elaw.com.au
Forensic Computing Operational Procedures
Allan Watt, Dip Policing, BBS, PGDip Forensic, MSc (Hons), CFCE, CFE
5 August 2010
Overview
– Pre-seizure, ensuring you are prepared for deployment
– Attendance at execution of orders
– Obtaining an accurate brief from the client
– The pre-analysis plan
– Conducting analysis
– Case studies
Pre-seizure, ensuring you are prepared for deployment
• It’s about criminal work, but also a lot about civil work
• Crime is only about 30%
• In civil work you must know what the client wants
• What they want to spend
• What they want as output (report, affidavit, etc.)
• If they don’t get it they may not pay the bill
• Need to communicate constantly
Problems
• Bleeding to death scenario
• I need an ambulance now at any cost
• Less is more; well, it costs more anyway
• A big problem when it is not there or easily retrievable
Pre-deployment
• Obtain as much information as you can pre-deployment, even if it is your client
• What type of case is it?
• Could affect the standard of evidence
• e-discovery vs e-forensics
• What is the client after, what evidence do they require?
• No point cloning the mail server if email is not involved
• Gather as much intel as you can about the IT infrastructure
Pre-deployment
• Consider all possibilities with covert collections
• Have contingencies available
• Back out plan
• Consider the masquerade
Packing to go
• What to take:
• Labels
• Notebook
• Receipts / exhibit sheets
• Sketching material – floor plans
• Still and video camera
• Security
• Transport
• Gloves
Packing to go
• Torch
• Cables
• Toolkit
• Tech sheets
• Decide whether to pull the plug or shut down
• differing evidence for each approach
• Remember cable configuration
• Remember to get the internal clock times off all devices
• Remember drive configuration
• The RAID may not work
• Remember to plug the drives back in
• It may sound stupid but it happens
What to do when collection is restricted to onsite
• Ensure you take:
• sufficient equipment
• Technology
• Knowledge
• Correct peripherals and blockers
• Don’t turn up with a bulldozer when you need a teaspoon
• With civil orders, the client still has a life to live and a business to run
Onsite restrictions
• Make sure you have enough donor media
• Make sure it is cleansed
• Consider security as well; hostilities can be a problem
• Interference or even theft of evidence
• Logistics support in the event you may be there for a long time
• 16 hours can be a long time watching the grass grow on an empty stomach
Obtaining an accurate brief from the client
• Outcome
• legal
• dismissal
• fishing expedition (covert enquiry)
• Prevention
• Output
• what do they need or
• what is needed to obtain the outcome
Obtaining an accurate brief from the client
• What is needed to get the required data to provide this output
• What sources are required, and does the client have access to them
• Get
• Dates
• Times
• Location
• Email addresses
• Computer usage post incident
• Who has had access (pre and post)
• Usernames and passwords
• Names of persons involved
• Legal privilege
• Criminal post action
The pre-analysis plan
• You may end up in a sausage factory
• What flavour would you like?
• Horses for courses
• Sometimes you may need all of the following, sometimes only one
• Every case is different; you need to adjust to suit each case, and may need to adjust on the way as the scene changes
Investigation Categories
• Four main categories
• Data movement
• Authentication of data
• System - User activity
• Content
Data movement
• Link files
• last access dates (check for AV scanning)
• Registry
• USB, CD etc.
• MRU
• Webmail
• Browser history
Authentication of data
• OS metadata
• app metadata
• Datetime.cpl
• link files
• MRU
• temp files – data carve
• lack of original files
User activity
• Registry
• last log in
• web history
• email, banking, trading, hobbies/sports
• cookie dates
• other unrelated computer evidence such as door access
• emails
User activity
• data carve web pages
• consider gaming interaction and logging
• event files
Content
• web history
• web content
• encrypted data
• text image data (scanned text)
• email parsing
• compressed/zip files
• Then keyword search (consider which to use; each has benefits and drawbacks)
• live
• index
Conducting analysis
• Time is money in the outside world and the client won’t pay for time spent fishing for irrelevant information
• Browse the files and use your eyes, look through the trees and not at them and look for things that are out of place.
• Sort by:
• last accessed
• modified
• created, and
• look at other activity around the same time
Conducting analysis
• Look for methods to directly locate what you are looking for, but don’t shortcut so that you miss the smoking gun
• Use the power of the tools and make them do the work and limit what you have to look at
• Stick to your plan
• Stick to your knitting
Conducting analysis
• Email – then process the email
• Image files – then locate current and deleted image files
• User activity
• look for who was using it
• what, and
• when, within minutes
• check cookie times – good source of independent time assessment
• Can we really ever say who was or was not using the computer?
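One way to put the "sort by last accessed / modified / created and look at other activity around the same time" step and the cookie-time cross-check into practice, as an added example that is not from the presentation: a small Python timeline that first applies the per-device clock offsets noted at seizure, then pulls every artefact from any source that falls within a window of a pivot event. All device names, clock skews and artefacts below are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the presentation). The skews stand in for the
# internal clock times taken off each device at seizure: device clock minus
# reference clock, in seconds.
CLOCK_SKEW = {
    "laptop": 125,   # laptop clock ran 2 min 5 s fast
    "door": -30,     # door-access controller ran 30 s slow
}

# (device, source, raw device-local timestamp, description) -- all constructed
ARTEFACTS = [
    ("laptop", "file:modified",    "2010-03-12 09:02:10", "contracts.xls modified"),
    ("laptop", "file:accessed",    "2010-03-12 09:02:45", "contracts.xls accessed"),
    ("laptop", "link",             "2010-03-12 09:03:01", "E:\\contracts.xls.lnk created"),
    ("laptop", "registry:usbstor", "2010-03-12 09:01:40", "USB mass storage device inserted"),
    ("laptop", "cookie",           "2010-03-12 09:04:30", "webmail session cookie set"),
    ("door",   "door-access",      "2010-03-12 08:58:50", "card 0417 entered office"),
    ("laptop", "file:accessed",    "2010-03-12 13:40:00", "readme.txt accessed (AV scan)"),
]


def normalise(device, raw):
    """Convert a device-local timestamp to reference time by removing that device's skew."""
    local = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
    return local - timedelta(seconds=CLOCK_SKEW.get(device, 0))


def timeline(artefacts=ARTEFACTS, source=None):
    """All artefacts (optionally one source type, e.g. 'file:accessed') sorted by reference time."""
    rows = [(normalise(dev, ts), dev, src, desc) for dev, src, ts, desc in artefacts
            if source is None or src == source]
    return sorted(rows)


def around(pivot_raw, pivot_device, window_minutes=5, artefacts=ARTEFACTS):
    """Events from every source within +/- window of a pivot artefact (the 'smoking gun')."""
    pivot = normalise(pivot_device, pivot_raw)
    window = timedelta(minutes=window_minutes)
    return [row for row in timeline(artefacts) if abs(row[0] - pivot) <= window]


if __name__ == "__main__":
    # Pivot on the modified time of the file of interest; the door log and USB
    # registry entry line up with it only once the clock skews are removed.
    for when, dev, src, desc in around("2010-03-12 09:02:10", "laptop"):
        print(f"{when:%H:%M:%S} {dev:<7} {src:<17} {desc}")
```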
Case studies
• Tran
• Travel Agent
• Nth Syd Software Coy
• Yachting Architect
• Tainui
• Uncle Niece
• UNITEC
• Family Cases – Plane – Apartment – Dating sites
• Stolen laptop
• Breach of court order laptop
Questions?
Allan Watt
(02) 9221 1366 Office
04 2356 7813 Mobile