Notes:
PROCEDURES:
Incident Response Procedures
Chain of Evidence Sheets
Acquisition Procedure and Checklist
Shipping and Receiving Procedures and Checklists
Evidence Handling Procedure and Checklists
Laboratory Methodologies and Checklists
Testimonial Guidance
EVIDENCE LOCKER:
Inexpensive and a convincing counter argument
Compartmentalization of video camera from recorder
OS ACCOUNTING:
Use of system accounting, auditing of all failures, successful administrative operations, stop/starts
Use of accounting on networked file systems
CLOCKS:
Sync of clocks on all devices to same time
Reporting of time in GMT
GPS based ntp server is an example
EVIDENCE SERVER:
Unix server with graphical head, Loads of disk space, fast network, unallocated raw partitions
cryptcat, tct-1.03, thumbnailing software
No network services provided - cryptcat listener only
Perhaps local tcp wrapped host level restrictions
USE OF ENCRYPTED FILE SYSTEMS:
Most important area to assure procedures are followed
Retrieval of keys and other considerations
TOOLS AND MATERIALS:
TCT, cryptcat, platform-os specific binaries from $TCT_HOME/conf/paths.pl (arp, at, cat, cp, date, dmesg, etc…) boxes, non-static wrap, packing tape