Police procedural for digital evidence forensics

The National Institute of Justice has published "Forensic Examination of Digital Evidence: A Guide for Law Enforcement" — a 91-page PDF to help computer-illiterate cops not screw up evidence collection and help cyber-cops make use of materials.

– Perform a controlled boot to capture CMOS/BIOS information and test functionality.
* Boot sequence (this may mean changing the BIOS to ensure the system boots from the floppy or CD-ROM drive).

* Time and date.
* Power on passwords.

– Perform a second controlled boot to test the computer's functionality and the forensic boot disk.
* Ensure the power and data cables are properly connected to the floppy or CD-ROM drive, and ensure the power and data cables to the storage devices are still disconnected.
* Place the forensic boot disk into the floppy or CD-ROM drive. Boot the computer and ensure the computer will boot from the forensic boot disk.

– Reconnect the storage devices and perform a third controlled boot to capture the drive configuration information from the CMOS/BIOS.
* Ensure there is a forensic boot disk in the floppy or CD-ROM drive to prevent the computer from accidentally booting from the storage devices.

* Drive configuration information includes logical block addressing (LBA); large disk; cylinders, heads, and sectors (CHS); or auto-detect.
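
An added example (not from the NIJ guide or from this post): one way to write down the values captured during the three controlled boots and check them before acquisition. The record layout, the 60-second threshold, the 512-byte sector size, the drive-label sector count and the sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SECTOR_BYTES = 512  # assumption: 512-byte sectors

@dataclass
class BootRecord:  # hypothetical schema for the examiner's notes
    boot_order: list            # as set in the BIOS, first device first
    bios_clock: datetime        # time and date shown in CMOS setup
    reference_clock: datetime   # trusted clock read at the same moment
    power_on_password: bool
    drive_mode: str             # "LBA", "LARGE", "CHS" or "AUTO"
    cylinders: int
    heads: int
    sectors: int                # sectors per track
    total_sectors: int          # from the drive label; 0 if not recorded

def clock_offset(rec):
    """Positive when the examined machine's clock runs ahead of the reference."""
    return rec.bios_clock - rec.reference_clock

def to_reference_time(rec, stamp):
    """Correct a timestamp written under the examined machine's clock."""
    return stamp - clock_offset(rec)

def chs_capacity(rec):
    """Bytes addressable through the recorded CHS geometry alone."""
    return rec.cylinders * rec.heads * rec.sectors * SECTOR_BYTES

def review(rec):
    """Return notes the examiner should carry into the acquisition step."""
    notes = []
    if rec.boot_order[0] not in ("floppy", "cdrom"):
        notes.append("first boot device is not the forensic boot disk drive")
    offset = clock_offset(rec)
    if abs(offset) > timedelta(seconds=60):
        notes.append(f"BIOS clock offset {offset.total_seconds():+.0f}s")
    gap = rec.total_sectors * SECTOR_BYTES - chs_capacity(rec)
    if rec.total_sectors and gap > 0:
        notes.append(f"CHS geometry does not cover {gap} bytes of the drive")
    return notes

# Constructed sample values, not taken from any real examination.
SAMPLE = BootRecord(["floppy", "hdd"], datetime(2004, 5, 1, 10, 7, 30),
                    datetime(2004, 5, 1, 10, 0, 0), False, "LBA",
                    16383, 16, 63, 78165360)

if __name__ == "__main__":
    for note in review(SAMPLE):
        print(note)
```

The clock offset is what lets file timestamps from the examined machine be placed on a trusted timeline, and the geometry note is a reminder that the acquired image should be sized against the drive's full sector count rather than the CHS figures.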

660K PDF Link

(Thanks, Dave!)