Evidence collection

• Q: When evidence is processed in the lab, do we work on the evidence or on a copy of the evidence?
• A: Only on a copy of the evidence.
• Q: Before booting a computer with a diskette, what critical item should be checked?
• A: CMOS settings to ensure the diskette boots first. If you boot from the hard drive, you will corrupt or lose evidence. And yes, some areas of the world are still using diskettes so I’m keeping such items in this newer version of the book.
• Q: Who should be the first person sitting with you at the victim’s machine?
• A: A system administrator who is an expert on that system type.
• Q: What do you want to obtain from a dot matrix or ...