Sop of Digital Evidence Collection PDF

STANDARD OPERATING PROCEDURE OF
DIGITAL EVIDENCE COLLECTION

Digital Forensics Department, CyberSecurity Malaysia
Version 1.0
1st July 2013
Sarah Khadijah Taylor

Mohd Zabri Adil B Talib
CyberSecurity Malaysia SOP of Digital Evidence Collection
The purpose of this Standard Operating Procedure (SOP) is to provide generic guidance and suggested
process on collection of digital evidence. It was developed based on input from the Technical Working
Group, compilation of best available information, knowledge and field experience to provide guidance
to Malaysian law enforcement officers so that digital evidence collection activities are performed in a
consistent and standardized manner.
This SOP should be used as a reference. However, differences may exist between the procedures
referenced in this SOP and what is appropriate under field-specific conditions.
For the avoidance of doubt, the use of this SOP shall not in any way create, or be relied upon to give rise
to, any right in the user which may be enforceable at law in any matter whether civil or criminal.
Any products, manufacturers or organisations referenced in this SOP are presented for informational
purposes only and do not in any way constitute approval or endorsement by CyberSecurity Malaysia.
ii PUBLIC RELEASE
Technical Working Group for the SOP of Digital Evidence Collection
In September 2010, a technical working group was formed with the aim of discussing the best way of preserving
digital evidence at crime scene as well as to develop a standard process among the local law enforcement
agencies. The working group successfully delivered a mutual understanding among the law enforcement agencies
on investigating digital evidence related matters; however, it was never made into final draft.
This SOP is an enhancement from the drafted version developed then. The following names have not only made
the technical working group possible, but have also contributed knowledge and experience in investigating digital
related crimes.
Aisha Be Bt Abd Kadir Mohamad Syukri B Jamaluddin

Polis DiRaja Malaysia Suruhanjaya Komunikasi dan Multimedia
Malaysia
Azlina Bt Rasdi Nahra Bt Dollah

Jabatan Peguam Negara Jabatan Peguam Negara
Badius Zaman B Haji Ahmad Nazri B Mohamed

Suruhanjaya Komunikasi dan Multimedia CyberSecurity Malaysia
Malaysia
C. Vignesh Kumar Noorin Bt Baharuddin

Idham B Abd Ghani Nur Azimul Azami

Lailawati Bt Ali Raja Rozela Bt Raja Toran

Melissa Bt Mohd Akhir Sarah Khadijah Taylor

Jabatan Peguam Negara CyberSecurity Malaysia
Mohd Zabri Adil B Talib Syed Faisal B Syed Amir

CyberSecurity Malaysia Jabatan Peguam Negara
Mohd Ruzeiny B Kamaruzzaman Victor Sanjos

Jabatan Peguam Negara Polis DiRaja Malaysia
Mohd Kamarudin B Md Din Yusaini Amer B Abdul Karim

Polis DiRaja Malaysia Jabatan Peguam Negara
Mohamad Firham Efendy B Md Senan ZairulNahar B Zakaria

CyberSecurity Malaysia Suruhanjaya Komunikasi dan Multimedia
Malaysia
PUBLIC RELEASE iii

Table of Content
Contents
INTRODUCTION....................................................................................................................................................5
DIGITAL FORENSIC METHODOLOGY.................................................................................................................5
A. IDENTIFICATION...............................................................................................................................................6
B. COLLECTION....................................................................................................................................................8
B1. PREPARE...................................................................................................................................................9
B2. CONDUCT................................................................................................................................................10
B3. COLLECT.................................................................................................................................................11
B4. TRANSPORT............................................................................................................................................12
C. ANALYSIS........................................................................................................................................................13
E. PRESERVATION.............................................................................................................................................14
SPECIAL CONSIDERATION FOR DIGITAL EVIDENCE COLLECTION.............................................................15
CAN I PRE-ANALYZE EVIDENCE BEFORE I SEIZE/MAKE FORENSIC COPY? ….….…..….….…..….….…. 15
CAN I TENDER A COPY OF DIGITAL EVIDENCE INTO COURT?.........................….….…..….….…..….….….16
CAN I TENDER EVIDENCE IN A LOGICAL FORM INTO COURT?.........................….….…..….….…..….….…18

