Help to set up computer forensic investigation team


anuar653

New Member
May 31, 2017
#1
Hi

I have got some trouble in my workplace right now. I'm working in the administrative department of a private hospital. There was one major incident involving data theft and unauthorized disclosure of sensitive information that caused a lawsuit, which cost my hospital a lot of money. We know that the culprit behind this incident is one of our staff, but we do not have evidence to pinpoint who has done it. The culprit breached our server and stole that information.

Due to that incident, my hospital wants to set up a digital forensic investigation team to ensure that similar cases do not happen again in the future. I have zero knowledge of the digital forensic investigation process, therefore I would like to ask for solutions on:
1) What I need to do first to set up this investigation team
2) Is there any best practice regarding the digital forensic investigation process that I can follow?
3) Job descriptions for this team
4) Any tools that this team can use
5) Other input that might help me

I hope for a response from all of you regarding this issue; maybe your ideas, comments and solutions can solve my case.
Thank you
 

john9989

New Member
May 31, 2017
#2
We seem to get a post about "How do I get into computer forensics?" every day and no one seems to look at the previous posts, so I'm going to summarize the options when it comes to Certifications and Training...

Online training is always an option! Especially the CCE bootcamp. You can take it either from ISFCE's website (cftco.com) or from Kennesaw State University at kennesaw.edu/coned/sci/index.htm

Or if on a Linux platform, have them check out ftp.hq.nasa.gov/pub/ig/ccd/linuxintro/ - a Law Enforcement introductory guide to forensics with Linux. Written by Barry Grundy of NASA (yes, the space people).

Continuing on the Linux platform they could try Autopsy (a free forensic web browser front end for The Sleuth Kit) - both available for free at sleuthkit.org/

There are also a number of good PDF intros to forensics out there, such as:

CERT First Responder Guide to Computer Forensics available at sei.cmu.edu/publications/documents/05.reports/05hb001.html

CERT First Responder Guide to Computer Forensics - Advanced available at cert.org/archive/pdf/05hb003.pdf

Investigations involving the Internet by NIJ available at ncjrs.gov/pdffiles1/nij/210798.pdf

National High Tech Crime Unit (UK) computer forensic guide available at devon-cornwall.police.uk/v3/pdfstore/ElecEvid.pdf

And then you have sites like forensicswiki.org/ Note the "s" at the end of forensic otherwise you end up at the wrong site.

And sites from people like Dan MARES (http://www.maresware.com/) and Paul SANDERSON (sandersonforensics.com/) who both offer free tools along with paid ones, and both have a plethora of links to other resources.

Personally I would not recommend them to jump into Brian Carrier's book as an intro into the world of forensics. It's an excellent resource for filesystems. But it may be a bit much for someone looking to get their feet wet.

With all of the above it's plenty to get someone introduced to the world of computer forensics. Some of the PDFs may be slightly dated.

But even so the principles will generally still be applicable.

Certifications

Civilian Certs....

CISSP - isc2.org

GCFA - giac.org/certifications/security/gcfa.php

CCE - certified-computer-examiner.com/

CCFT - htcn.org/cert.htm

EnCE - guidancesoftware.com/training/ence/index.asp

ACE - accessdata.com

Law Enforcement / Government only Certs....

CFCE - cops.org

CEECS - cops.org
 
Jun 12, 2017
#3
anuar653 said: (quoting post #1 above)
Hi
To set up an investigation team, one of the considerations your company needs to think about is setting up an electronic evidence forensic lab. This is to analyze the findings. If your company decides to outsource, then it should be no problem. But if you decide to have your own forensic laboratory, there are several parts that make up a forensics laboratory:

Physical requirement
- Physical floor space will be dictated by the size of the group that will occupy it.
- The space should be in a secure location or contain appropriate measures that will stop unauthorized access to the premises
- The seized equipment, as well as official certified evidentiary copies of seized data, will be stored in this vault, with appropriate enforced sign-out/in procedures
- There also needs to be adequate lockable storage space for various specialized equipment

Hardware requirement
- A number of computers are required, including a network server with large storage capacity
- This server will be used to manage, document and administer cases, store various software tools, and manage one-off specialist hardware.
- The hardware that must be managed will include, for example, devices like Rimage CD production units, CopyPro floppy disk readers, printers, etc. The evidentiary copy of seized data is usually written to CD or DVD and, because of the large capacity of current hard drives, this can be a time-consuming process. The Rimage, and other units like it, make it possible to create,
- Portable acquisition computers (the kit) will be required. Ideally, each should be configured identically with the standard forensics suite of tools and removable hard drives (the same standard hard drives as above) of various capacities. Each kit should have a robust carrying case that can accommodate extra hard drives, an array of associated connection plugs and converters, and a hard drive write blocker such as FastBlock.

Software requirement
- The standard forensics software packages, such as EnCase, Forensic Tool Kit, Password Recovery Tool Kit, etc.
- However, the software tools that are used comprise a far wider range than just those above. Many are freeware and many are not. No single tool performs the entire job of forensics acquisition, analysis and reporting, so we tend to use the right tool for the right task

Procedural requirement
- Methods and procedures are an important part of operating a successful forensics laboratory.
- The main issues that can be and usually are attacked when evidence is presented in a court of law are credentials and methodology.
- Close attention must be paid to strictly following and documenting the methodology formally adopted by the lab in the acquisition, analysis and reporting processes.
Hope this will help. Cheers!
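Two of the lab requirements above, certified evidentiary copies and enforced, documented sign-out/in handling, as an added Python example (not code from this thread or from any tool it names): it hashes a seized image and its copy in chunks and keeps a hash-chained custody log, so both a copy that differs from the source and a log entry altered after the fact are detected. Exhibit ids, examiner names and the image bytes are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

def hash_image(data, chunk_size=1 << 20):
    """SHA-256 a bytes-like image (e.g. an mmap of the image file) in chunks,
    so a multi-terabyte acquisition never has to sit in RAM at once."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()

def verify_copy(source, copy):
    """Hash the seized medium and its copy independently; return (match, hashes)."""
    hashes = {"source": hash_image(source), "copy": hash_image(copy)}
    return hashes["source"] == hashes["copy"], hashes

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only sign-in/out record; each entry embeds the previous entry's hash,
    so an altered, deleted or inserted entry is detectable at audit time."""

    def __init__(self):
        self.entries = []

    def record(self, exhibit, action, examiner, hashes, note=""):
        entry = {"exhibit": exhibit, "action": action, "examiner": examiner,
                 "timestamp": datetime.now(timezone.utc).isoformat(),
                 "hashes": hashes, "note": note,
                 "previous": self.entries[-1]["entry_hash"] if self.entries else "0" * 64}
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def is_intact(self):
        """Recompute every digest and back-link; False if any entry was tampered with."""
        previous = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["previous"] != previous or _digest(body) != entry["entry_hash"]:
                return False
            previous = entry["entry_hash"]
        return True

# Constructed sample data (not a real exhibit): a tiny "image" and a copy with one flipped byte.
SOURCE_IMAGE = bytes(range(256)) * 16
BAD_COPY = SOURCE_IMAGE[:100] + b"\xff" + SOURCE_IMAGE[101:]
```

In practice the log would be written to append-only storage and the hashes recorded on the evidence bag label as well, so the paper and electronic records can be cross-checked in court.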
 
