
Forensics computing operational procedures

Jun 08, 2015

Page 1: Forensics computing operational procedures

elaw.com.au

Forensic Computing Operational Procedures

Allan Watt

Dip Policing, BBS, PGDip Forensic, MSc (Hons), CFCE, CFE

5 August 2010

Page 2: Forensics computing operational procedures

Overview

– Pre-seizure, ensuring you are prepared for deployment

– Attendance at execution orders

– Obtaining an accurate brief from the client

– The pre-analysis plan

– Conducting analysis

– Case studies

Page 3: Forensics computing operational procedures

Pre-seizure, ensuring you are prepared for deployment

• It’s about criminal work, but also a lot about civil

• Criminal work is only about 30%

• In civil work you must know what the client wants

• What they want to spend

• What they want as output (report, affidavit etc.)

• If they don’t get it, they may not pay the bill

• Need to communicate constantly

Page 4: Forensics computing operational procedures

Problems

• Bleeding to death scenario

• “I need an ambulance now, at any cost”

• Less is more, well, it costs more anyway

• A big problem when the evidence is not there, or is not easily retrievable

Page 5: Forensics computing operational procedures

Pre-deployment

• Obtain as much information as you can pre-deployment, even if it is your own client

• What type of case is it?

• It could affect the standard of evidence required

• e-discovery vs e-forensics

• What is the client after, what evidence do they require?

• No point cloning the mail server if email is not involved

• Gather as much intel as you can about the IT infrastructure

Page 6: Forensics computing operational procedures

Pre-deployment

• Consider all possibilities with covert collections

• Have contingencies available

• Back-out plan

• Consider the masquerade (the cover story that explains your presence on site)

Page 7: Forensics computing operational procedures

Packing to go

• What to take:

• Labels

• Notebook

• Receipts/ Exhibit sheets

• Sketching material – floor plans

• Still and video camera

• Security

• Transport

• Gloves

Page 8: Forensics computing operational procedures

Packing to go

• Torch

• Cables

• Toolkit

• Tech sheets

Page 9: Forensics computing operational procedures

• Decide whether to pull the plug or shut down

• differing evidence for each approach: pulling the plug freezes the disk as it is but loses what is only in memory; an orderly shutdown keeps what is written out on the way down but changes the disk in doing so

• Remember cable configuration

• Remember to get the internal clock times off all devices

• Remember drive configuration

• The RAID may not work if the drives go back in a different order

• Remember to plug the drives back in

• It may sound stupid, but it happens

Page 10: Forensics computing operational procedures

What to do when collection is restricted to onsite

• Ensure you take:

• sufficient equipment

• Technology

• Knowledge

• Correct peripherals and blockers

• Don’t turn up with a bulldozer when you need a teaspoon

• With civil orders, the client still has a life to live and a business to run

Page 11: Forensics computing operational procedures

Onsite restrictions

• Make sure you have enough donor media

• Make sure it is cleansed (wiped before anything is written to it)

• Consider security as well; hostilities can be a problem

• Interference with, or even theft of, evidence

• Logistics support in the event you may be there for a long time

• 16 hours can be a long time watching the grass grow on an empty stomach
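The "make sure it is cleansed" point is only worth anything if you can show the donor media was sterile before the first image went onto it. The following is an added example (my own, not from the presentation) of a verification pass: it reads the whole device or image in chunks, confirms every byte matches the wipe pattern, and reports the offset of the first stray byte so it can go in the notebook. The file-backed images built in demo() are constructed for illustration; on the bench you would point verify_wiped() at the block device path (for example /dev/sdb, read-only, with the privileges that requires) rather than at a file.

```python
"""Verify that donor (target) media is sterile before an image is written to it.

Added example, not part of the original presentation.  Reads the whole device
or image in fixed-size chunks and confirms every byte equals the wipe pattern
(zeros by default), reporting the absolute offset of the first byte that is not.
"""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per read: a multi-terabyte drive never has to fit in memory


def verify_wiped(path, fill=0x00):
    """Return (is_clean, first_bad_offset, bytes_checked).

    is_clean is True only if every byte read equals `fill`.  When a stray byte
    is found, first_bad_offset is its absolute offset on the media, which is
    what you record in your notes (and what tells you a 'wiped' disk was not).
    """
    pattern = bytes([fill]) * CHUNK
    checked = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                break
            if buf != pattern[: len(buf)]:
                # The cheap whole-chunk compare failed; now locate the exact byte.
                for i, b in enumerate(buf):
                    if b != fill:
                        return False, checked + i, checked + len(buf)
            checked += len(buf)
    return True, None, checked


def demo():
    """Constructed images: one fully zeroed, one with residue just past 2 MiB."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.img")
        dirty = os.path.join(d, "dirty.img")
        with open(clean, "wb") as f:
            f.write(b"\x00" * (3 * CHUNK + 123))
        with open(dirty, "wb") as f:
            f.write(b"\x00" * (2 * CHUNK + 17))
            f.write(b"NTFS    ")  # constructed leftover boot-sector signature
            f.write(b"\x00" * 4096)
        return verify_wiped(clean), verify_wiped(dirty)


if __name__ == "__main__":
    for label, result in zip(("clean", "dirty"), demo()):
        print(label, result)
```

The whole-chunk comparison keeps the common (clean) path fast; the byte loop only runs on the one chunk that fails, so reporting the precise offset costs nothing on sterile media.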

Page 12: Forensics computing operational procedures

Obtaining an accurate brief from the client

• Outcome

• legal

• dismissal

• fishing expedition (Covert enquiry)

• Prevention

• Output

• what do they need or

• what is needed to obtain the outcome

Page 13: Forensics computing operational procedures

Obtaining an accurate brief from the client

• What is needed to get the required data to provide this output

• What sources are required, does the client have access to them

• Get

• Dates

• Times

• location

Page 14: Forensics computing operational procedures

• email addresses

• computer usage post-incident

• who has had access (pre and post)

• usernames and passwords

• names of persons involved

• legal privilege

• criminal action post-incident

Page 15: Forensics computing operational procedures

The pre-analysis plan

• You may end up in a sausage factory

• What flavour would you like?

• Horses for courses

• Sometimes you may need all of the following, sometimes just one

• Every case is different; adjust to suit each case, and be ready to adjust on the way as the scene changes

Page 16: Forensics computing operational procedures

Investigations Categories

• Four main categories

• Data movement

• Authentication of data

• System - User activity

• Content

Page 17: Forensics computing operational procedures

Data movement

• Link files

• last access dates (check whether AV scans have updated them)

• Registry

• USB, CD etc.

• MRU

• Webmail

• Browser history

Page 18: Forensics computing operational procedures

Authentication of data

• OS metadata

• app metadata

• Datetime.cpl (the system date, time and time zone settings)

• link files

• MRU

• temp files – data carve

• lack of original files
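OS metadata and application metadata are two independent witnesses to the same file, and authentication is largely a matter of asking whether they agree. The following is an added example (mine, not from the presentation) that builds two constructed .docx containers with made-up docProps/core.xml metadata, then compares the application's own dcterms:created and dcterms:modified stamps against the file-system mtime. The finding codes, user names, dates and the two-minute tolerance are assumptions for the example; on a real exhibit you would run authenticate() against the file as it sits on the image, and read the file-system times from the image's file system rather than from a working copy.

```python
"""Authentication of data: does the application's own metadata agree with the
operating-system timestamps?

Added example, not part of the original presentation.  Builds minimal Office
Open XML (.docx) containers with constructed docProps/core.xml metadata and
compares the stamps the application wrote with the file-system mtime.
"""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">'
    "<dc:creator>{creator}</dc:creator>"
    "<cp:lastModifiedBy>{modifier}</cp:lastModifiedBy>"
    '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
    "</cp:coreProperties>"
)


def w3cdtf(dt):
    """Format an aware datetime the way core.xml carries it (UTC, trailing Z)."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_docx(path, creator, modifier, created, modified, fs_mtime):
    """Write a constructed .docx (metadata part plus a stub body) and set its OS mtime."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML.format(
            creator=creator, modifier=modifier,
            created=w3cdtf(created), modified=w3cdtf(modified), **NS))
        z.writestr("word/document.xml", "<w:document/>")
    os.utime(path, (fs_mtime.timestamp(), fs_mtime.timestamp()))


def read_app_metadata(path):
    """Return the application metadata, or None if the part is absent."""
    with zipfile.ZipFile(path) as z:
        if "docProps/core.xml" not in z.namelist():
            return None
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(tag):
        el = root.find(tag, NS)
        return el.text if el is not None else None

    def stamp(tag):
        raw = text(tag)
        return datetime.fromisoformat(raw.replace("Z", "+00:00")) if raw else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": stamp("dcterms:created"),
        "modified": stamp("dcterms:modified"),
    }


def authenticate(path, tolerance=timedelta(minutes=2)):
    """Compare app metadata with OS metadata; return a list of finding codes (invented here)."""
    meta = read_app_metadata(path)
    if meta is None:
        return ["NO_APP_METADATA"]
    fs_mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    findings = []
    if meta["created"] and meta["modified"] and meta["created"] > meta["modified"]:
        findings.append("CREATED_AFTER_MODIFIED")
    if meta["modified"] and meta["modified"] - fs_mtime > tolerance:
        # The application recorded a save later than the OS says the file last changed:
        # the OS stamp was altered, or the file reached this system via a clock that was
        # behind the one the application used.  Either way, ask the question.
        findings.append("APP_MODIFIED_AFTER_FS_MTIME")
    if meta["creator"] != meta["last_modified_by"]:
        findings.append("CREATOR_MISMATCH")  # a lead to follow up, not an inconsistency by itself
    return findings


def demo():
    """Constructed scenarios: a consistent file, and one whose OS mtime was rolled back."""
    created = datetime(2010, 8, 2, 9, 0, tzinfo=timezone.utc)
    saved = datetime(2010, 8, 5, 14, 30, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "report.docx")
        bad = os.path.join(d, "backdated.docx")
        build_sample_docx(good, "user1", "user1", created, saved, fs_mtime=saved)
        # OS mtime set back to 2009 while the application's own save stamp still says 2010.
        build_sample_docx(bad, "user1", "user2", created, saved,
                          fs_mtime=datetime(2009, 1, 1, tzinfo=timezone.utc))
        return {"consistent": authenticate(good), "backdated": authenticate(bad)}


if __name__ == "__main__":
    print(demo())
```

The comparison is deliberately one-directional: an OS mtime later than the application's save stamp is normal (the file was copied, scanned, or touched after the last save), whereas an application save stamp later than the OS mtime has no innocent explanation within a single clock, which is why only that direction raises a finding.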

Page 19: Forensics computing operational procedures

User activity

• Registry

• last log in

• web history

• email, banking, trading, hobbies/sports

• cookie dates

• other unrelated computer evidence such as door access

• emails

Page 20: Forensics computing operational procedures

User activity

• data carve web pages

• consider gaming interaction and logging

• event files

Page 21: Forensics computing operational procedures

Content

• web history

• web content

• encrypted data

• text image data (scanned text)

• email parsing

• compressed/zip files

• Then keyword search (consider which to use, with its benefits and drawbacks):

• live

• index

Page 22: Forensics computing operational procedures

Conducting analysis

• Time is money in the outside world and the client won’t pay for time spent fishing for irrelevant information

• Browse the files and use your eyes, look through the trees and not at them and look for things that are out of place.

• Sort by:

• last accessed

• modified

• created

• and look at other activity around the same time

Page 23: Forensics computing operational procedures

Conducting analysis

• Look for methods to directly locate what you are looking for but don’t shortcut so you miss the smoking gun

• Use the power of the tools and make them do the work and limit what you have to look at

• Stick to your plan

• Stick to your knitting

Page 24: Forensics computing operational procedures

Conducting analysis

• Email – then process the email

• Image files – then locate current and deleted image files

• User activity:

• look for who was using it,

• what, and

• when, within minutes

• check cookie times – good source of independent time assessment

• Can we really ever say who was or was not using the computer?

Page 25: Forensics computing operational procedures

Case studies

• Tran

• Travel Agent

• Nth Syd Software Coy

• Yachting Architect

• Tainui

• Uncle Niece

• UNITEC

• Family Cases – Plane – Apartment – Dating sites

• Stolen laptop

• Breach of court order laptop

Page 26: Forensics computing operational procedures

Questions?

Allan Watt

[email protected]

(02) 9221 1366 Office

04 2356 7813 Mobile