REFERENCE.......................................................................................................................................................19
APPENDIX A: Digital Evidence Collection Workflow.......................................................................20
APPENDIX B: Sample of Sketch Plan.......................................................................................................21
APPENDIX C: First Responder Flow Chart for computer.............................................................22
APPENDIX D: First Responder Flow Chart for Mobile Device.....................................................23
APPENDIX E: First Responder Flow Chart for CCTV........................................................................24
APPENDIX F: First Responder Flow Chart for Social Media & Internet Application..........25
APPENDIX G: First Responder Flow Chart for Server & Cloud Computing..........................26
APPENDIX H: Sample of Labelling Device & Sub Device....................................................................27
APPENDIX I: Sample of Sealing the Evidence.......................................................................................28
APPENDIX J: Sample of Seizure List.........................................................................................................29
APPENDIX K: Sample of Chain of Custody.............................................................................................30
APPENDIX L: WHAT-IS........................................................................................................................................31
GLOSSARY..........................................................................................................................................................37
iv PUBLIC RELEASE
INTRODUCTION
Digital evidence collection must be handled by following a proper process. This is important to ensure
that maximum data can be preserved and that the integrity of the exhibit is intact. Understanding the
digital forensic methodology enables the Digital Evidence First Responder (DEFR) to understand the
holistic view of conducting forensic on digital evidence.
DIGITAL FORENSIC METHODOLOGY

The following chart describes the methodology of conducting digital forensics related case:-
A. IDENTIFICATION
B. COLLECTION
C. ANALYSIS
D. PRESENTATION
E. PRESERVATION
Flow Chart 1: Digital Forensic Methodology
The methodology involves with 5 basic phases; Identification, Collection, Analysis, Presentation and
Preservation. Most of the time, DEFR shall involve with only three (3) phases of the Digital Forensics
Methodology; which are the Identification, Collection and Preservation phase. The next topic shall
describe the process involves in handling the digital evidence.
PUBLIC RELEASE 5
A. IDENTIFICATION
When a case involving digital device occurs, DEFR shall discuss with team members of the best strategy
to gather the evidence prior to set off to the premise. The DEFR shall come as early as possible to the
premise to preserve the evidence.
This phase, the Identification, is a phase where DEFR collects some preliminary information prior to
collecting the evidence. Preliminary information may help DEFR to strategize the process of collecting
the evidence, especially if the incidents happen at several locations.
In most cases, evidence that need to be collected varies from one case to another. For example, a web
related case may involve with collection of the web server and the database server, whereas a document
counterfeiting case may involve with the collection of a personal computer.
The following lists some of the questions that may guide DEFR in establishing the facts of the case:
Sample of Questions for Preliminary Information Gathering
WHAT • What types of crime is it? (Financial fraud, harassment, cyber terrorism, bribery)
• What are the resources needed? (People, equipment, budget)
• What are the needed documents? (Warrant, Seizure list, Chain of custody form)
• What is the IP address?
• Who owns the IP address?
WHO • Who are the people involve?

• Who are the IT personnel of the premise?
• Who are the top management of the company?
WHERE • Where is the location of the crime? Malaysia or cross border?

• Where is the database server?
WHEN • When did the crime happen?

• When did the investigating team first detect the crime?
HOW • How did the crime happen?
Table 1: Sample of questions for preliminary information gathering
6 PUBLIC RELEASE
The following flow chart detailed out the process involves in Identification phase.
A. IDENTIFICATION
A1. GATHER INFORMATION
Some helpful tips
• Methods to gather data of the location:

• Whois analysis
• GPS coordinate on photos
• Engage Telecommunication Provider for
phone number user registration details
• Method to gather data of the people:

• Google
• Pipl.com
• Social media
• Email header
• Phone number
A2. PRESERVE INFORMATION
Some helpful tips
• Convert the file into PDF format

