Overview for forensics computing operational procedures

1. Forensic Computing Operational Procedures Allan Watt Dip Policing, BBS, PGDip Forensic, MSc (Hons), CFCE, CFE 5 August 2010

3. Attendance at execution orders

4. Obtaining an accurate brief from the client

5. The pre-analysis plan

6. Conducting analysis

8. Problems Forensic Computing Operational Procedures 4 Bleeding to death scenario I need an ambulance now at any cost Less is more, well is costs more anyway A big problem when it is not there or easily retrievable

9. Pre-deployment Forensic Computing Operational Procedures 5 Obtain as much information as you can pre-deployment, even if it is your client What type of case is it? Could affect the standard of evidence e.discoveryvse.forensics What is the client after, what evidence do they require? No point cloning the mail server if email is not involved Gather as much intel about what IT infrastructure

10. Predeployment Forensic Computing Operational Procedures 6 Consider all possibilities with covert collections Have contingences available Back out plan Consider the masquerade

11. Packing to go Forensic Computing Operational Procedures 7 What to take: Labels Notebook Receipts/ Exhibit sheets Sketching material – floor plans Still and video camera Security Transport Gloves

12. Packing to go Forensic Computing Operational Procedures 8 Torch Cables Toolkit Tech sheets

14. differing evidence for each approach

15. Remember cable configuration

16. Remember to get the internal clock times off all devices

17. Remember drive configuration

18. The RAID may not work

19. Remember to plug the drives back in

21. Onsite restrictions Forensic Computing Operational Procedures 11 Make sure you have enough donor media Make sure it is cleansed Consider security as well, hostilities can be a problem Interference or even theft of evidence Logistics support in the event you may be there for a long time 16 hours can be a long time watching the grass grow on an empty stomach

22. Obtaining an accurate brief from the client Forensic Computing Operational Procedures 12 Outcome legal dismissal fishing expedition (Covert enquiry) Prevention Output what do they need or what is needed to obtain the outcome

23. Obtaining an accurate brief from the client Forensic Computing Operational Procedures 13 What is needed to get the required data to provide this output What sources are required, does the client have access to them Get Dates Times location

24. Forensic Computing Operational Procedures 14 email addresses computer usage post incident who has had access, (pre and post) usernames and passwords names of persons involved legal privilege criminal post action

25. The pre-analysis plan Forensic Computing Operational Procedures 15 You may end up in a sausage factory What flavour would you like? Horses for courses Sometimes you may need all of the following sometimes one Every case is different need to adjust to suit each case and may need to adjust on the way as the scene changes

26. Investigations Categories Forensic Computing Operational Procedures 16 Four main categories Data movement Authentication of data System - User activity Content

27. Data movement Forensic Computing Operational Procedures 17 Link files last access dates(check for AV) Registry USB CD etc, MRU Webmail Browser history

28. Authentication of data Forensic Computing Operational Procedures 18 OS metadata app metadata Datetime.cpl link files MRU temp files – data carve lack of original files

29. User activity Forensic Computing Operational Procedures 19 Registry last log in web history email, banking, trading, hobbies/sports– cookie dates, other unrelated computer evidence such as door access emails

30. User activity Forensic Computing Operational Procedures 20 data carve web pages consider gaming interaction and logging event files

31. Content Forensic Computing Operational Procedures 21 web history web content encrypted data text image data (scanned text) email parsing compressed/zip files Then keyword search (consider which to use benefits and drawbacks) live index

32. Conducting analysis Forensic Computing Operational Procedures 22 Time is money in the outside world and the client won’t pay for time spent fishing for irrelevant information Browse the files and use your eyes, look through the trees and not at them and look for things that are out of place. Sort by, last accessed, Modified created and look at other activity around the same time

33. Conducting analysis Forensic Computing Operational Procedures 23 Look for methods to directly locate what you are looking for but don’t shortcut so you miss the smoking gun Use the power of the tools and make them do the work and limit what you have to look at Stick to your plan Stick to your knitting

34. Conducting analysis Forensic Computing Operational Procedures 24 Email – then process the email Image files then locate current and deleted image files User activity look for who was using it what and when within minutes check cookie times – good source of independent time assessment Can we really ever say who was or was not using the computer?

35. Case studies Forensic Computing Operational Procedures 25 Tran Travel Agent Nth Syd Software Coy Yachting Architect Tainui Uncle Niece UNITEC Family Cases – Plane – Apartment – Dating sites Stolen laptop Breach of court order laptop

36. Questions? Allan Watt a.watt@elaw.com.au (02) 9221 1366 Office 04 2356 7813 Mobile Forensic Computing Operational Procedures 26