Evidence collection procedures

There are a number of parallels between digital forensics and other forensic disciplines such as trace evidence. The key parallel is that organizations acquiring evidence need to have a procedure that is sound, reproducible, and well documented. The following are some guidelines for proper collection of digital evidence:

  • Photograph the system and the general scene. A small digital camera is one of the most useful pieces of kit a responder can carry. Photographing a system in place may seem like overkill, but if the actions taken by incident responders ever see the inside of a courtroom, the photos allow the sequence of events to be reconstructed. One word of caution: use a dedicated camera. Photographs taken on a personal cell phone may expose that device to discovery in a lawsuit or criminal proceeding. Take all the photos that are needed, then transfer them to permanent storage at a convenient time and place.
  • Determine whether the system is powered on. If it is on, leave it on; if it is off, do not power it on. Both transitions change the state of the system. A running system still holds volatile memory that can be captured, and if the disk is protected by full disk encryption, leaving the system running allows the responder to acquire the logical volumes while they are still unlocked. If the system is off, keeping it off preserves the contents of non-volatile storage. If incident response personnel believe the system poses a danger to other systems, isolate it by removing the network connection rather than powering it down.
  • Acquire the running memory. This is a critical piece of evidence that yields a wealth of data about running processes, loaded DLLs, and network connections. For that reason, procedures for acquiring memory are covered extensively in this chapter.
  • Acquire registry and log files. These files are non-volatile, but having them available almost immediately is valuable, especially when the investigation involves malware or other means of exploitation.
  • Unplug the power from the back of the system rather than performing an orderly shutdown, which would write to the disk. If the system is a laptop, remove the battery as well. This preserves the state of the system.
  • Photograph the back or bottom of the system to capture the model and serial number. This procedure allows the incident response analyst to capture any information that's necessary for the chain of custody.
  • Remove the cover to the system and photograph the hard drive to capture the model and serial number. Again, this aids in the reconstruction of the chain of custody.
  • Remove the hard drive from the system and package it in an anti-static bag.
  • Secure the drive in a sealable envelope or box. Anti-static bags will protect the hard drive, and the packaging should ensure that any attempt to open it will be evident. This can be facilitated through purpose-designed evidence bags or simple mailing envelopes that can be sealed with tape. The seizing analyst should sign any seals. Furthermore, indicate the incident number, evidence number, date, time, and seizing analyst somewhere on the exterior of the packaging.
  • Document all actions. Ensure that dates and times are recorded, as well as which incident response analyst performed the action. Incident reporting is often the last stage of any response. As a result, hours or even days can pass before analysts are able to record their actions. Due to this, pictures and notes that are taken during the initial seizure are invaluable when it comes to reconstructing the sequence of events.
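The last three steps (photograph, label and seal the evidence, document every action with date, time and analyst) are where a responder most often has to reconstruct events later. The following is an added example, not code from the book, of a minimal chain-of-custody log that captures those fields and goes one step further than the text by recording a SHA-256 hash of each acquired artifact (such as a memory image) and chaining each entry to the previous one, so a later edit to the log is detectable. The field names (incident, evidence_id, analyst, action), the JSON Lines format and the incident and evidence numbers used in the demo are all constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous digest" recorded by the first entry of a fresh log


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash an acquired artifact in chunks, so a multi-GB memory image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_digest(entry):
    """Digest over a canonical JSON form, so it is reproducible however the line was written."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canon).hexdigest()


def read_entries(log_path):
    """Return all entries of a JSON Lines custody log (empty list if the log does not exist yet)."""
    if not os.path.exists(log_path):
        return []
    with open(log_path, "r", encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def record_action(log_path, incident, evidence_id, analyst, action, artifact=None, when=None):
    """Append one entry: who did what to which item, when, and the hash of any artifact acquired.

    Field names are hypothetical; 'prev' is the digest of the preceding entry, forming the chain.
    """
    entries = read_entries(log_path)
    entry = {
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(timespec="seconds"),
        "incident": incident,
        "evidence_id": evidence_id,
        "analyst": analyst,
        "action": action,
        "prev": entry_digest(entries[-1]) if entries else GENESIS,
    }
    if artifact is not None:
        entry["artifact"] = os.path.basename(artifact)
        entry["size"] = os.path.getsize(artifact)
        entry["sha256"] = sha256_file(artifact)
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_log(log_path):
    """Walk the chain. Returns (True, None) if intact, otherwise (False, index) of the first entry
    whose 'prev' does not match the digest of its predecessor, i.e. an earlier entry was altered or removed."""
    prev = GENESIS
    for i, entry in enumerate(read_entries(log_path)):
        if entry.get("prev") != prev:
            return False, i
        prev = entry_digest(entry)
    return True, None


def demo():
    """Constructed walk-through with a stand-in 'memory image'; not data from a real case."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "custody.jsonl")
    image = os.path.join(workdir, "memdump.raw")
    with open(image, "wb") as f:
        f.write(b"SAMPLE MEMORY IMAGE BYTES\n" * 4096)  # constructed sample, not a real capture
    record_action(log, "IR-0001", "E-001", "analyst.a", "Photographed system, screen and general scene")
    record_action(log, "IR-0001", "E-002", "analyst.a", "Acquired volatile memory to external drive", artifact=image)
    record_action(log, "IR-0001", "E-003", "analyst.a", "Removed drive, placed in anti-static bag, sealed and signed")
    return log, image
```

Two caveats. The chain only detects changes to entries that have a successor; the final entry can be edited silently unless its digest is recorded out of band at the end of the seizure, for example written on the evidence bag label or filed in the case ticket. And a hash proves only that an artifact has not changed since it was hashed; it says nothing about whether the acquisition itself was performed soundly, which is what the photographs and notes are for.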

In the next section, we will look at acquiring volatile memory.