(web page, email, etc)
A3. PRINT, SIGN AND DATED

(By the person who produces the information)
Flow Chart 2: Phase Identification
DEFR must be aware that some of the information gathered during this phase might be tendered into
court, for example, the web page that contained harassment messages and the Whois information.
Thus, it is necessary that all information gathered during this phase be documented or preserved.
Preserving the information is also important in order to conduct a smooth storyline to stakeholders. The
preserved information or the written document is best to be printed out, signed and dated by the person
who produces it.
PUBLIC RELEASE 7
B. COLLECTION
The next phase is to set off to the premise to collect the evidence. During collection phase, there are
several steps that a DEFR may follow. The process of collection is summarized in the following flow
chart:
B. COLLECTION
B1. PREPARE
B2. CONDUCT
B3. COLLECT
B4. TRANSPORT
Flow Chart 3: Phase Collection
The detailed explanation of the process of collection is described in the following paragraph.
8 PUBLIC RELEASE
B1. PREPARE
The following flow chart explains in detail the process involves in Prepare phase.
• During this phase, Team Leader shall conduct a briefing session

Plan the CSI and brainstorming session.
• Items to be briefed:
-- Introduce team members;
-- Purpose of raid;
-- Explain the committed offense, the related Act, the location of
the premise, the expected total numbers of occupier and IT
literacy of the suspect;
-- The strategy of the Crime Scene Investigation (CSI);
-- Evidence transportation & lodging;
-- Team member’s transportation & lodging.
• Ensure competent personnel are available during the CSI.
• Ensure that related documents are readily available.

Prepare document
• Example: Investigation Diary or journal, seizure list, and chain of
custody form.
• List of possible equipments to be brought:

Prepare equipment
-- Camera
-- Evidence labeling tool (markers, stickers, tie-on tagging)
-- Evidence packaging (anti-static bag, aluminum foil, bubble
wrapper, cardboard box)
-- Imaging tool
-- Pre-Analysis tool (EnCase, FTK)
-- Storage device to store acquired data
-- Power bank for your mobile phone
-- Tools, small pliers, wire cutters
-- Torch
• Synchronize your watch/ computer/ mobile phone with atomic
clock. You may use http://mst.sirim.my to synch your clock.
PUBLIC RELEASE 9
B2. CONDUCT
The following flow chart explains in detail the process involves in Conduct phase.
• Once you have arrived at the premise, identify wireless connections

Secure premise around the premise and the security features.
• Identify yourself and the purpose of the raid.
• Identify person-in-charge of the premise and everyone else in the
premise.
• Check all rooms in the premise and identify available digital
devices.
• Check as well the occupier’s vehicles.
• Move people away from the digital devices and power source.
• Identify technical person and interview him.

Identify evidence
• Identify potential evidence based on the facts of the case.
• Sketch these items in diary/journal for the purpose recreating/

Document premise conveying details of the scene to stakeholders:
-- The plan of the premise. Refer Appendix B.
-- Location of the evidence
• The purpose is to gather and verify information.

Conduct short
• Information to be gathered:
interview
-- Purpose of evidence
-- Users of the evidence
-- Type of internet access & ISP
-- Any offsite storage
-- Username & password of the digital device, email, webmail,
blogs, social media or instant messaging.
• DEFR may then need to make decision of these matters:

Discuss strategy
-- Do we need to collect all digital evidence?
among team members
-- Do we need to collect; or just forensically copy them?
-- Do we need to forensically copy them bit by bit, or just copy
the related folder/file?
-- Is our storage media able to store all acquired data?
• Ensure that each decision is justifiable.
10 PUBLIC RELEASE
B3. COLLECT
The following flow chart explains in detail the process involves in Collect phase.
• The ‘Collect’ process depends on types of digital evidence.

Collect Evidence
• Digital evidence is categorized into 5 types, and each type has
different methods of seizure.
• For each category, please refer to the Appendix associated with it.
Computer Appendix C
Mobile devices Appendix D
CCTV Appendix E
Social Media & Internet Applications Appendix F
Server & Cloud Computing Appendix G
• Please refer to Appendix L for detailed steps of getting data from

digital device.
• Label must be UNIQUE.

