Do's and Don'ts
Computer based evidence is valuable evidence and it should be treated in the same manner as traditional forensic evidence - with respect and care. If the appropriate computer forensic methods and procedures are not adopted from the outset, the investigation can be compromised before it begins. The following details the do's and don'ts that should be adhered to when an internal incident occurs. These are best practice guidelines and can differ from one case to another.
For example the suspect employee may have access to several machines that may have different operating systems (therefore the process of 'turning off' the machine differs). If the machine is networked then powering down the machine(s) or pulling the plug may lose vital information such as computer network connections that are in place, running processes on the machine, crucial volatile evidence in Random Access Memory (RAM) such as pictures, webpages or the possible retrieval of passwords for an encrypted volume on the hard disk drive. The circumstances in each case will be different and the various approaches from the computer forensic team can change depending on these circumstances.
You can download eMag's do's and don'ts guide by clicking here