There are some things I need to know whenever a client calls me. Here are some of the questions I ask and why I ask them.
Before I get started, let me mention one thing – if you are an actual party in a lawsuit, it’s really better for your attorney to contact me rather than you yourself. Nothing personal – honest! It’s just better for both of us. Your attorney can explain why.
What Kind of Media?
The first thing I want to know is what I’m going to be examining. Am I going to be looking at a hard drive? Thumb drive? CDs or DVDs? Camera? Cell phone? Among other things, the type of media I’m looking at affects what hardware I will need to use.
How Big and How Fast?
I’m not going to say it…ok, I’m going to say it. Size matters – at least when it comes to imaging hard drives. Actually, a hard drive’s size and speed together determine how long it will take to image that drive (which, in turn, determines cost to the client).
Now, I admit lots of people don’t know how large their hard drive is, and even fewer know its rotational speed. If the drive has already been removed from the computer, this information can usually be found on the label right on the outside of the disk.
If the drive is still in the computer, you can usually get the model number from the Windows Device Manager, and I can use that to look up the drive’s specs.

[Image: Windows Device Manager]
What Kind of Machine?
Is the drive in a workstation or a server? Workstations are generally easier. Taking a server offline to image the drive(s) means lost productivity, and someone’s not going to be happy about that. So, if it’s a server, I may be required to do what’s called a “Live” acquisition. This means different hardware, different procedures and more time.
Where’s it Going Down?
Is the media going to be delivered to me or am I doing my acquisition on-site somewhere? And, if it’s on-site, is it a friendly location or hostile? I once had to image some computers that belonged to people who were not very happy about it, and I had to do it at their office. Oh, and the attorney who had hired me was “busy” that day and couldn’t go with me, so I was by myself. The imaging took about three hours. The entire time I was there, a mountainous biped named (I’m not kidding) Bubba stood about six inches from me and watched every move I made. Unsettling to say the least, but luckily I didn’t fry any drives or jab my screwdriver through a motherboard. Everything went fine because I knew in advance the situation was going to be tense and I was prepared.
Super Noob or Leet Haxor?

I like to get an idea of how computer savvy the subject is. I also like to know whether the subject suspects they are being investigated or not. A more experienced computer user, or a person who knows they are being investigated, is more likely to hide or destroy evidence, and this changes how I approach my analysis.
What am I Looking For?
Finally, I need to know what I’m looking for – not just the type of files (e.g., email, documents, photos) but the nature of the information too (e.g., fraud, harassment, inappropriate use). This will impact the type of analysis I perform, how long it takes (a.k.a., cost) and the likelihood of success. Like I always say, looking for evidence is like trying to find a date: the difficulty of the search depends a lot on what you’re looking for (and what you’re willing to settle for).
Check back next week when I’ll be discussing social networks.