Forensics computing operational procedures
Overview for forensics computing operational procedures
Transcript of "Forensics computing operational procedures"

Slide 1
Forensic Computing Operational Procedures
Allan Watt
Dip Policing, BBS, PGDip Forensic, MSc (Hons), CFCE, CFE
5 August 2010
Slide 2: Overview
  • Pre-seizure, ensuring you are prepared for deployment
  • Attendance at execution orders
  • Obtaining an accurate brief from the client
  • The pre-analysis plan
  • Conducting analysis
  • Case studies

Slide 3: Pre-seizure, ensuring you are prepared for deployment
  • It's about Criminal, but also a lot about Civil
  • Crime is only about 30%
  • In Civil you must know what the client wants
  • What they want to spend
  • What they want as far as output (report, affidavit etc.)
  • If they don't get it they may not pay the bill
  • Need to communicate constantly
Slide 4: Problems
  • Bleeding to death scenario
  • I need an ambulance now at any cost
  • Less is more; well, it costs more anyway
  • A big problem when it is not there or not easily retrievable
Slide 5: Pre-deployment
  • Obtain as much information as you can pre-deployment, even if it is your client
  • What type of case is it?
  • Could affect the standard of evidence
  • e.discovery vs e.forensics
  • What is the client after, what evidence do they require?
  • No point cloning the mail server if email is not involved
  • Gather as much intel as you can about the IT infrastructure
Slide 6: Pre-deployment
  • Consider all possibilities with covert collections
  • Have contingencies available
  • Back-out plan
  • Consider the masquerade
Slide 7: Packing to go
What to take:
  • Labels
  • Notebook
  • Receipts / exhibit sheets
  • Sketching material (floor plans)
  • Still and video camera
  • Security
  • Transport
  • Gloves
Slide 8: Packing to go
  • Torch
  • Cables
  • Toolkit
  • Tech sheets
Slide 9
  • Decide whether to pull the plug or shut down
      differing evidence for each approach
  • Remember cable configuration
  • Remember to get the internal clock times off all devices
  • Remember drive configuration
      the RAID may not work
  • Remember to plug the drives back in
      it may sound stupid, but it happens

Slide 10: What to do when collection is restricted to onsite
Ensure you take:
  • sufficient equipment
  • technology
  • knowledge
  • correct peripherals and write blockers
Don't turn up with a bulldozer when you need a teaspoon
With civil orders, the client still has a life to live and a business to run
Slide 11: Onsite restrictions
  • Make sure you have enough donor media
  • Make sure it is cleansed
  • Consider security as well; hostilities can be a problem
  • Interference with, or even theft of, evidence
  • Logistics support in the event you may be there for a long time
  • 16 hours can be a long time watching the grass grow on an empty stomach
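A check for the "make sure it is cleansed" point, added here as an example and not part of the slides: before imaging onto donor media, confirm the device (or its image file) contains only zero bytes and record a hash of that state on the exhibit sheet. The sample bytes are constructed; the device path in `verify_device` is whatever the donor drive appears as on the acquisition machine.

```python
"""Added example (not from the slides): confirm donor media is cleansed.

Verify that the donor device (or its image file) holds only zero bytes and
record a hash of that state on the exhibit sheet. Chunked reads keep memory
flat on large media. The sample bytes below are constructed.
"""
import hashlib
import io

CHUNK = 1024 * 1024  # 1 MiB per read


def verify_cleansed(stream, chunk_size=CHUNK):
    """Return (is_zeroed, first_nonzero_offset, sha256_hex) for a readable stream.

    first_nonzero_offset is None when every byte is zero.
    """
    digest = hashlib.sha256()
    zero_block = b""
    offset = 0
    first_bad = None
    while True:
        buf = stream.read(chunk_size)
        if not buf:
            break
        digest.update(buf)
        if first_bad is None:
            # Fast path: compare with an all-zero block of equal length and
            # fall back to a byte scan only when the chunk differs.
            if len(zero_block) != len(buf):
                zero_block = bytes(len(buf))
            if buf != zero_block:
                first_bad = offset + next(i for i, b in enumerate(buf) if b)
        offset += len(buf)
    return first_bad is None, first_bad, digest.hexdigest()


def verify_bytes(data, chunk_size=CHUNK):
    """Wrapper for in-memory data (used by the demo below)."""
    return verify_cleansed(io.BytesIO(data), chunk_size)


def verify_device(path, chunk_size=CHUNK):
    """Open a block device or image file read-only and verify it."""
    with open(path, "rb") as fh:
        return verify_cleansed(fh, chunk_size)


if __name__ == "__main__":
    # Constructed sample: 3 MiB of zeros with one stray byte at 2 MiB + 17.
    sample = bytearray(3 * CHUNK)
    sample[2 * CHUNK + 17] = 0x41
    print(verify_bytes(bytes(sample)))
```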
Slide 12: Obtaining an accurate brief from the client
Outcome
  • legal
  • dismissal
  • fishing expedition (covert enquiry)
  • prevention
Output
  • what do they need, or
  • what is needed to obtain the outcome
Slide 13: Obtaining an accurate brief from the client
  • What is needed to get the required data to provide this output
  • What sources are required, and does the client have access to them
  • Get:
      dates
      times
      location
Slide 14
      email addresses
      computer usage post incident
      who has had access (pre and post)
      usernames and passwords
      names of persons involved
      legal privilege
      criminal post action
Slide 15: The pre-analysis plan
  • You may end up in a sausage factory
  • What flavour would you like?
  • Horses for courses
  • Sometimes you may need all of the following, sometimes only one
  • Every case is different: you need to adjust to suit each case, and may need to adjust on the way as the scene changes
Slide 16: Investigation Categories
Four main categories:
  • Data movement
  • Authentication of data
  • System / user activity
  • Content
Slide 17: Data movement
  • Link files
  • Last access dates (check whether antivirus scanning has updated them)
  • Registry
  • USB, CD etc.
  • MRU
  • Webmail
  • Browser history
Slide 18: Authentication of data
  • OS metadata
  • Application metadata
  • Datetime.cpl
  • Link files
  • MRU
  • Temp files (data carve)
  • Lack of original files
Slide 19: User activity
  • Registry
  • Last log in
  • Web history
  • Email, banking, trading, hobbies/sports
  • Cookie dates
  • Other unrelated computer evidence such as door access
  • Emails
Slide 20: User activity
  • Data carve web pages
  • Consider gaming interaction and logging
  • Event files
Slide 21: Content
  • Web history
  • Web content
  • Encrypted data
  • Text image data (scanned text)
  • Email parsing
  • Compressed/zip files
  • Then keyword search (consider which to use, with the benefits and drawbacks of each):
      live
      index
Slide 22: Conducting analysis
  • Time is money in the outside world, and the client won't pay for time spent fishing for irrelevant information
  • Browse the files and use your eyes; look through the trees, not at them, and look for things that are out of place
  • Sort by:
      last accessed
      modified
      created
    and look at other activity around the same time
Slide 23: Conducting analysis
  • Look for methods to directly locate what you are looking for, but don't shortcut so that you miss the smoking gun
  • Use the power of the tools, make them do the work, and limit what you have to look at
  • Stick to your plan
  • Stick to your knitting
Slide 24: Conducting analysis
  • Email: then process the email
  • Image files: then locate current and deleted image files
  • User activity: look for who was using it, what, and when, within minutes
  • Check cookie times: a good source of independent time assessment
  • Can we really ever say who was or was not using the computer?
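Slides 9, 22 and 24 together describe one workflow: note the device clock offset at seizure, sort files by last accessed / modified / created, take a cookie time as an independent reference, and look at other activity within minutes of it. The following is an added example of that pivot, not code from the slides; the record layout, the 7-minute clock offset, the cookie time and the file entries are all constructed.

```python
"""Added example (not from the slides): pivot a file timeline around an
independent time reference, after correcting for the seized device's clock.
"""
from datetime import datetime, timedelta

# Device clock minus reference clock, noted at seizure (slide 9). The seized
# machine ran 7 minutes fast, so its timestamps are moved back 7 minutes.
DEVICE_CLOCK_OFFSET_MIN = 7

# Webmail cookie time used as the independent reference (slide 24). Constructed.
COOKIE_TIME = "2010-08-05T14:25:30"

# (path, created, modified, accessed) as read from the seized disk. Constructed.
FILES = [
    ("Documents/tender.docx", "2010-08-05T09:10:00", "2010-08-05T14:31:00", "2010-08-05T14:31:00"),
    ("Recent/E_tender.docx.lnk", "2010-08-05T14:33:10", "2010-08-05T14:33:10", "2010-08-05T14:33:10"),
    ("Pictures/holiday.jpg", "2010-07-20T18:00:00", "2010-07-20T18:00:00", "2010-08-05T11:05:00"),
    ("Windows/System32/drivers/usbstor.sys", "2009-07-14T01:13:00", "2009-07-14T01:13:00", "2010-08-05T14:32:40"),
]


def corrected(ts, offset_min=DEVICE_CLOCK_OFFSET_MIN):
    """Convert a device timestamp to reference time by removing the clock offset."""
    return datetime.fromisoformat(ts) - timedelta(minutes=offset_min)


def sorted_by(files, field, offset_min=DEVICE_CLOCK_OFFSET_MIN):
    """Timeline of (corrected time, path) ordered by created/modified/accessed (slide 22)."""
    idx = {"created": 1, "modified": 2, "accessed": 3}[field]
    return sorted((corrected(f[idx], offset_min).isoformat(), f[0]) for f in files)


def around(files, anchor, minutes=5, offset_min=DEVICE_CLOCK_OFFSET_MIN):
    """All (corrected time, action, path) within +/- minutes of the anchor (slide 24)."""
    pivot = datetime.fromisoformat(anchor)
    window = timedelta(minutes=minutes)
    hits = []
    for path, c, m, a in files:
        for action, ts in (("created", c), ("modified", m), ("accessed", a)):
            t = corrected(ts, offset_min)
            if abs(t - pivot) <= window:
                hits.append((t.isoformat(), action, path))
    return sorted(hits)


if __name__ == "__main__":
    for hit in around(FILES, COOKIE_TIME):
        print(*hit)
    # Ignoring the recorded clock offset makes the same window miss everything.
    print(len(around(FILES, COOKIE_TIME, offset_min=0)), "hits if the offset is ignored")
```

With the offset applied, the document, its link file and the USB storage driver all fall within five minutes of the cookie time; with the offset ignored, none of them do.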
Slide 25: Case studies
  • Tran
  • Travel Agent
  • Nth Syd Software Coy
  • Yachting Architect
  • Tainui
  • Uncle Niece
  • UNITEC
  • Family cases: plane, apartment, dating sites
  • Stolen laptop
  • Breach of court order laptop
Slide 26: Questions?
Allan Watt
a.watt@elaw.com.au
(02) 9221 1366 Office
04 2356 7813 Mobile