utilized is licensed to, or authorized for use by, the examiner and/or agency/company.

  • The original computer is physically examined.  A specific description of the hardware is made and noted.  Comments are made indicating anything unusual found during the physical examination of the computer.

  • Hardware/software or other precautions are taken during any copying or access to the original media to prevent the transference of viruses, destructive programs, or other inadvertent writes to/from the original media.  We recognize that because of hardware and operating system limitations and other circumstances, this may not always be possible.

  • The contents of the CMOS, as well as the internal clock, are checked and the correctness of the date and time is noted (any offset from a trusted reference clock should be recorded).  The time and date of the internal clock are frequently very important in establishing file creation or modification dates and times.

  • The original media is not normally used for the examination.  A bitstream copy or other image of the original media is made.  The bitstream copy or other image is used for the actual examination.  A detailed description of the bitstream copy or image process and identification of the hardware, software and media is noted.

  • The copy or image of the original HDD is logically examined and a description of what was found is noted.

  • The boot record data, and user defined system configuration and operation command files, such as, the CONFIG.SYS file and the AUTOEXEC.BAT file are examined and findings are noted.

  • All recoverable deleted files are restored.  When practical or possible, the first character of each restored file's name, which FAT overwrites with hex E5 when the file is deleted, is changed from E5 to “-” or another unique character so that restored files are identifiable.

  • A listing of all the files contained on the examined media, whether they contain potential evidence or not, is normally made.

  • If appropriate, the unallocated space is examined for lost or hidden data.

  • If appropriate, the “slack” area of each file is examined for lost or hidden data.

  • The contents of each user data file in the root directory and each sub-directory (if present) are examined.

  • Password protected files are unlocked and examined.

  • A printout or copy is made of all apparent evidentiary data.  The file or location where any apparent evidentiary data was obtained is noted on each printout.  All exhibits are marked, sequentially numbered and properly secured and transmitted.

  • Executable programs of specific interest should be examined.  User data files that could not be accessed by other means are examined at this time using the native application.

  • Properly document comments and findings.


Floppy Disk Examination 

The following are the IACIS® recommended procedures for conducting a complete examination of a Floppy Diskette (FD) or similar media:

  • Forensically sterile conditions are established.  All media utilized during the examination process is freshly prepared, completely wiped of non-essential data, scanned for viruses and verified before use.

  • All forensic software utilized is licensed to, or authorized for use by, the examiner and/or agency/company.

  • The media is physically examined.  A specific description of the media is made and noted.  The media is marked for identification.

  • Hardware/software precautions are taken during any copying process or access to the original media and examination to prevent the transference of viruses, destructive programs, or other inadvertent writes to/from the original FD or to/from the examination equipment.

  • The write-protect capability of the floppy disk drive (FDD) on the examining machine is tested.

  • A duplicate image of the original write-protected FD is made to another FD.  The duplicate image is used for the actual examination.  A detailed description of the process is noted.

  • The copy of the examined FD is logically examined and a description of what was found is indicated.  Anything unusual is noted.

  • The boot record data, and user defined system configuration and operation command files (if present) are examined and findings are noted.

  • All recoverable deleted files are restored.  When practical or possible, the first character of each restored file's name, which FAT overwrites with hex E5 when the file is deleted, is changed from E5 to “-” or another unique character so that restored files are identifiable.

  • The unallocated space is examined for lost or hidden data.

  • The “slack” area of each file is examined for lost or hidden data.

  • The contents of each user data file in the root directory and each sub-directory (if present) are examined.

  • Password protected files are unlocked and examined.

  • If the FD holds apparent evidentiary data that is to be utilized, a listing of all the files contained on the FD, whether they contain apparent evidentiary data or not, is made.  The listing will indicate which files were printed, copied or otherwise recovered.

  • A printout or copy is made of all apparent evidentiary data.  The file or location where any apparent evidentiary data was obtained is noted on each printout.  All exhibits are marked, sequentially numbered and properly secured and transmitted.

  • Executable programs of specific interest should be examined.  User data files that could not be accessed by other means are examined at this time using the native applications.

  • Properly document comments and findings.
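The hard disk and floppy procedures above share the same core steps: acquire a verified bit-for-bit copy, work only on the copy, list every directory entry, restore deleted files under a changed first character, look past end-of-file into slack and unallocated space, and prove the original is untouched when finished. The script below is an added illustration of those steps, not code from Gale IT or IACIS. It constructs its own toy media image with FAT-style 32-byte directory entries (a real FAT volume has a boot sector and allocation tables this example omits), assumes every file fits in a single cluster so a deleted file can be recovered from its first-cluster pointer alone, and uses SHA-256 as the "verification" the procedure leaves unspecified. All file names and contents are made up for the example.

```python
"""Added example (not Gale IT or IACIS code): toy walk-through of the examination
steps, on a constructed image. Layout, names and contents are assumptions."""
import hashlib
import struct

# Assumed toy layout: a 4-entry root directory followed by 4 data clusters.
CLUSTER_SIZE = 512
DIR_ENTRIES = 4
DIR_BYTES = DIR_ENTRIES * 32
N_CLUSTERS = 4
DELETED_MARK = 0xE5   # FAT overwrites name[0] with 0xE5 when a file is deleted
RESTORED_MARK = "-"   # unique character written in its place on restored copies


def dir_entry(name, ext, size, cluster, deleted=False):
    """32-byte FAT-style entry: name(8) ext(3) attr(1) reserved/time(14) cluster(2) size(4)."""
    raw = name.upper().ljust(8)[:8].encode("ascii") + ext.upper().ljust(3)[:3].encode("ascii")
    if deleted:
        raw = bytes([DELETED_MARK]) + raw[1:]
    return raw + b"\x20" + b"\x00" * 14 + struct.pack("<HI", cluster, size)


def build_original_image():
    """Constructed sample media: a live file whose cluster still holds older data past
    end-of-file (slack), a deleted file, and an unallocated cluster with residue."""
    clusters = [bytearray(CLUSTER_SIZE) for _ in range(N_CLUSTERS)]
    clusters[0][:] = b"OLD LEDGER: transfer 4,000 to account 7731".ljust(CLUSTER_SIZE, b"\x00")
    live = b"meeting at 9"                      # 12 bytes overwrite only the start of cluster 0
    clusters[0][:len(live)] = live
    gone = b"draft memo: shred the Q3 invoices"
    clusters[1][:len(gone)] = gone              # SECRET.DOC, later deleted
    clusters[2][:9] = b"leftover!"              # never referenced by any entry
    directory = (dir_entry("NOTES", "TXT", len(live), 0)
                 + dir_entry("SECRET", "DOC", len(gone), 1, deleted=True))
    return bytes(directory.ljust(DIR_BYTES, b"\x00") + b"".join(clusters))


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def acquire(original):
    """Bitstream copy plus the hash proving it matches the original. In practice the
    copy comes from a write-blocked drive via dd, FTK Imager or EnCase."""
    image = bytes(original)
    if sha256(image) != sha256(original):
        raise RuntimeError("acquisition verification failed")
    return image, sha256(image)


def parse_directory(image):
    """Every directory entry, live or deleted, so the file listing is complete."""
    entries = []
    for off in range(0, DIR_BYTES, 32):
        raw = image[off:off + 32]
        if raw[0] == 0x00:                       # 0x00 in name[0]: end of directory
            break
        cluster, size = struct.unpack("<HI", raw[26:32])
        name = raw[:8].rstrip().decode("latin-1") + "." + raw[8:11].rstrip().decode("latin-1")
        entries.append({"name": name, "deleted": raw[0] == DELETED_MARK,
                        "cluster": cluster, "size": size})
    return entries


def cluster_bytes(image, n):
    start = DIR_BYTES + n * CLUSTER_SIZE
    return image[start:start + CLUSTER_SIZE]


def restore_deleted(image):
    """Recover deleted files (assumed single-cluster, since the FAT chain is lost on
    deletion) and rename each copy so it is obviously a restored file."""
    return [(RESTORED_MARK + e["name"][1:], cluster_bytes(image, e["cluster"])[:e["size"]])
            for e in parse_directory(image) if e["deleted"]]


def file_slack(image, entry):
    """Bytes between end-of-file and the end of its cluster: earlier data survives here."""
    return cluster_bytes(image, entry["cluster"])[entry["size"]:].rstrip(b"\x00")


def unallocated_clusters(image):
    """Clusters no live entry points to; residue here is 'lost' data."""
    live = {e["cluster"] for e in parse_directory(image) if not e["deleted"]}
    return [n for n in range(N_CLUSTERS) if n not in live]


def examine(original):
    """Run every step against the copy only and report findings plus an integrity check."""
    image, acquired = acquire(original)
    entries = parse_directory(image)
    findings = {
        "acquisition_sha256": acquired,
        "files": [(e["name"], e["deleted"], e["size"]) for e in entries],
        "restored": restore_deleted(image),
        "slack": {e["name"]: file_slack(image, e) for e in entries if not e["deleted"]},
        "unallocated": {n: cluster_bytes(image, n).rstrip(b"\x00")
                        for n in unallocated_clusters(image)},
    }
    # The original's hash must still equal the acquisition hash after the examination.
    findings["original_intact"] = sha256(original) == acquired
    return findings


if __name__ == "__main__":
    for key, value in examine(build_original_image()).items():
        print(f"{key}: {value}")
```

Running it shows the three things the procedure is after: the live file NOTES.TXT carries an older ledger fragment in its slack, the deleted SECRET.DOC comes back as -ECRET.DOC with its content intact, and the unallocated clusters still hold residue; the final `original_intact` flag is the integrity check that the examination touched only the copy.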


Limited Examinations

In many instances a complete examination of all of the data on media may not be authorized, possible, necessary or conducted for various reasons. In these instances, the examiner should document the reason for not conducting a complete examination. Some examples of limited examinations would be:

  • The scope of examination is limited by the search warrant or the courts.
  • The equipment must be examined on premises. (This may require the examination of the original media. Extreme caution must be used during this type of examination.)
  • The media size is so vast that a complete examination is not possible.
  • The weight of the evidence already found is so overwhelming that a further search is not necessary.
  • It is just not possible to conduct a complete examination because of hardware, operating systems or other conditions beyond the examiner’s control.


What can we do for you?

Our IACIS team is comprised of former Federal, State, Local and International Law Enforcement professionals who are experts in dealing with computer evidence in accordance with the laws of search and seizure and the rules of evidence.

Gale Information Technology,  Washington, DC