Proper Procedure

It is important to follow proper procedure when examining a suspect machine. This chapter covers specific details on the proper procedure to follow when collecting, seizing, and protecting evidence.

Shutting Down the Computer

At one time it was recommended that the first step in analyzing a computer was to shut it down. However, it soon became apparent that doing so could destroy valuable evidence held in running processes or memory. The computer may also be using hard drive encryption, in which case simply shutting the system down may leave you unable to get back into it. Before you shut the system down, at a minimum, you need to see what is currently running on the computer. Remember, you want to touch it as ...
