elaw.com.au
Forensic Computing Operational Procedures
Allan Watt, Dip Policing, BBS, PGDip Forensic, MSc (Hons), CFCE, CFE
5 August 2010
Overview
• Pre-seizure, ensuring you are prepared for deployment
• Attendance at execution orders
• Obtaining an accurate brief from the client
• The pre-analysis plan
• Conducting analysis
• Case studies
Pre-seizure, ensuring you are prepared for deployment
• It’s about criminal work, but also a lot about civil
• Crime is only about 30%
• In civil work you must know what the client wants
• What they want to spend
• What do they want as far as output (Report, affidavit etc)
• If they don’t get it they may not pay the bill
• Need to communicate constantly
Problems
• Bleeding to death scenario
• I need an ambulance now at any cost
• Less is more, well, it costs more anyway
• A big problem when it is not there or easily retrievable
Pre-deployment
• Obtain as much information as you can pre-deployment, even if it is your client
• What type of case is it?
• Could affect the standard of evidence
• e.discovery vs e.forensics
• What is the client after, what evidence do they require?
• No point cloning the mail server if email is not involved
• Gather as much intel as you can about the IT infrastructure
Pre-deployment
• Consider all possibilities with covert collections
• Have contingencies available
• Back out plan
• Consider the masquerade
Packing to go
• What to take:
• Labels
• Notebook
• Receipts/ Exhibit sheets
• Sketching material – floor plans
• Still and video camera
• Security
• Transport
• Gloves
Packing to go
• Torch
• Cables
• Toolkit
• Tech sheets
• Decide whether to pull the plug or shut down
• Differing evidence for each approach
• Remember cable configuration
• Remember to get the internal clock times off all devices
• Remember drive configuration
• The RAID may not work
• Remember to plug the drives back in
• It may sound stupid but it happens
What to do when collection is restricted to onsite
• Ensure you take:
• Sufficient equipment
• Technology
• Knowledge
• Correct peripherals and blockers
• Don’t turn up with a bulldozer when you need a teaspoon
• With civil orders, the client still has a life to live and a business to run
Onsite restrictions
• Make sure you have enough donor media
• Make sure it is cleansed
• Consider security as well, hostilities can be a problem
• Interference or even theft of evidence
• Logistics support in the event you may be there for a long time
• 16 hours can be a long time watching the grass grow on an empty stomach
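Whether donor media really is cleansed can be checked rather than assumed. The script below is an added example and is not part of Allan Watt's slides: it reads a path you supply (the donor device, where you have read access, or an image of it) in 1 MiB chunks, reports the offset of the first non-zero byte if there is one, and returns the SHA-256 of everything read so the check can be written on the exhibit sheet. The `demo()` function builds two small constructed image files to show both outcomes; the file names and contents are constructed.

```python
"""Verify that donor (destination) media is cleansed before it is used.

Added example, not part of the original slides. It reads a block device or
image file in fixed-size chunks, reports the first non-zero byte if there is
one, and returns a SHA-256 of what was read so the check can be recorded on
the exhibit sheet. The sample images built by demo() are constructed data."""
import hashlib
import os
import sys
import tempfile

CHUNK = 1 << 20  # 1 MiB per read: few syscalls, modest memory


def verify_zeroed(path, chunk_size=CHUNK):
    """Return (is_clean, first_nonzero_offset, bytes_read, sha256_hex).

    is_clean is True only when every byte read is 0x00; first_nonzero_offset
    is None in that case. Reading continues after a hit so the hash covers the
    whole medium.
    """
    digest = hashlib.sha256()
    offset = 0
    first_bad = None
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            digest.update(chunk)
            if first_bad is None:
                stripped = chunk.lstrip(b"\x00")  # empty if the chunk is all zeros
                if stripped:
                    first_bad = offset + (len(chunk) - len(stripped))
            offset += len(chunk)
    return first_bad is None, first_bad, offset, digest.hexdigest()


def demo():
    """Build a wiped image and a reused image (constructed) and verify both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        wiped = os.path.join(tmp, "wiped.img")
        with open(wiped, "wb") as fh:
            fh.write(bytes(3 * 1024 * 1024 + 17))  # zeros, not a whole number of chunks
        reused = os.path.join(tmp, "reused.img")
        with open(reused, "wb") as fh:
            fh.write(bytes(2 * 1024 * 1024))
            fh.write(b"old client data")  # residue from a previous job
            fh.write(bytes(4096))
        results["wiped"] = verify_zeroed(wiped)
        results["reused"] = verify_zeroed(reused)
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        clean, first_bad, size, sha = verify_zeroed(sys.argv[1])
        print(f"{sys.argv[1]}: {size} bytes, sha256 {sha}")
        print("clean" if clean else f"NOT clean: first non-zero byte at offset {first_bad}")
    else:
        for name, (clean, first_bad, size, sha) in demo().items():
            print(name, "clean" if clean else f"residue at {first_bad}", size, sha[:16])
```

Run with no arguments to see the two constructed cases; run with a path to verify real media. The full read also gives the zero-filled hash of the medium at that size, which is a convenient value to record before the acquisition is written onto it.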
Obtaining an accurate brief from the client
• Outcome
• legal
• dismissal
• fishing expedition (Covert enquiry)
• Prevention
• Output
• what do they need or
• what is needed to obtain the outcome
Obtaining an accurate brief from the client
• What is needed to get the required data to provide this output
• What sources are required, does the client have access to them
• Get
• Dates
• Times
• location
• email addresses
• computer usage post incident
• who has had access (pre and post)
• usernames and passwords
• names of persons involved
• legal privilege
• criminal post action
The pre-analysis plan
• You may end up in a sausage factory
• What flavour would you like?
• Horses for courses
• Sometimes you may need all of the following, sometimes only one
• Every case is different; adjust to suit each case, and be ready to adjust along the way as the scene changes
Investigations Categories
• Four main categories
• Data movement
• Authentication of data
• System - User activity
• Content
Data movement
• Link files
• last access dates (check for AV)
• Registry
• USB, CD etc.
• MRU
• Webmail
• Browser history
Authentication of data
• OS metadata
• app metadata
• Datetime.cpl
• link files
• MRU
• temp files – data carve
• lack of original files
User activity
• Registry
• last log in
• web history
• email, banking, trading, hobbies/sports
• cookie dates
• other unrelated computer evidence such as door access
• emails
User activity
• data carve web pages
• consider gaming interaction and logging
• event files
Content
• web history
• web content
• encrypted data
• text image data (scanned text)
• email parsing
• compressed/zip files
• Then keyword search (consider which to use benefits and drawbacks)
• live
• index
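To make the live-versus-index trade-off concrete, here is an added Python example (not from the slides) over a constructed four-file corpus. `live_search()` re-reads every file for each query and matches the keyword anywhere in the text; `build_index()` and `index_search()` tokenise the corpus once and answer later queries from a word index, which is cheap per query but cannot find a keyword fused into a larger token such as `invoice2009`. All paths, text and function names are constructed for the example.

```python
"""Live (scan) versus indexed keyword search over a constructed corpus.

Added example, not from the slides. live_search() re-reads every file for
each query and matches the keyword anywhere in the text; build_index() and
index_search() tokenise once and answer later queries from a word index. The
file names and text below are constructed sample data."""
import re
from collections import defaultdict

# Constructed corpus: path -> text extracted from the file.
CORPUS = {
    "docs/report.txt": "Quarterly report. Invoice totals attached.",
    "mail/outbox.eml": "Subject: payment\nSee attached invoice2009.xls for the amounts.",
    "temp/~wrd0001.tmp": "DRAFT confidential draft of the tender price list",
    "users/bob/notes.txt": "Lunch with Ann re. the tender. Sailing weekend.",
}

TOKEN = re.compile(r"[a-z0-9]+")  # how this toy index splits text into words


def live_search(corpus, keyword):
    """Case-insensitive substring scan of every file, repeated per query."""
    kw = keyword.lower()
    return sorted(path for path, text in corpus.items() if kw in text.lower())


def build_index(corpus):
    """One pass over the corpus: word -> set of paths containing it."""
    index = defaultdict(set)
    for path, text in corpus.items():
        for tok in TOKEN.findall(text.lower()):
            index[tok].add(path)
    return index


def index_search(index, keyword):
    """Dictionary lookup; cheap, but only whole tokens can be found."""
    return sorted(index.get(keyword.lower(), ()))


def compare(corpus, keywords):
    """Run both methods and report what the index misses relative to live."""
    index = build_index(corpus)
    report = {}
    for kw in keywords:
        live = live_search(corpus, kw)
        idx = index_search(index, kw)
        report[kw] = {
            "live": live,
            "index": idx,
            "missed_by_index": sorted(set(live) - set(idx)),
        }
    return report


if __name__ == "__main__":
    for kw, r in compare(CORPUS, ["invoice", "tender", "draft"]).items():
        print(f"{kw}: live={r['live']} index={r['index']} missed={r['missed_by_index']}")
```

The index pays its cost once and then answers every further keyword from a lookup, which is why it wins when the keyword list grows during a case; the live scan reflects exactly what is on the media now and finds partial matches, at the price of reading everything again per query. Other differences between real tools (coverage of unallocated space, noise-word lists, how the index is refreshed) are tool-specific and not modelled here.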
Conducting analysis
• Time is money in the outside world and the client won’t pay for time spent fishing for irrelevant information
• Browse the files and use your eyes, look through the trees and not at them and look for things that are out of place.
• Sort by:
• last accessed
• modified
• created
• Look at other activity around the same time
Conducting analysis
• Look for methods to directly locate what you are looking for but don’t shortcut so you miss the smoking gun
• Use the power of the tools and make them do the work and limit what you have to look at
• Stick to your plan
• Stick to your knitting
Conducting analysis
• Email – then process the email
• Image files – then locate current and deleted image files
• User activity
• look for who was using it
• what and
• when within minutes
• check cookie times – good source of independent time assessment
• Can we really ever say who was or was not using the computer?
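The two analysis slides above (sorting by last accessed, modified and created and looking at other activity around the same time; placing who, what and when within minutes and cross-checking against independent time sources) come down to building a normalized timeline. The Python below is an added worked example, not from the slides: it applies the device clock offset recorded at seizure (the earlier slide's "get the internal clock times off all devices"), sorts file records by any of the three timestamps, and lists everything within a window around an anchor event, here a USB first-insertion time, alongside an independent door-access record of the kind mentioned under User activity. All file paths, timestamps, the clock offset and the door-access record are constructed; the dataclass and function names are this example's own.

```python
"""Build a normalized activity timeline around an anchor event.

Added example, not from the slide deck. It (1) applies the device clock
offset recorded at seizure so filesystem timestamps can be compared with
independent sources such as door-access logs, (2) sorts records by created,
modified or accessed time, and (3) lists everything that happened within a
window around an anchor event. All records below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileRecord:
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


@dataclass(frozen=True, order=True)
class Event:
    when: datetime      # in reference time
    source: str
    detail: str


# Recorded at seizure (constructed): the suspect PC's clock showed 10:05:30
# when the examiner's reference clock showed 10:00:00, so it ran 5m30s fast.
DEVICE_CLOCK = datetime(2010, 8, 5, 10, 5, 30)
REFERENCE_CLOCK = datetime(2010, 8, 5, 10, 0, 0)
CLOCK_OFFSET = DEVICE_CLOCK - REFERENCE_CLOCK


def to_reference(device_time, offset=CLOCK_OFFSET):
    """Convert a timestamp written by the device clock into reference time."""
    return device_time - offset


def sort_by(files, field):
    """Order file records by one MAC field ('created', 'modified', 'accessed')."""
    return [f.path for f in sorted(files, key=lambda f: getattr(f, field))]


def file_events(files):
    """Expand every MAC timestamp into an Event, normalized to reference time."""
    return [Event(to_reference(getattr(f, kind)), f"fs:{kind}", f.path)
            for f in files for kind in ("created", "modified", "accessed")]


def activity_around(events, anchor, window=timedelta(minutes=10)):
    """Everything within +/- window of the anchor, oldest first."""
    return sorted(e for e in events if abs(e.when - anchor) <= window)


# Constructed filesystem records, timestamps as written by the device clock.
FILES = [
    FileRecord("D:\\work\\tender_price_list.xls",
               datetime(2010, 6, 1, 9, 0, 0),
               datetime(2010, 8, 4, 14, 33, 0),
               datetime(2010, 8, 4, 14, 36, 10)),
    FileRecord("C:\\Users\\bob\\Recent\\tender_price_list.lnk",
               datetime(2010, 8, 4, 14, 36, 15),
               datetime(2010, 8, 4, 14, 36, 15),
               datetime(2010, 8, 4, 14, 36, 15)),
    FileRecord("C:\\Users\\bob\\Pictures\\holiday.jpg",
               datetime(2009, 12, 20, 18, 0, 0),
               datetime(2009, 12, 20, 18, 0, 0),
               datetime(2010, 8, 4, 9, 12, 0)),
]

# Anchor: first insertion of a USB mass-storage device as recorded by the
# registry (device clock), plus an independent door-access record that is
# already in reference time. Both constructed.
USB_FIRST_INSERT = Event(to_reference(datetime(2010, 8, 4, 14, 35, 30)),
                         "registry:usbstor", "USB mass storage, first insertion")
DOOR_ACCESS = Event(datetime(2010, 8, 4, 14, 38, 0),
                    "door-access", "badge 0417 exit, level 3")


def timeline():
    """All events within the window around the USB insertion, in order."""
    events = file_events(FILES) + [USB_FIRST_INSERT, DOOR_ACCESS]
    return activity_around(events, USB_FIRST_INSERT.when)


if __name__ == "__main__":
    print("by last accessed:", sort_by(FILES, "accessed"))
    for e in timeline():
        print(e.when.isoformat(sep=" "), e.source, e.detail)
```

Without the offset correction the spreadsheet access and the link-file creation would appear to follow the door-access exit rather than precede it, which is exactly the kind of minutes-level error the slide warns about; the holiday photo falls outside the window and drops out of view, which is what the "look at other activity around the same time" filter is for.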
Case studies
• Tran
• Travel Agent
• Nth Syd Software Coy
• Yachting Architect
• Tainui
• Uncle Niece
• UNITEC
• Family Cases – Plane – Apartment – Dating sites
• Stolen laptop
• Breach of court order laptop
Questions?
Allan Watt
(02) 9221 1366 Office
04 2356 7813 Mobile