Label Evidence
• Label at appropriate place.
• Label parent device together with its sub devices. Refer Appendix
H.
• If you decide to seize the cables, ensure that the cables are
properly labeled for future reconstruction.
• Write down complete serial number OR unique identification of
the evidence in diary.
• While documenting the evidence’s details are important, DEFR

Photograph Evidence can always choose the option of photographing the evidence.
• Take photograph of the device and its labeling, overall view and
close up view.
• Items to be captured; device setting, serial number, manufacturer,
model, any unique features, etc.
• Photos can facilitate understanding in court, especially when
presenting information of items that was not seized at the premise.
PUBLIC RELEASE 11
B4. TRANSPORT
The following flow chart explains in detail the process involves in Transport phase.
• This process takes place after the evidence has been properly
Package labeled.
• The evidence must then be packaged with anti static bag, or other
materials such as bubble wrapper or plastic bag.
• DEFR must ensure that the packaging:
-- Able to detect any attempt to gain access to the evidence.
Refer Appendix I.
-- Does not damage the evidence; ie. Water-resistant.
• Both party; DEFR and the occupier, sign the Seizure List. Please
refer Appendix J.
• The chain of custody now starts here.
• Any transfer from one officer to another shall be recorded in Chain
of Custody Form. Please refer Appendix K.
• During transportation, the evidence in the vehicle must not be left

unattended.
Transport • At least ONE(1) personnel must be in the vehicle at all time.
12 PUBLIC RELEASE
C. ANALYSIS
This phase deals with extracting, analyzing and

reconstructing data from the evidence based on
case objectives. Analysis is usually conducted in
a forensic laboratory by a forensic analyst, under
a controlled environment. Investigator or DEFR
must aware that, in order for forensic analysts to
successfully analyze the evidence, they need to
have:
What does an analyst need prior to analyze
digital evidence?
1 Clear & concise case objective
Examples of case objectives are:

• Extract all documents that have word ‘ABC Consulting’ and its metadata.
• Extract the user profile of the computer
• Enhance the female voice from the recording.
• Compare facial feature from Photo A against Photo B and whether the facials are
similar to each other.
2 Some knowledge of the case background
• Some analysts have years of knowledge in presenting findings of digital evidence in

court.
• They may be able to give good advice to client on constructing the best case objective.
• Analyst may also be able to properly present his/her findings in a better form in the
forensic report, if he/she is supplied with the case background.
3 Any other data gathered at the crime scene/premise.
Examples of data that may be helpful to the analyst:

• IP address
• MAC address
• Print screen of computer display
• Print screen of social media or email.
Table 2: Useful Information that may help analyst to conduct forensic analysis
PUBLIC RELEASE 13
E. PRESERVATION
Preservation is process where evidence is taken care to ensure that it is not tampered, chain of custody
is not broken and integrity is intact. DEFR must ensure that evidence is properly preserved from the
point of taken, to the point of it is handed over to other authorized personnel. DEFR must also be able to
demonstrate that evidence is properly preserved to stakeholders. The methods are:
Evidence Preservation
1 Document evidence’s variables
• Items to be documented:
-- Evidence’s Serial number
-- Manufacturer & Model
-- Storage size (if applicable)
-- Any defects from normal condition, example: keyboard missing ‘k’ letter
-- MAC address (if applicable)
-- Hash value (if applicable)
• This can all be written down in the Seizure List, which is signed by the occupier and
the DEFR. Refer Appendix J.
2 Label and seal
• Label or tag the evidence. It must be unique.

• Label must be able to stay throughout the lifetime of the evidence.
• Label sub device as well, for example, memory card of a mobile phone.
• Label of sub device must be able to be tracked to parent device.
• Label at appropriate place. (Not on the display screen or at the opening of battery).
• Seal properly (anti-shock, water-resistant, anti-static charge). Seal must be able to
detect any attempt to gain access to the evidence.
• Refer to Appendix H for sample of label and Appendix I for seal.
3 Document the chain of custody
• Name and signature of each person, including internal staff, whom take possession or
transport the evidence.
• Date of transfer.
• Evidence’s label or serial number.
• Refer to Appendix J for sample of chain of custody.
Table 3: Methods for Preserving Digital Evidence
14 PUBLIC RELEASE
SPECIAL CONSIDERATION FOR DIGITAL EVIDENCE COLLECTION
Can I Pre-Analyze Evidence Before I Seize/Make Forensic Copy?

