Tips and Advice for Computer Forensic Beginners

Computer forensics is a hardware-intensive job, so an investigator needs a solid foundation in computer hardware, architecture and storage media. A computer forensic investigator grows in confidence and skill with the amount of experience gained. As far as beginners are concerned, there are a few things you might want to keep a check on, in order to ensure that you do not falter at a later stage in the mission.

As a first step, ensure that you have defined the scope of the case correctly. You should figure out and anticipate the kind of equipment (i.e. networks, computers, laptops, servers, servlets, storage devices etc.) that you might encounter in the case. This is important because you might want to carry some tools and software with you to the crime scene in order to start working on the case immediately. If you do not wish to lose time, it is always better to carry all the equipment that you might need to start on the case right away.

Check all possible sources of evidence that are important. This might sound like an obvious exercise, but it is easier said than done, especially when you are dealing with state-of-the-art technological equipment. Ultra-small storage devices, slim disks and a frighteningly large amount of equipment make searching for evidence an even more daunting task.

The task of looking for evidence in all possible places becomes even more cumbersome when an intrusion or crime has been committed over the network. All the peripherals and even the affected end systems should be checked. Checking media and peripherals in and around the main system is also important. Keep a constant lookout for undeleted files that might be hidden or put on external storage devices.

It is a good idea to hash devices and other data if the originals need to be handed over to someone else for evidential purposes. This becomes all the more important in sensitive cases, and it is a good idea to keep a copy of the originals with you or saved on a central server.
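The hash-then-hand-over step above can be scripted. The following is an added example, not part of the original article: it hashes an original, makes the copy you keep, confirms the copy matches, logs the hash, and later detects a change to the copy. SHA-256, the manifest format, the file names and the examiner ID are assumptions chosen for illustration.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit fully in memory

def hash_evidence(path):
    """Return the SHA-256 hex digest of a file or disk image."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def acquire_copy(original, copy_path, manifest_path, examiner):
    """Hash the original, copy it, confirm the copy matches, then log the hash."""
    original_hash = hash_evidence(original)
    shutil.copyfile(original, copy_path)
    if hash_evidence(copy_path) != original_hash:
        raise RuntimeError("copy differs from original; do not hand the original over yet")
    entry = {"item": os.path.basename(original), "sha256": original_hash,
             "examiner": examiner,
             "hashed_at_utc": datetime.now(timezone.utc).isoformat()}
    with open(manifest_path, "a") as fh:  # one JSON record per line, appended
        fh.write(json.dumps(entry) + "\n")
    return entry

def verify(path, manifest_path, item):
    """True if the file's current hash equals the hash logged for `item`."""
    current = hash_evidence(path)
    with open(manifest_path) as fh:
        records = [json.loads(line) for line in fh if line.strip()]
    return any(r["item"] == item and r["sha256"] == current for r in records)

def demo():
    """Constructed sample: hash a stand-in image, copy it, then alter the copy."""
    work = tempfile.mkdtemp()
    original, copy, manifest = (os.path.join(work, n) for n in
                                ("usb_stick.img", "working_copy.img", "manifest.jsonl"))
    with open(original, "wb") as fh:
        fh.write(b"constructed sample evidence\n" * 1000)
    entry = acquire_copy(original, copy, manifest, examiner="examiner-01")
    intact = verify(copy, manifest, entry["item"])
    with open(copy, "r+b") as fh:  # simulate one changed byte in the kept copy
        fh.write(b"X")
    return intact, verify(copy, manifest, entry["item"])

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere separate from the copies it describes, so that a change to a copy cannot be hidden by editing the recorded hash alongside it.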
