Forensic Computing Operational Procedures (p. 4)

8. Problems
- "Bleeding to death" scenario: I need an ambulance now at any cost
- Less is more; well, it costs more anyway
- A big problem when it is not there or easily retrievable

9. Pre-deployment
- Obtain as much information as you can pre-deployment, even if it is your client
- What type of case is it? Could affect the standard of evidence: e-discovery vs. forensics
- What is the client after, what evidence do they require? No point cloning the mail server if email is not involved
- Gather as much intel about what IT infrastructure

10. Pre-deployment
- Consider all possibilities with covert collections
- Have contingencies available
- Back-out plan
- Consider the masquerade

11. Packing to go
What to take:
- Labels
- Notebook
- Receipts / exhibit sheets
- Sketching material – floor plans
- Still and video camera
- Security
- Transport
- Gloves

12. Packing to go
- Torch
- Cables
- Toolkit
- Tech sheets

21. Onsite restrictions
- Make sure you have enough donor media
- Make sure it is cleansed
- Consider security as well, hostilities can be a problem
- Interference or even theft of evidence
- Logistics support in the event you may be there for a long time
- 16 hours can be a long time watching the grass grow on an empty stomach

22. Obtaining an accurate brief from the client
- Outcome: legal, dismissal, fishing expedition (covert enquiry), prevention
- Output: what do they need, or what is needed to obtain the outcome

23. Obtaining an accurate brief from the client
- What is needed to get the required data to provide this output
- What sources are required, does the client have access to them
- Get: dates, times, location

24.
- email addresses
- computer usage post incident
- who has had access (pre and post)
- usernames and passwords
- names of persons involved
- legal privilege, criminal, post action

25. The pre-analysis plan
- You may end up in a sausage factory: what flavour would you like?
- Horses for courses
- Sometimes you may need all of the following, sometimes one
- Every case is different; need to adjust to suit each case, and may need to adjust on the way as the scene changes

26. Investigation categories
Four main categories:
- Data movement
- Authentication of data
- System / user activity
- Content

27. Data movement
- Link files
- Last access dates (check for AV)
- Registry: USB, CD etc., MRU
- Webmail
- Browser history

28. Authentication of data
- OS metadata
- App metadata
- Datetime.cpl
- Link files
- MRU
- Temp files – data carve
- Lack of original files

29. User activity
- Registry: last log in
- Web history: email, banking, trading, hobbies/sports – cookie dates
- Other unrelated computer evidence such as door access, emails

30. User activity
- Data carve web pages
- Consider gaming interaction and logging
- Event files

31. Content
- Web history
- Web content
- Encrypted data
- Text
- Image data (scanned text)
- Email parsing
- Compressed/zip files
- Then keyword search (consider which to use, benefits and drawbacks)
- Live index

32. Conducting analysis
- Time is money in the outside world and the client won’t pay for time spent fishing for irrelevant information
- Browse the files and use your eyes; look through the trees and not at them, and look for things that are out of place
- Sort by last accessed, modified, created and look at other activity around the same time

33. Conducting analysis
- Look for methods to directly locate what you are looking for, but don’t shortcut so you miss the smoking gun
- Use the power of the tools and make them do the work, and limit what you have to look at
- Stick to your plan
- Stick to your knitting

34. Conducting analysis
- Email – then process the email
- Image files – then locate current and deleted image files
- User activity – look for who was using it, what and when, within minutes; check cookie times – good source of independent time assessment
- Can we really ever say who was or was not using the computer?

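As an added example (not from the slides) of the "sort by last accessed, modified, created and look at other activity around the same time" step, the cookie-time cross-check, and the data-movement category above: it builds one timeline from filesystem MAC times and cookie timestamps, pulls out everything within a few minutes of an anchor event, and flags files whose created time is later than their modified time, the usual sign on NTFS of a file copied in from elsewhere. All paths, hosts and times are constructed sample values.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample evidence, not from the slides: MAC times for files on
# two volumes and browser cookie timestamps recovered from the same machine.
FILES = [
    {"path": r"C:\Users\jsmith\Documents\tender.docx",
     "created": "2014-03-05 09:12:00", "modified": "2014-03-05 14:31:10",
     "accessed": "2014-03-05 14:35:42"},
    {"path": r"E:\tender.docx",  # hypothetical removable volume
     "created": "2014-03-05 14:36:05", "modified": "2014-03-05 14:31:10",
     "accessed": "2014-03-05 14:36:05"},
    {"path": r"C:\Users\jsmith\Desktop\notes.txt",
     "created": "2014-02-20 08:00:00", "modified": "2014-02-20 08:05:00",
     "accessed": "2014-03-01 10:00:00"},
]
COOKIES = [
    {"host": "webmail.example.net", "time": "2014-03-05 14:33:50"},
    {"host": "news.example.org", "time": "2014-03-02 19:02:11"},
]


def ts(s):
    return datetime.strptime(s, FMT)


def build_timeline(files, cookies):
    """Flatten every timestamp into (time, source, detail) and sort by time."""
    events = []
    for f in files:
        for kind in ("created", "modified", "accessed"):
            events.append((ts(f[kind]), "filesystem", f"{kind} {f['path']}"))
    for c in cookies:
        events.append((ts(c["time"]), "cookie", c["host"]))
    return sorted(events)


def activity_around(timeline, anchor, minutes=5):
    """Events within +/- minutes of the anchor time, in time order.
    Cookie events in the window give an independent check on the clock."""
    window = timedelta(minutes=minutes)
    a = ts(anchor)
    return [e for e in timeline if abs(e[0] - a) <= window]


def copy_indicators(files):
    """Created later than modified: NTFS keeps the source's modified time
    on a copy but stamps a fresh created time, so the file was copied in."""
    return [f["path"] for f in files if ts(f["created"]) > ts(f["modified"])]
```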
35. Case studies
- Tran Travel Agent Nth Syd Software Coy Yachting Architect Tainui Uncle Niece UNITEC
- Family cases – plane – apartment – dating sites
- Stolen laptop
- Breach of court order laptop

36. Questions?
Allan Watt
a.watt@elaw.com.au
(02) 9221 1366 Office
04 2356 7813 Mobile