In some cases, it is necessary for DEFR to access the computer, view files in the computer, and decide
whether the computer is worth to be seized. This usually happens when there are too many digital
devices at a place, and; seizing the evidence may disrupt the business operations.
For that reason, DEFR may browse the data in the computer. DEFR must aware that THIS ACTION
MAY TAMPER THE EVIDENCE.
Evidence Pre-Analysis
What is it?
• Browsing through the digital evidence to ensure the relevant data or file is in the computer. This
is done in order to eliminate the need to seize unrelated evidence.
Who can conduct this?
• It is advisable that only EXPERT or SENIOR PERSONNEL are allowed to do this.

• Seniors and expert are usually well-versed and more experienced in digital evidence handling,
and more capable of JUSTIFYING HIS ACTION IN COURT.
How to conduct it?
• Before you start browsing into files, write down the device’s offset time.
• Browse into files. Be caution NOT to EDIT anything, including RESAVING it.
• If you found the related file, and decide to seize the computer, follow First Responder Flow
Chart for Computer.
• Or, if the situation does not permit you to seize the computer, follow First Responder Flow
Chart for Server & Cloud Computing.
• In all steps taken, DEFR must cautiously calculate his steps, and ensure that his actions shall
cause the least alterations to the data.
Table 4: Pre-analyze Evidence Before Seize/Make Forensic Copy
PUBLIC RELEASE 15
Can I tender a Copy of Digital Evidence into Court?

Yes. CyberSecurity Malaysia has several experiences of admitting copy of evidence into court, and the
court accepted them.
There are some situations where DEFR could not, or not permitted to seize the evidence and bring back
to laboratory, for the following reasons:
1. Evidence is too bulky; for example a server or a car with an embedded GPS.
2. Seizing the evidence will disrupt normal operations/business; for example CCTV system at a petrol
station, or a server containing websites of five(5) different companies not related to the case.
3. DEFR is not authorized to seize the evidence.
For that reason, DEFR is allowed to make a forensic copy of the evidence. Depending on situations,
DEFR may create image of the evidence, download relevant files, or use manual method (print screen/
photograph related data).
How does this copy of evidence be treated? Before it is explained further, DEFR need to understand the
magnitude of evidence.
Flow Chart 4: Traditional Digital Evidence Collection
Primary Source • Traditionally, evidence (Primary Source) is

seized at a premise, and transported to forensic
laboratory.
Create Copy
• The forensic analyst shall make a working copy,

and shall work on this working copy.
• The Primary Source shall then be tendered
into court.
Working Copy
16 PUBLIC RELEASE
Flow Chart 5: Improved Digital Evidence Collection
Primary Source • Primary source is the real source of evidence.

• Primary Source is forensically copied at onsite/
offsite location;
• And put into a storage device (Original Source).
• Methods to make forensic copy (but not limited
to):
Create Copy
-- Create an image of Primary Source.

-- Download relevant files from Primary
Source
-- Manual method (photograph/print screen)
the Primary Source.
Original Source • Original Source is an accurate and complete

replica of the Primary Source.
• In other word, first hand copy of the evidence.
• It shall be transported to forensic laboratory.
Create Copy
• The Original Source shall then be tendered

into court; therefore it shall meet several
requirements. Refer to Table 3.
Working Copy • The forensic analyst shall make a working copy

