![Page 1: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/1.jpg)
elaw.com.au
Forensic Computing Operational Procedures
Allan Watt, Dip Policing, BBS, PGDip Forensic, MSc (Hons), CFCE, CFE
5 August 2010
![Page 2: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/2.jpg)
Forensic Computing Operational Procedures
2
Overview
– Pre-seizure, ensuring you are prepared for deployment
– Attendance at execution orders
– Obtaining an accurate brief from the client
– The pre-analysis plan
– Conducting analysis
– Case studies
![Page 3: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/3.jpg)
Pre-seizure, ensuring you are prepared for deployment
• It’s about criminal work, but also a lot about civil
• Crime is only about 30%
• In civil matters you must know what the client wants
• What they want to spend
• What do they want as far as output (Report, affidavit etc)
• If they don’t get it they may not pay the bill
• Need to communicate constantly
![Page 4: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/4.jpg)
Problems
• Bleeding to death scenario
• I need an ambulance now at any cost
• Less is more; well, it costs more anyway
• A big problem when it is not there or easily retrievable
![Page 5: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/5.jpg)
Pre-deployment
• Obtain as much information as you can pre-deployment, even if it is your client
• What type of case is it?
• Could affect the standard of evidence
• e.discovery vs e.forensics
• What is the client after, what evidence do they require?
• No point cloning the mail server if email is not involved
• Gather as much intel as you can about the IT infrastructure
![Page 6: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/6.jpg)
Pre-deployment
• Consider all possibilities with covert collections
• Have contingencies available
• Back-out plan
• Consider the masquerade
![Page 7: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/7.jpg)
Packing to go
• What to take:
• Labels
• Notebook
• Receipts/ Exhibit sheets
• Sketching material – floor plans
• Still and video camera
• Security
• Transport
• Gloves
![Page 8: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/8.jpg)
Packing to go
• Torch
• Cables
• Toolkit
• Tech sheets
![Page 9: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/9.jpg)
• Decide whether to pull the plug or shut down
• Differing evidence for each approach
• Remember cable configuration
• Remember to get the internal clock times off all devices
• Remember drive configuration
• The RAID may not work
• Remember to plug the drives back in
• It may sound stupid but it happens
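The clock reading taken at seizure is only useful if it is turned into an offset and applied consistently to every timestamp later pulled from that device. The following is an added example (not from the presentation) that records the device clock against the examiner's reference clock, derives the offset, and translates device-recorded artefact times into reference time; the readings and artefact timestamps are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed example readings: the suspect machine's clock as displayed at seizure, and
# the examiner's reference clock (e.g. an NTP/GPS-synced phone) read at the same instant.
DEVICE_CLOCK_AT_SEIZURE = datetime(2010, 8, 5, 14, 3, 10, tzinfo=timezone.utc)
REFERENCE_CLOCK_AT_SEIZURE = datetime(2010, 8, 5, 14, 0, 0, tzinfo=timezone.utc)

# Constructed artefact timestamps exactly as the device recorded them (device-clock time).
DEVICE_ARTEFACTS = [
    ("report.docx last written", datetime(2010, 8, 4, 9, 15, 0, tzinfo=timezone.utc)),
    ("USB device first connected", datetime(2010, 8, 4, 9, 12, 30, tzinfo=timezone.utc)),
]


def clock_offset(device_time: datetime, reference_time: datetime) -> timedelta:
    """Offset of the device clock from reference time; positive means the device runs fast."""
    return device_time - reference_time


def to_reference_time(device_timestamp: datetime, offset: timedelta) -> datetime:
    """Translate a device-recorded timestamp into reference time by removing the offset."""
    return device_timestamp - offset


def normalise_artefacts(artefacts, offset: timedelta):
    """Return (label, device_time, reference_time) per artefact; the original value is kept."""
    return [(label, ts, to_reference_time(ts, offset)) for label, ts in artefacts]


def seizure_note(device_time: datetime, reference_time: datetime) -> str:
    """One line for the contemporaneous notebook: both readings and the derived offset."""
    off = clock_offset(device_time, reference_time)
    direction = "fast" if off >= timedelta(0) else "slow"
    return (f"Device clock {device_time.isoformat()} vs reference {reference_time.isoformat()}: "
            f"device runs {direction} by {abs(off)}")


if __name__ == "__main__":
    off = clock_offset(DEVICE_CLOCK_AT_SEIZURE, REFERENCE_CLOCK_AT_SEIZURE)
    print(seizure_note(DEVICE_CLOCK_AT_SEIZURE, REFERENCE_CLOCK_AT_SEIZURE))
    for label, dev, ref in normalise_artefacts(DEVICE_ARTEFACTS, off):
        print(f"{label}: device {dev.isoformat()} -> reference {ref.isoformat()}")
```

Both the raw device value and the corrected value are kept side by side so the report can show the working. The offset measured at seizure is a single point; a clock that has drifted or been reset since the events of interest needs an independent anchor (server-issued timestamps such as email headers or cookies) before the correction is relied on.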
![Page 10: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/10.jpg)
What to do when collection is restricted to onsite
• Ensure you take:
• sufficient equipment
• Technology
• Knowledge
• Correct peripherals and blockers
• Don’t turn up with a bulldozer when you need a teaspoon
• With civil orders, the client still has a life to live and a business to run
![Page 11: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/11.jpg)
Onsite restrictions
• Make sure you have enough donor media
• Make sure it is cleansed
• Consider security as well, hostilities can be a problem
• Interference or even theft of evidence
• Logistics support in the event you may be there for a long time
• 16 hours can be a long time watching the grass grow on an empty stomach
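"Make sure it is cleansed" is a claim that should be verifiable, not assumed. The following is an added example, not part of the presentation, that checks donor media sector by sector for anything other than the expected wipe pattern and records a hash of the media as checked; the sample media bytes are constructed for the example, and `verify_device` is a hypothetical helper for running the same check against a real image file or block device.

```python
import hashlib

SECTOR_SIZE = 512


def dirty_sectors(image: bytes, sector_size: int = SECTOR_SIZE, fill: bytes = b"\x00"):
    """Indices of sectors that contain anything other than the expected wipe pattern.

    `fill` is the byte the wiping tool was supposed to leave behind (zeros by default)."""
    expected = fill * sector_size
    dirty = []
    for index, offset in enumerate(range(0, len(image), sector_size)):
        chunk = image[offset:offset + sector_size]
        if chunk != expected[:len(chunk)]:
            dirty.append(index)
    return dirty


def verify_cleansed(image: bytes, sector_size: int = SECTOR_SIZE, fill: bytes = b"\x00") -> dict:
    """Result for the notebook: pass/fail, offending sectors and a hash of the media as checked."""
    dirty = dirty_sectors(image, sector_size, fill)
    return {
        "clean": not dirty,
        "dirty_sectors": dirty,
        "sectors_checked": -(-len(image) // sector_size),  # ceiling division
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def verify_device(path: str, sector_size: int = SECTOR_SIZE, fill: bytes = b"\x00") -> dict:
    """Hypothetical helper: the same check streamed from a block device or image file,
    so a large drive never has to fit in memory."""
    expected = fill * sector_size
    digest = hashlib.sha256()
    dirty, index = [], 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(sector_size * 2048)  # 1 MiB at the default sector size
            if not chunk:
                break
            digest.update(chunk)
            for offset in range(0, len(chunk), sector_size):
                piece = chunk[offset:offset + sector_size]
                if piece != expected[:len(piece)]:
                    dirty.append(index)
                index += 1
    return {"clean": not dirty, "dirty_sectors": dirty,
            "sectors_checked": index, "sha256": digest.hexdigest()}


# Constructed sample media: eight wiped sectors, and a copy where sector 3 still holds old data.
CLEAN_MEDIA = bytes(8 * SECTOR_SIZE)
STALE_MEDIA = bytearray(CLEAN_MEDIA)
STALE_MEDIA[3 * SECTOR_SIZE + 16:3 * SECTOR_SIZE + 32] = b"previous client!"
STALE_MEDIA = bytes(STALE_MEDIA)

if __name__ == "__main__":
    for name, media in (("clean", CLEAN_MEDIA), ("stale", STALE_MEDIA)):
        result = verify_cleansed(media)
        print(name, "clean" if result["clean"] else f"dirty sectors {result['dirty_sectors']}")
```

A single leftover sector from a previous matter is enough to contaminate the new collection, which is why the check reports sector indices rather than a simple yes/no. Pass the wiping tool's pattern as `fill` when it does not write zeros.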
![Page 12: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/12.jpg)
Obtaining an accurate brief from the client
• Outcome
• legal
• dismissal
• fishing expedition (Covert enquiry)
• Prevention
• Output
• what do they need or
• what is needed to obtain the outcome
![Page 13: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/13.jpg)
Obtaining an accurate brief from the client
• What is needed to get the required data to provide this output
• What sources are required, does the client have access to them
• Get
• Dates
• Times
• location
![Page 14: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/14.jpg)
• email addresses
• computer usage post incident
• who has had access, (pre and post)
• usernames and passwords
• names of persons involved
• legal privilege
• criminal post action
![Page 15: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/15.jpg)
The pre-analysis plan
• You may end up in a sausage factory
• What flavour would you like?
• Horses for courses
• Sometimes you may need all of the following, sometimes only one
• Every case is different; you need to adjust to suit each case, and may need to adjust on the way as the scene changes
![Page 16: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/16.jpg)
Investigations Categories
• Four main categories
• Data movement
• Authentication of data
• System - User activity
• Content
![Page 17: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/17.jpg)
Data movement
• Link files
• last access dates (check for AV activity)
• Registry
• USB, CD etc.
• MRU
• Webmail
• Browser history
![Page 18: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/18.jpg)
Authentication of data
• OS metadata
• app metadata
• Datetime.cpl
• link files
• MRU
• temp files – data carve
• lack of original files
![Page 19: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/19.jpg)
User activity
• Registry
• last log in
• web history
• email, banking, trading, hobbies/sports
• cookie dates
• other unrelated computer evidence such as door access
• emails
![Page 20: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/20.jpg)
User activity
• data carve web pages
• consider gaming interaction and logging
• event files
![Page 21: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/21.jpg)
Content
• web history
• web content
• encrypted data
• text image data (scanned text)
• email parsing
• compressed/zip files
• Then keyword search (consider which to use, with the benefits and drawbacks of each)
• live
• index
![Page 22: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/22.jpg)
Conducting analysis
• Time is money in the outside world and the client won’t pay for time spent fishing for irrelevant information
• Browse the files and use your eyes, look through the trees and not at them and look for things that are out of place.
• Sort by:
• last accessed
• modified
• created, and
• look at other activity around the same time
![Page 23: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/23.jpg)
Conducting analysis
• Look for methods to directly locate what you are looking for but don’t shortcut so you miss the smoking gun
• Use the power of the tools and make them do the work and limit what you have to look at
• Stick to your plan
• Stick to your knitting
![Page 24: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/24.jpg)
Conducting analysis
• Email – then process the email
• Image files then locate current and deleted image files
• User activity
• look for who was using it
• what and
• when within minutes
• check cookie times – good source of independent time assessment
• Can we really ever say who was or was not using the computer?
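Sorting by last accessed, modified and created, then looking at other activity around the same time, is the core of the "who, what and when" work on the previous slides. The following is an added example, not taken from the presentation, that flattens constructed file-system metadata into a single timeline, pulls out everything within a few minutes of a pivot event (here the creation of a link file), and flags the created-after-modified pattern that often marks a file copied onto other media; the paths and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed file-system metadata for the example: (path, modified, accessed, created).
# All values are assumed to be on one clock; apply any device clock offset before using real data.
FILES = [
    ("C:/Users/j/Documents/tender.xlsx",
     datetime(2010, 7, 30, 16, 42), datetime(2010, 7, 30, 16, 50), datetime(2010, 6, 1, 9, 0)),
    ("C:/Users/j/AppData/Roaming/Microsoft/Windows/Recent/tender.lnk",
     datetime(2010, 7, 30, 16, 44), datetime(2010, 7, 30, 16, 44), datetime(2010, 7, 30, 16, 44)),
    ("E:/tender.xlsx",
     datetime(2010, 7, 30, 16, 42), datetime(2010, 7, 30, 16, 47), datetime(2010, 7, 30, 16, 47)),
    ("C:/Users/j/AppData/Roaming/Mozilla/cookies/bank.example.txt",
     datetime(2010, 7, 30, 16, 40), datetime(2010, 7, 30, 16, 40), datetime(2010, 7, 30, 16, 40)),
    ("C:/Windows/System32/drivers/etc/hosts",
     datetime(2009, 7, 14, 2, 0), datetime(2010, 7, 30, 8, 1), datetime(2009, 7, 14, 2, 0)),
]


def build_timeline(files):
    """Flatten each file's M/A/C times into (time, kind, path) events, oldest first."""
    events = []
    for path, modified, accessed, created in files:
        events.append((modified, "modified", path))
        events.append((accessed, "accessed", path))
        events.append((created, "created", path))
    return sorted(events)


def events_around(timeline, pivot, minutes):
    """Everything that happened within +/- `minutes` of a pivot time."""
    window = timedelta(minutes=minutes)
    return [ev for ev in timeline if abs(ev[0] - pivot) <= window]


def likely_copies(files):
    """Paths whose created time is later than their modified time.

    On NTFS a file copied to another volume keeps the source's modified time but gets a
    fresh created time, so created > modified is a classic data-movement indicator.
    It is a heuristic: restores and some tools leave the same pattern."""
    return [path for path, modified, _accessed, created in files if created > modified]


def find_event(timeline, path_suffix, kind):
    """First event of the given kind whose path ends with `path_suffix`."""
    return next(ev for ev in timeline if ev[1] == kind and ev[2].endswith(path_suffix))


if __name__ == "__main__":
    tl = build_timeline(FILES)
    # Pivot on the link file's creation (document opened) and look five minutes either side.
    lnk_created = find_event(tl, "tender.lnk", "created")
    for when, kind, path in events_around(tl, lnk_created[0], 5):
        print(f"{when:%Y-%m-%d %H:%M} {kind:<8} {path}")
    print("possible copies:", likely_copies(FILES))
```

The window view puts the cookie write, the document access and the appearance of the same file on the removable volume next to each other, which is the "what and when within minutes" picture the slide asks for; the cookie entry is also the independent time source, since its server-issued dates do not depend on the local clock.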
![Page 25: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/25.jpg)
Case studies
• Tran
• Travel Agent
• Nth Syd Software Coy
• Yachting Architect
• Tainui
• Uncle Niece
• UNITEC
• Family Cases – Plane – Apartment – Dating sites
• Stolen laptop
• Breach of court order laptop
![Page 26: Forensics computing operational procedures](https://reader036.vdocuments.net/reader036/viewer/2022062303/5575b94cd8b42a3b498b530c/html5/thumbnails/26.jpg)
Questions?
Allan Watt
(02) 9221 1366 Office
04 2356 7813 Mobile