Beginning with your records management policy, you should have some record or log that illustrates your or your organization's compliance. It should document how you follow the correct records management procedures, where and how the data are preserved, and your process for archiving or destroying the data according to your documented and audited schedules.
Next, you need to carefully log any and all activities undertaken to locate, acquire, and secure any relevant electronic evidence. Using the samples we give you in Appendix B, or something similar that is appropriate for your organization, you should carefully document all of the following:
• The owner(s) and custodian(s) of the data in question
• The physical and logical locations of the data
• The tools and methods used to acquire the data, including names and versions of acquisition applications and types of hashes or other integrity assurance tools used
• The time and date of acquisition
• The movement of data to or from any type of storage (chain of custody), including who moved it and why
• The security procedures, both physical and logical, used to ensure the data could not have been compromised or accessed by anyone without the correct authority
• The physical and logical medium on which the data is stored or transferred to or from, including the name or type of media and a unique identifier such as a serial number, model number, or label
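The items in the list above can be captured as structured log entries. The following Python sketch is an added example, not taken from the book or its Appendix B; the field names, the JSON-lines log format, and the choice of SHA-256 as the integrity hash are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a large evidence image does not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def _now():
    return datetime.now(timezone.utc).isoformat()

def acquisition_entry(path, owner, custodian, location, tool, tool_version,
                      media_id, security):
    """Record who, where, how and when for one acquired item."""
    return {
        "event": "acquisition", "utc_time": _now(),
        "owner": owner, "custodian": custodian,
        "location": location,            # physical and logical
        "tool": tool, "tool_version": tool_version,
        "hash_type": "sha256", "hash": sha256_file(path),
        "media_id": media_id,            # serial number, model number or label
        "security": security,            # physical and logical safeguards
    }

def transfer_entry(path, acquired, moved_by, reason, dest_media_id):
    """Chain-of-custody record: re-hash after the move and compare."""
    current = sha256_file(path)
    return {
        "event": "transfer", "utc_time": _now(),
        "moved_by": moved_by, "reason": reason,
        "dest_media_id": dest_media_id,
        "hash_type": "sha256", "hash": current,
        "integrity_ok": current == acquired["hash"],
    }

def append_log(log_path, entry):
    """Append one JSON line; earlier entries are never rewritten."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
```

A transfer entry whose `integrity_ok` is false shows that the data changed between acquisition and the move, which is the condition the chain-of-custody record exists to expose.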
If you are investigating or analyzing electronic devices or systems to find relevant evidence, you should also log every step of your investigative process. You should include the time and date of each part of the investigation as well as the tools you used and the results of your analysis.
There is an easy way to do this if you are using the Windows operating system. Every Windows OS included a simple text application called “notepad.” Start up notepad and create a