from the Original Source, and shall work on this
working copy.
• Analysis is not recommended to be conducted
on the Original Source.
• If, any tampers happen during analysis, analyst
may still make a copy from the Original Source
PUBLIC RELEASE 17
Can I tender evidence in a logical form into court? How should I handle logical
form evidence?
Technically, digital evidence can either be in a physical form or logical form. Example of evidence in
physical form is a mobile phone. In this case, the mobile phone will be tendered in court. Example of
evidence in a logical form is when related files are downloaded from a server into a storage device. This
storage device, however, is not the real evidence; rather it is just a container that is used to store the
real evidence.
Yes, DEFR can still tender evidence in logical form into the court. For this purpose, DEFR must store this
logical form evidence into a storage device.
There are some requirements that need to be met in order to ensure a smooth process of tendering this
evidence. This storage device shall be treated as ORIGINAL SOURCE. Please follow the Flow Chart 3:
Improved Digital Evidence Handling.
18 PUBLIC RELEASE
REFERENCE
ISO/IEC 27037:2013, Guidelines for Identification, Collection, Acquisition and Preservation of digital
evidence, International Standard Organization.
Forensic Examination of Digital Evidence: A Guide for Law Enforcement, National Institute of Justice,
Apr. 2004, https://www.ncjrs.gov/pdffiles1/nij/199408.pdf, viewed on 24th June 2013.
Good Practice Guide for Computer-Based Electronic Evidence, Official release version, Association of
Chief Police Officers’ (ACPO), http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_
evidence.pdf , viewed on 25th June 2013.
ISO/IEC 17025:2005, General Requirements for the Competence of Testing and Calibration Laboratories,
1st Revision, 2005, International Standard Organization.
Supplemental Requirements for the Accreditation of Forensic Science Testing Laboratories, 2011
edition, ASCLD/LAB-International, 2010.
SWGDE Best Practices for Computer Forensics, Scientific Working Group for Digital Evidence, Version
2.1, https://www.swgde.org/documents/Current%20Documents/2006-07-19%20SWGDE%20Best%20
Practices%20for%20Computer%20Forensics%20v2.1 , viewed on 23rd June 2013.
PUBLIC RELEASE 19
APPENDIX A: Digital Evidence Collection Workflow
IDENTIFICATION
Gather information
Preserve information
Print, sign and dated
COLLECTION
Prepare Plan the CSI
Prepare document
Prepare equipment
Conduct Secure premise
Identify evidence
Document premise
Conduct short interview
Discuss strategy
Collect Collect evidence
Label evidence
Photograph evidence
Transport Package evidence
Transport evidence
ANALYSIS
PRESENTATION
PRESERVATION
20 PUBLIC RELEASE
APPENDIX B: Sample of Sketch Plan
PUBLIC RELEASE 21
APPENDIX C: First Responder Flow Chart for computer
22 PUBLIC RELEASE
APPENDIX D: First Responder Flow Chart for Mobile Device
PUBLIC RELEASE 23
APPENDIX E: First Responder Flow Chart for CCTV
24 PUBLIC RELEASE
APPENDIX F: First Responder Flow Chart for Social Media & Inter-
net Application
PUBLIC RELEASE 25
APPENDIX G: First Responder Flow Chart for Server & Cloud Com-
puting
26 PUBLIC RELEASE
APPENDIX H: Sample of Labelling Device & Sub Device
A notebook label with

tampered proof sticker. The
notebook is labelled as:
DF20130328(2)NB02
Harddisk belongs to the notebook

is labelled as:
DF20130328(2)NB02_HD01
By using this labelling format, the sub device is

able to be tracked to its parent device.
[DF20130328(2)NB02]
PUBLIC RELEASE 27
APPENDIX I: Sample of Sealing the Evidence
Sample 1
Sample 2
28 PUBLIC RELEASE
APPENDIX J: Sample of Seizure List
PUBLIC RELEASE 29
APPENDIX K: Sample of Chain of Custody
Sample 1
Sample 2
30 PUBLIC RELEASE
APPENDIX L: WHAT-IS
How to get an IP Address from Windows computer
1. Click icon Start.
2. Type cmd in blank box. For XP, click Run and then type cmd.
3. Type ipconfig/all. Press enter.
4. Look for IPv4 Address value. The location of the IPv4 value depends on types of network connection,
as below:
Network type IP address is displayed under column…
Cable Ethernet adapter Local Area Connection
Wireless Ethernet adapter Wireless Network Connection
Mobile broadband PPP adapter
5. Write down the numbers next to IP Address V4. Example of an IP address: 192.10.10.0.
How to get an IP Address from Mac computer

