You're face-to-face with a computer criminal. Now what? Some advice from Microsoft in a nifty guide.
- By Greg Shields
I remember my very first training many years ago when I started as a Tier I technician in a large company. We were briefed on what to do if we ever found pornography on a company computer. “Notify us immediately,” we were told. Except in the case where it was child pornography, “In that case: Step back from the computer. Don’t touch anything. Don’t try to fix or delete anything. Don’t leave the computer. And notify us immediately,” said our management.
Unfortunately, our job sometimes takes us into situations involving the legal system and law enforcement, and discovery of child pornography on a system is only one of those instances.
Any time a user's behavior on a system escalates from merely problematic to something the authorities need to be involved in, the rules for what you, as a systems administrator, must do to preserve evidence change immediately. The rules of evidence are strict, and if your actions are not handled correctly, that evidence can become unusable in a criminal case.
To address this and educate all of us on the need for evidence traceability in computer forensics, Microsoft has released the "Fundamental Computer Investigation Guide for Windows." The document walks through what you need to do to assess the situation, acquire the necessary data while still preserving the rules of evidence, analyze the data if necessary, and report on the investigation.
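A small illustration of the "acquire while preserving evidence" step, added here as an example and not taken from the Microsoft guide or this column: every acquired file gets a SHA-256 hash and a custody entry at acquisition time, so any later change is detectable. The case id, collector name, file names and file contents are all constructed.

```python
# Added example, not code from the Microsoft guide: hash acquired evidence files,
# record a chain-of-custody manifest, and later prove the files are unchanged.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so a large image does not fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, case_id, collector):
    """One custody entry per file, taken at acquisition time (UTC)."""
    now = datetime.now(timezone.utc).isoformat()
    entries = [{"path": os.path.abspath(p), "size": os.path.getsize(p),
                "sha256": hash_file(p), "acquired_at": now, "collector": collector}
               for p in paths]
    manifest = {"case_id": case_id, "entries": entries}
    # Hash the manifest body too; keep manifest and hash apart from the evidence.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(manifest):
    """Re-hash every listed file; return paths that are missing or altered."""
    return [e["path"] for e in manifest["entries"]
            if not os.path.exists(e["path"]) or hash_file(e["path"]) != e["sha256"]]


def demo():
    """Constructed scenario: two evidence files, one edited after acquisition."""
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "mail.pst"), os.path.join(d, "notes.txt")
    for p, data in ((a, b"hello"), (b, b"world")):
        with open(p, "wb") as f:
            f.write(data)
    manifest = build_manifest([a, b], case_id="CASE-0001", collector="tier1-tech")
    clean = verify_manifest(manifest)   # [] : nothing has changed yet
    with open(b, "ab") as f:            # someone "tidies up" a file afterwards
        f.write(b"!")
    return {"manifest": manifest, "clean": clean, "tampered": verify_manifest(manifest)}
```

Store the manifest and its hash somewhere the evidence system cannot reach, and record who held the files at each hand-off alongside it.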
The guide includes an interesting extended scenario that walks through the four steps in the case of an intentional data disclosure incident. The scenario is good reading, as it works through the steps nicely to help you understand what is needed if you intend to report the incident to the authorities. It also provides a series of worksheets and links to agencies such as the FBI and local law enforcement, to help you determine where to report the problem.
You can download the document from Microsoft here.
Greg Shields is Author Evangelist with PluralSight, and is a globally recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.