Forensic Computing Operational Procedures
    Allan Watt
    Dip Policing, BBS, PGDip Forensic, MSc (Hons), CFCE, CFE
    5 August 2010

Overview
    • Pre-seizure, ensuring you are prepared for deployment
    • Attendance at execution orders
    • Obtaining an accurate brief from the client
    • The pre-analysis plan
    • Conducting analysis
    • Case studies

Pre-seizure, ensuring you are prepared for deployment
    It's about criminal work, but also a lot about civil; crime is only about 30%
    In civil matters you must know what the client wants
    What they want to spend
    What they want as output (report, affidavit etc.)
    If they don't get it they may not pay the bill
    Need to communicate constantly

Problems
    Bleeding-to-death scenario: "I need an ambulance now, at any cost"
    Less is more; well, it costs more anyway
    A big problem when the evidence is not there, or is not easily retrievable

Pre-deployment
    Obtain as much information as you can pre-deployment, even when the source is your own client
    What type of case is it?
        Could affect the standard of evidence required
        e-discovery vs forensics
    What is the client after; what evidence do they require?
        No point cloning the mail server if email is not involved
    Gather as much intelligence as you can about the IT infrastructure

Pre-deployment (continued)
    Consider all possibilities with covert collections
    Have contingencies available
    Back-out plan
    Consider the masquerade

Packing to go
    What to take:
    Labels
    Notebook
    Receipts/ Exhibit sheets
    Sketching material – floor plans
    Still and video camera
    Security
    Transport
    Gloves
    Torch
    Cables
    Toolkit
    Tech sheets

Attendance at execution orders
    • Decide whether to pull the plug or shut down
    • Each approach preserves, and loses, different evidence
    • Remember cable configuration
    • Remember to get the internal clock times off all devices
    • Remember drive configuration
    • The RAID may not work
    • Remember to plug the drives back in
    • It may sound stupid but it happens

What to do when collection is restricted to onsite
    Ensure you take:
    sufficient equipment
    Technology
    Knowledge
    Correct peripherals and blockers
    Don’t turn up with a bulldozer when you need a teaspoon
    With civil orders, the client still has a life to live and a business to run

Onsite restrictions
    Make sure you have enough donor media
    Make sure it is cleansed
    Consider security as well; hostility can be a problem, including interference with or even theft of evidence
    Logistics support in the event you may be there for a long time
    16 hours can be a long time watching the grass grow on an empty stomach
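Cleansed donor media is something you can demonstrate rather than assert. The following Python is an added example, not code from the presentation or from Allan Watt: it reads the whole target, reports the offset of the first non-zero byte if there is one, and records a SHA-256 digest for the exhibit notes. The target is a path (a raw device node such as /dev/sdb reads the same way given the right privileges); the two sample "media" files it checks are constructed in a temporary directory so the script runs offline.

```python
"""Verify that donor (destination) media is cleansed before it is used.

Added example; not code from the presentation. The target is a path: a raw
device node such as /dev/sdb is read the same way given the right privileges.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads so a large disk never has to fit in memory


def verify_zeroed(path, chunk=CHUNK):
    """Read the whole target; confirm every byte is 0x00; hash it.

    Returns a clean flag, the offset of the first non-zero byte (None if
    clean), the bytes read, and a SHA-256 digest to record in the exhibit notes.
    """
    zero_block = bytes(chunk)
    first_dirty = None
    size = 0
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            digest.update(buf)
            if first_dirty is None and buf != zero_block[:len(buf)]:
                # Pin down the exact first non-zero byte inside this block.
                first_dirty = size + next(i for i, b in enumerate(buf) if b)
            size += len(buf)
    return {
        "clean": first_dirty is None,
        "first_nonzero_offset": first_dirty,
        "bytes": size,
        "sha256": digest.hexdigest(),
    }


def make_sample(directory, name, size, dirty_at=None):
    """Constructed sample media: all zeros, optionally one stray 0xFF byte."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(bytes(size))
        if dirty_at is not None:
            fh.seek(dirty_at)
            fh.write(b"\xff")
    return path


def demo():
    """Check one properly wiped sample and one reused, unwiped sample."""
    with tempfile.TemporaryDirectory() as tmp:
        size = 3 * CHUNK + 17
        clean = make_sample(tmp, "donor_clean.img", size)
        reused = make_sample(tmp, "donor_reused.img", size, dirty_at=2 * CHUNK + 5)
        return verify_zeroed(clean), verify_zeroed(reused)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The reused sample differs from a wiped one by a single byte in the third mebibyte; a spot check of the first few sectors would have passed it, which is why the whole target is read. The digest of the clean media is what you note alongside its serial number before it leaves the lab.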

Obtaining an accurate brief from the client
    Outcome
        legal
        dismissal
        fishing expedition (covert enquiry)
        prevention
    Output
        what do they need, or
        what is needed to obtain the outcome
    What is needed to get the required data to provide this output?
    What sources are required, and does the client have access to them?
    Get:
        dates
        times
        location
        email addresses
        computer usage post incident
        who has had access (pre and post incident)
        usernames and passwords
        names of persons involved
        legal privilege
        criminal post action

The pre-analysis plan
    You may end up in a sausage factory: what flavour would you like?
    Horses for courses
    Sometimes you may need all of the following, sometimes only one
    Every case is different; adjust to suit each case, and be ready to adjust along the way as the scene changes

Investigation categories
    Four main categories
    Data movement
    Authentication of data
    System - User activity
    Content

Data movement
    Link files
    Last access dates (check whether antivirus scanning has updated them)
    Registry
    USB, CD etc.
    MRU
    Webmail
    Browser history

Authentication of data
    OS metadata
    app metadata
    Datetime.cpl
    link files
    MRU
    temp files – data carve
    lack of original files

User activity
    Registry
    last log in
    web history
    email, banking, trading, hobbies/sports
    cookie dates
    other unrelated computer evidence such as door access
    emails
    data carve web pages
    consider gaming interaction and logging
    event files

Content
    web history
    web content
    encrypted data
    text image data (scanned text)
    email parsing
    compressed/zip files
    Then keyword search (consider which to use, with the benefits and drawbacks of each):
        live
        index
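The live-versus-index choice above is easiest to see on bytes. The Python below is an added example, not code from the presentation: SAMPLE_IMAGE is a constructed fragment of an image containing an ASCII string, some binary filler and a UTF-16LE string of the kind Windows writes into the registry and many document formats. The live search scans every byte for the keyword in both encodings; the index is built once over whole ASCII tokens and is instant to query afterwards, but it cannot see the UTF-16LE hit or a keyword that is only a substring of a longer token.

```python
"""Keyword search over a raw image: live search versus an index.

Added example; not code from the presentation. SAMPLE_IMAGE is constructed:
an ASCII fragment, binary filler and a UTF-16LE string of the kind Windows
stores in the registry and many document formats.
"""
import re

SAMPLE_IMAGE = (
    b"Invoice 4471 sent to acme-holdings\x00\x00"                 # 'acme' at offset 21
    + bytes(range(64))                                             # binary filler
    + "Backup of ACME ledger copied to E:\\".encode("utf-16-le")  # 'ACME' at byte 120
    + b"\xff" * 32
)

# Whole runs of three or more ASCII letters/digits become index tokens.
TOKEN = re.compile(rb"[A-Za-z0-9]{3,}")


def live_search(data, keyword, encodings=("ascii", "utf-16-le")):
    """Scan every byte for the keyword in each encoding, case-insensitively.

    Returns sorted (offset, encoding) pairs. Costs a full pass per keyword,
    but sees slack space, unallocated clusters and fragments that never
    formed a whole token.
    """
    hits = []
    for encoding in encodings:
        pattern = re.compile(re.escape(keyword.encode(encoding)), re.IGNORECASE)
        hits.extend((m.start(), encoding) for m in pattern.finditer(data))
    return sorted(hits)


def build_index(data):
    """One pass: map each lower-cased ASCII token to the offsets it occurs at.

    Queries are then instant, but the index only knows whole ASCII tokens:
    UTF-16LE text and keywords that are substrings of a longer token are
    invisible to it.
    """
    index = {}
    for m in TOKEN.finditer(data):
        index.setdefault(m.group().lower(), []).append(m.start())
    return index


def index_search(index, keyword):
    """Look the keyword up as a whole token."""
    return index.get(keyword.lower().encode("ascii"), [])


def compare(keyword, data=SAMPLE_IMAGE):
    """Run both methods for one keyword so the gaps in the index are visible."""
    return {"live": live_search(data, keyword),
            "index": index_search(build_index(data), keyword)}


if __name__ == "__main__":
    for kw in ("acme", "hold", "holdings"):
        print(kw, compare(kw))
```

On this input "acme" is found twice live (offsets 21 and 120) but once via the index; "hold" is found live inside "acme-holdings" but not at all via the index. In practice the index is built once per image and used for the many routine queries, with a live search reserved for the handful of keywords that must not be missed, run across every encoding the system could have written.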

Conducting analysis
    Time is money in the outside world, and the client won't pay for time spent fishing for irrelevant information
    Browse the files and use your eyes: look through the trees, not at them, and look for things that are out of place
    Sort by last accessed, modified and created, and look at other activity around the same time
    Look for methods to directly locate what you are looking for but don’t shortcut so you miss the smoking gun
    Use the power of the tools and make them do the work and limit what you have to look at
    Stick to your plan
    Stick to your knitting
    Email: then process the email
    Image files: then locate current and deleted image files
    User activity: look for who was using it, what, and when, to within minutes
    Check cookie times: a good source of independent time assessment
    Can we really ever say who was or was not using the computer?
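Two of the points above only pay off together: the internal clock times taken off each device at seizure, and the "look at other activity around the same time" step, where the anchor is an independent source such as a door-access log. The Python below is an added example, not code from the presentation or from Allan Watt. The seizure note, the file MAC times and the badge-in time are all constructed. The offset is measured as reference clock minus device clock at the moment of seizure and added to every timestamp read from the image before the timeline is built, and the same window query is run with and without the correction to show how much difference a few minutes of clock error makes.

```python
"""Correct device timestamps for clock error, then window a timeline.

Added example; not code from the presentation. All records are constructed.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def parse(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' (the form used in these notes) as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)


# Seizure note (constructed): the device's internal clock photographed beside
# a reference clock at the same instant.
DEVICE_CLOCK_AT_SEIZURE = "2010-08-05 14:03:10"
REFERENCE_CLOCK_AT_SEIZURE = "2010-08-05 14:10:40"

# Constructed MAC times as read from the image, in the device's own clock:
# (path, created, modified, accessed)
FILES = [
    ("C:\\Users\\jsmith\\Documents\\ledger.xls",
     "2010-07-12 09:15:00", "2010-08-05 13:58:00", "2010-08-05 13:58:00"),
    ("C:\\Users\\jsmith\\Recent\\ledger.xls.lnk",
     "2010-08-05 13:59:20", "2010-08-05 13:59:20", "2010-08-05 13:59:20"),
    ("C:\\Users\\jsmith\\AppData\\Local\\Temp\\~WRL0001.tmp",
     "2010-08-05 13:57:40", "2010-08-05 13:57:55", "2010-08-05 13:57:55"),
    ("C:\\Users\\jsmith\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\news.htm",
     "2010-08-05 11:59:30", "2010-08-05 11:59:30", "2010-08-05 12:00:00"),
]


def clock_offset_seconds(device_clock, reference_clock):
    """Seconds to ADD to a device timestamp to obtain reference (true) time."""
    return int((parse(reference_clock) - parse(device_clock)).total_seconds())


def build_timeline(files, offset_seconds):
    """Flatten MAC times into one sorted list of (true_time, event, path)."""
    delta = timedelta(seconds=offset_seconds)
    events = []
    for path, created, modified, accessed in files:
        for event, ts in (("created", created), ("modified", modified), ("accessed", accessed)):
            true_time = parse(ts) + delta
            events.append((true_time.strftime("%Y-%m-%d %H:%M:%S"), event, path))
    return sorted(events)


def events_around(timeline, anchor, window_minutes=5):
    """Events whose corrected time lies within +/- window of an anchor that is
    already in reference time (here a door-access log entry)."""
    centre = parse(anchor)
    window = timedelta(minutes=window_minutes)
    return [e for e in timeline if abs(parse(e[0]) - centre) <= window]


def demo():
    """Same query with and without the clock correction applied."""
    offset = clock_offset_seconds(DEVICE_CLOCK_AT_SEIZURE, REFERENCE_CLOCK_AT_SEIZURE)
    # Door-access log (constructed, independent reference time): badge-in at 14:06:00.
    anchor = "2010-08-05 14:06:00"
    return {
        "offset_seconds": offset,
        "hits_corrected": events_around(build_timeline(FILES, offset), anchor),
        "hits_uncorrected": events_around(build_timeline(FILES, 0), anchor),
    }


if __name__ == "__main__":
    result = demo()
    print("offset (s):", result["offset_seconds"])
    for e in result["hits_corrected"]:
        print(*e)
    print("uncorrected hits:", len(result["hits_uncorrected"]))
```

With the device running seven and a half minutes slow, the spreadsheet edit, its temporary file and the link file all land within a minute of the badge-in once corrected, and none of them do if the raw timestamps are used. Record the offset per device; each machine at a scene has its own.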

Case studies
    Tran
    Travel Agent
    Nth Syd Software Coy
    Yachting Architect
    Tainui
    Uncle Niece
    UNITEC
    Family Cases – Plane – Apartment – Dating sites
    Stolen laptop
    Breach of court order laptop

Questions?
    Allan Watt
    a.watt@elaw.com.au
    (02) 9221 1366 Office
    04 2356 7813 Mobile