1. Click on the Apple icon on the upper-left corner of the screen.
2. Scroll down and select System Preferences.

3. Click on Network. Usually it is on the third row.
4. Click on the green button.

5. The IP Address is available on the right pane.
PUBLIC RELEASE 31
How to get MAC Address from Windows computer

1. Follow steps ‘How to get an IP Address from Windows OS computer’.
2. Instead of looking for IPv4 Address, look for Physical Address. Example of a MAC address:
00-0C-27-EE-F0-E1.
How to get MAC Address from Mac computer

1. Follow steps ‘How to get an IP Address from Mac OS computer’.
2. After click on the green button, click Advanced… button.
3. MAC Address is available under Hardware tab
How to get Current User Account on Windows computer

1. Click on Start button.
Windows 7
2. Click this button

Current user account

adfasdf
Windows XP
32 PUBLIC RELEASE
How To Get Current User Account On Mac Computer

1. Click on Apple icon on the upper-left corner of the screen, choose System Preference, then
choose Accounts.
User account = John Smith
How To Get Computer Date & Time Offset

Windows Mac
On bottom-right of the screen, is the display of On the upper-right pane of the screen, is the
the date and time. Compare this time with mst. display of the date and time. Compare this time
sirim.gov.my. with mst.sirim.gov.my.
Compare with mst.sirim.my
Computer time 11.30 Computer time 13.30

mst.sirim time 11.54 mst.sirim time 12.20
Time Offset -00.24 Time Offset +01.10
PUBLIC RELEASE 33
How to Know if a Computer is a Server?

1. Right click on Computer, click on Properties.
2. You will know it is a server when you see Windows Server…
How to know if Destructive Process is Running?

If Delete, Erase, Wipe, Cut, etc process visible on the computer screen.
Delete process Erase or Wipe process
34 PUBLIC RELEASE
How to know if Machine is Networked & How to Isolate Machine from Network?
Machine may be connected to network if;
1. Network cable is connected to the machine. Pull the cable off.
2. Wireless connection is visible on the screen. Click on the wireless icon and turn it off.
3. Mobile broadband is connected to the machine. Pull the device off.
Wireless connection on right-above pane of the screen (Mac OS)
Mobile broadband Network cable
How to look for Encryption?

If the computer has any of the following software application, then the computer may have encrypted
file/folder/directory.
Truecrypt Folder Lock SensiGuard CryptoForge
Or when you see a large size file, possibly with unknown extension, or without an extension at all
appears in the computer.
Large size
No identification of type of file. Just
plain ‘File’.
PUBLIC RELEASE 35
How to Know if a Computer uses Solid State Hard Disk (SSD)?

Windows
Right click on Computer, select Manage. Then click on Storage and then click on Disk Management.
The computer is using SSD is it displays SSD on the Disk panel.
Mac
Click Apple logo, select About This Mac.
Click Storage
If the computer is using SSD, it will
display ‘Solid State’.
36 PUBLIC RELEASE
GLOSSARY
Digital Evidence Person who is authorized, trained and qualified to act first at an incident
First Responder scene in performing digital evidence collection and acquisition with the
(DEFR) responsibility for handling that evidence. [ISO/IEC 27037].
Primary Evidence A term refers by the legal system.
Primary evidence means the document itself produced for the inspection
of the court. [Evidence Act 1950, Section 62].
A document produced by a computer is primary evidence. [Evidence Act

1950, Section 62, Explanation 3].
Document can be a video recording, a computer printouts, server logs or

an audio sound.
Primary evidence also means computer output. [Computer Crime Act,

97].
Secondary A term refers by the legal system.

