Very Important Rules
of digital forensics
·
Rule 1. An
examination should never be performed on the original media.
·
Rule 2. A copy is
made onto forensically sterile media. New media should always be used if
available.
·
Rule 3. The copy
of the evidence must be an exact, bit-by-bit copy. (Sometimes referred to as a
bit-streamcopy).
·
Rule 4. The
computer and the data on it must be protected during the acquisition of the
media to ensure that the data is not modified. (Use a write blocking device
when possible)
·
Rule 5. The
examination must be conducted in such a way as to prevent any modification of
the evidence.
·
Rule 6. The chain
of the custody of all evidence must be clearly maintained to provide an audit
log of whom might have accessed the evidence and at what time.
