Forensics Methodology



Anonymous

Guest
#1
Is there an established methodology for 'computer forensic investigation'?

I have read some of the items on this site, and some of it is definitely edging that way. But is there anything published and recognized as the normal 'process' or 'procedure' when investigating?

I'm guessing someone will retort saying that it depends on the computer system in question. But I am thinking of a slightly higher level than that.

If anyone has anything laid out like a process or similar, could you post it?

Thank you.

Mike
 
Sep 2, 2004
70
6
#2
I don't think that the forensics methodology varies a great deal from system to system. The key aspects that need to be kept in mind are:

1. Documentation is king. If you didn't document it, it didn't happen.
2. Follow a prescribed process... document the system and its surroundings. Examine the system, and make sure you can power it down. Document all connections and cables, as well as the contents of the screen. Shut down the system, then remove the case and examine/document the interior of the system prior to moving it.
3. Be careful.

Something else to consider is this... what about the volatile data on the system? Running processes, network connections, etc., can all offer very valuable information about the state of the system, and what happened.

H. Carvey
 

DataFrisk

New Member
Feb 22, 2005
6
0
#3
Another viewpoint

In my experience, having a written or established methodology can be dangerous. Having spent a good deal of time on the stand, it is difficult to clearly explain the liquidity of an investigation/analysis to a jury; they will only remember that you did not follow your own procedure.

Also, look at the first step in almost any case: unplug, or log off? I'll bet we could find very good and accurate arguments for both sides of this relatively simple "step"; I could even argue both sides depending on the situation.

I could not emphasize enough what was already said about documenting everything; I also take a lot of digital pictures. If you walked by, you would think the paparazzi were stalking the poor PC.

The one area I do have a "list" is for onsite acquisitions. It is more of a form to record serial numbers, asset tags, etc. That is only used when imaging onsite with an analysis to follow later. The imaging process is stable and only varies for me if I run into a SCSI I can't Logicube.

If you feel you need something to go by, think about making yourself a small "field manual" that would outline "considerations" for various situations.
 
Jun 12, 2005
3
0
#4
I think what information he is looking for is a guideline developed by persons that have been in the trenches. Not a step-by-step, but a general "if you are looking for this, check the following locations". He also is looking for a don't-forget list, a little reminder list of locations or items to always consider when looking for ?.. I have heard many techs say never have a list, but it would be nice to have a helpful "cheat sheet" to go back to for reference.

I would appreciate any ideas or pointers to put on such a list. If all are interested, add a few points, or helpful hints for hidden locations, or just "how could you forget to look here"s.

Thanks
Scott
 

Anonymous

Guest
#5
I know this is a pretty simplistic answer, but there are plenty of online articles on the internet and books written on the subject, probably too many to read!
 

Anonymous

Guest
#6
Are you referring to something along the lines of the ACPO Best Practice Guide for Computer Based Evidence (UK/Ireland), or perhaps the CTOSE (under analysis for the EU)... also, the Forensic Examination of Digital Evidence: Guide for Law Enforcement (US). Has anyone here applied the ACPO? If so, then what did they think of it, in particular the Evidence Recovery section?
 

Kamikazi

New Member
Aug 28, 2005
54
0
#7
Is everyone hashing files on drives now, before analysis, to eliminate known system files to get them out of the way, or to actually use hashing to locate known CP images, etc, to make the forensic analysis faster and more automated? If yes, then what tools are you using? EnCase, FTK, Paraben Sorter? Which has been most successful and easy to use? I was looking at the Paraben Sorter module and it looks good from the write up, but I have not used it yet!
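An added example (not from this thread or any of the tools named in it) of the known-file elimination the post asks about: every file under a directory is hashed and partitioned into files whose hash is in a known-good set and files that still need examination. The directory tree and the known-good set are constructed inline; a real workflow would load the set from a reference hash database.

```python
"""Hash-based elimination of known files (added example, constructed data)."""
import hashlib
import os
import tempfile


def hash_file(path, algorithm="md5", chunk_size=1 << 20):
    """Return the hex digest of a file, read in chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, known_hashes, algorithm="md5"):
    """Return (known, unknown): sorted relative paths split by the known-good hash set."""
    known, unknown = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            bucket = known if hash_file(full, algorithm) in known_hashes else unknown
            bucket.append(rel)
    return sorted(known), sorted(unknown)


def demo():
    """Build a constructed tree: two 'system' files in the known set, one file not in it."""
    root = tempfile.mkdtemp()
    contents = {
        "sys/kernel32.bin": b"known system file A (constructed)",
        "sys/ntdll.bin": b"known system file B (constructed)",
        "user/notes.txt": b"something the examiner has not seen before",
    }
    for rel, data in contents.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    # constructed known-good set: hashes of the two 'system' files only
    known = {hashlib.md5(contents[k]).hexdigest() for k in ("sys/kernel32.bin", "sys/ntdll.bin")}
    return triage(root, known)


if __name__ == "__main__":
    known_files, unknown_files = demo()
    print("set aside:", known_files)
    print("examine:", unknown_files)
```

The unknown list is what remains to examine once the known-good set has been subtracted; the known list is what the hashing step lets you skip.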
 
Sep 24, 2005
9
0
#8
Some Rules To Remember

Get to the scene fast

Secure the machine physically

Do not turn off a running machine

Disconnect from the network by pulling out the network cable

Change as little as possible (every key press and mouse click changes something)

Image volatile areas first (RAM, running processes, and not to the hard drive)

Document the scene with photographs

Do not try to image processor registers or on-board caches

Do not shut down a running machine

Using the incident response CD from efense.com/helix, image the drive to the forensic workstation

This CD has a Windows autorun, and is also a Linux boot CD with many forensic tools.

dcfldd calculates MD5 hash sums as it copies a drive. The program will not continue if there is a discrepancy.

Work from the image on the forensic workstation

Do not boot the image until you have finished all your analysis.

It is impossible to explain to a jury why your lack of following procedure doesn't matter in a certain instance. Document as well as you can.

Keep an open mind

Always have a backup plan

Treat everyone with respect

Make no assumptions

Just document

Let someone else decide what it all means.

Note:
If you use the Autopsy forensic browser on the Helix CD, it will log absolutely everything you do. You can print out the log. For instance: if you examined MFT entry 101 on an NTFS partition, there would be a log entry with the time, date, and verification that you viewed that specific MFT entry.

I'm going to post a dd/dcfldd tutorial to better explain imaging hard drives.
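An added example (not from this thread and not dcfldd itself) of the hash-while-imaging behaviour the post attributes to dcfldd: the source is hashed as it streams into the image, the finished image is hashed again, acquisition stops if the two differ, and the hash is written to a log beside the image so the image can be re-verified before analysis. It works on ordinary files so it runs offline; on a real acquisition the source would be the device under a write blocker.

```python
"""Hash-verified imaging with a re-verification step (added example, constructed data)."""
import hashlib
import os
import tempfile

CHUNK = 512 * 1024  # constructed block size for streaming


class ImageVerificationError(Exception):
    """Raised when the image hash does not match the hash computed during the copy."""


def stream_hash(path, sink=None, algorithm="md5"):
    """Hash a file chunk by chunk; if sink is given, also write each chunk to it."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
            if sink is not None:
                sink.write(chunk)
    return h.hexdigest()


def acquire(source_path, image_path, algorithm="md5"):
    """Copy source to image while hashing, verify the image, log the hash; return the hash."""
    with open(image_path, "wb") as dst:
        copy_hash = stream_hash(source_path, dst, algorithm)
    image_hash = stream_hash(image_path, algorithm=algorithm)
    if copy_hash != image_hash:          # mirrors dcfldd refusing to continue on a discrepancy
        raise ImageVerificationError(f"copy hash {copy_hash} != image hash {image_hash}")
    with open(image_path + ".md5", "w") as log:
        log.write(f"{copy_hash}  {os.path.basename(image_path)}\n")
    return copy_hash


def verify_image(image_path, algorithm="md5"):
    """Re-check an image against its logged hash before analysis; True if it still matches."""
    with open(image_path + ".md5") as log:
        expected = log.read().split()[0]
    return stream_hash(image_path, algorithm=algorithm) == expected


def demo():
    """Image a constructed 'evidence' file, then show the logged hash catches tampering."""
    workdir = tempfile.mkdtemp()
    src, img = os.path.join(workdir, "evidence.raw"), os.path.join(workdir, "evidence.dd")
    with open(src, "wb") as fh:
        fh.write(b"\x00" * 4096 + b"constructed partition data" + b"\xff" * 1000)
    digest = acquire(src, img)
    intact = verify_image(img)
    with open(img, "r+b") as fh:        # constructed tampering: flip one byte of the image
        fh.seek(4100); fh.write(b"X")
    return digest, intact, verify_image(img)
```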
 