Evidence
Secondary evidence includes:
a. Certified copies
b. Copies made from original by mechanical processes, which
in themselves ensues the accuracy of the copy, and copies
compared with such copies;
c. Copies made from or compared with the original;
d. Counterparts of documents as against the parties who did not
execute them;
e. Oral accounts of the contents of a document given by some
person who has himself seen or heard it or perceived it by
whatever means.
[Evidence Act 1950, Section 62].
Primary Source A term refers by the digital forensics community. Refers to the first
instance in which an image is recorded onto any media that is a
separate, identifiable object. Examples include a digital image recorded
on a flash card or digital image downloaded from the Internet. [SWGDE].
Original Source A term refers by the digital forensics community. An accurate and
complete replica of the primary image, irrespective of media. For film
and analog video, the primary image is the original image. [SWGDE].
Working Copy A term refers by the digital forensics community. A copy or duplicate of
a recording or data that can be used for subsequent processing and/or
analysis. [SWGDE].
SWGDE Scientific Working Group on Digital Evidence (www.swgde.org)
Onsite location At the office.
Offsite location Away from office.
Occupier Owner of the device or occupier of the premise
PUBLIC RELEASE 37
Corporate Office:
CyberSecurity Malaysia, Level 5, Sapura@Mines, No 7, Jalan Tasik, The Mines Resort City,
43300 Seri Kembangan, Selangor Darul Ehsan | Tel : +603 8992 6888 | Fax : +603 8992 6841
Email: [email protected] | Customer Service Hotline: 1300-88-2999 | www.cybersecurity.my

Sop of Digital Evidence Collection PDF

Uploaded by

Copyright:

Available Formats

Sop of Digital Evidence Collection PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sop of Digital Evidence Collection PDF

Uploaded by

Copyright:

Available Formats

STANDARD OPERATING PROCEDURE OF

DIGITAL EVIDENCE COLLECTION

Sarah Khadijah Taylor

Technical Working Group for the SOP of Digital Evidence Collection

Aisha Be Bt Abd Kadir Mohamad Syukri B Jamaluddin

Azlina Bt Rasdi Nahra Bt Dollah

Badius Zaman B Haji Ahmad Nazri B Mohamed

C. Vignesh Kumar Noorin Bt Baharuddin

Idham B Abd Ghani Nur Azimul Azami

Lailawati Bt Ali Raja Rozela Bt Raja Toran

Melissa Bt Mohd Akhir Sarah Khadijah Taylor

Mohd Zabri Adil B Talib Syed Faisal B Syed Amir

Mohd Ruzeiny B Kamaruzzaman Victor Sanjos

Mohd Kamarudin B Md Din Yusaini Amer B Abdul Karim

Mohamad Firham Efendy B Md Senan ZairulNahar B Zakaria

PUBLIC RELEASE iii

CAN I TENDER EVIDENCE IN A LOGICAL FORM INTO COURT?.........................….….…..….….…..….….…18

DIGITAL FORENSIC METHODOLOGY

Flow Chart 1: Digital Forensic Methodology

Sample of Questions for Preliminary Information Gathering

WHO • Who are the people involve?

WHERE • Where is the location of the crime? Malaysia or cross border?

WHEN • When did the crime happen?

HOW • How did the crime happen?

Table 1: Sample of questions for preliminary information gathering

A1. GATHER INFORMATION

Some helpful tips

• Methods to gather data of the location:

• Method to gather data of the people:

A2. PRESERVE INFORMATION

Some helpful tips

• Convert the file into PDF format

A3. PRINT, SIGN AND DATED

Flow Chart 2: Phase Identification

Flow Chart 3: Phase Collection

• During this phase, Team Leader shall conduct a briefing session

• Ensure that related documents are readily available.

• List of possible equipments to be brought:

• Once you have arrived at the premise, identify wireless connections

• Identify technical person and interview him.

• Sketch these items in diary/journal for the purpose recreating/

• The purpose is to gather and verify information.

• DEFR may then need to make decision of these matters:

• The ‘Collect’ process depends on types of digital evidence.

• Please refer to Appendix L for detailed steps of getting data from

• Label must be UNIQUE.

• While documenting the evidence’s details are important, DEFR

• During transportation, the evidence in the vehicle must not be left

This phase deals with extracting, analyzing and

1 Clear & concise case objective

Examples of case objectives are:

2 Some knowledge of the case background

• Some analysts have years of knowledge in presenting findings of digital evidence in

3 Any other data gathered at the crime scene/premise.

Examples of data that may be helpful to the analyst:

1 Document evidence’s variables

2 Label and seal

• Label or tag the evidence. It must be unique.

3 Document the chain of custody