Solved

Computer Forensics Primers ("for Dummies", I'm afraid)

Posted on 2004-09-24
Last Modified: 2010-04-11
Our security people remind me of Inspector Clouseau, and they're about as subtle as a spastic bull in a china shoppe when conducting investigations into employee misuse of IT resources.

I'd appreciate some links or references to online competent resources or good still-in-print books on the subject of how to *properly* do IT investigation and computer forensics. We are a multi-platform, heterogeneous environment, so M$-specific resources are not all that applicable. I'm looking mainly for "principles, guidelines and generalized methods", rather than "Here's how you do X forensic task on platform Y with package Z".
Question by:PsiCop

Expert Comment

by:dldigital
ID: 12146823
There are various resources available out there. Some are available at bookstores, "Computer Forensics and Digital Evidence Gathering" being one of many. Some even include a CD that offers various scenarios and queries you after viewing the scenario; it helps you to see if it is something that might be of interest to you. Various sites also have information available; www.virtuallibrarian.org is one of them. Most of the definitive information comes from courses on "Forensic Methodology"; these are generally offered at IT colleges or online from institutions like sans.org etc...
Guidance Software has some excellent White Papers available. If you are interested in pursuing a course in computer forensics, a search online should give you lots to look at. Certification is available as a certified forensic examiner. The bull in a china shop doesn't describe all of us though. Most sites that can give you specific protocol and policy type info are restricted to those of us in the industry.

If you decide to pursue it I would like to wish you luck in it. I personally find it to be a very interesting and challenging field.

Author Comment

by:PsiCop
ID: 12146860
"The bull in a china shop doesn't describe all of us though."

No, it doesn't. Just the ones I'm having to deal with right now.

Assisted Solution

by:dldigital
dldigital earned 50 total points
ID: 12146863
Sorry, I just tested the Virtuallibrarian link; it has finally been changed to www.virtuallibrarian.com

Author Comment

by:PsiCop
ID: 12146868
BTW, the link you provided does not work.

Expert Comment

by:AbstractAnger
ID: 12146916
There's a lot that comes into play when it comes to forensics, especially in the line of computers. I'm prepping for three classes right now: Ethical Hacking, Forensics, and Advanced Forensics. Since I'm in the military and deal a lot with security issues, I take these kinds of things seriously. Since I've never been to courses for this, I've had to stumble through a few things, and as long as you keep your eyes open and think long and hard about what you do before you do it, you're pretty safe. What I mean is, everything you do on a computer leaves tracks all over the place. Some are blatantly obvious, but you'd never think to look there.
As far as being inconspicuous about it, the best way to watch your users without them knowing, of course, is remotely. As long as they aren't smart enough to figure out if someone else is touching their system from afar, you're good to go. Many will say this violates user privacy; however, most companies and government institutions have disclaimers set in place before a user logs in. They are required to acknowledge that they can be monitored and that they will abide by the rules.
There are many resources available, and as digital stated above there are courses available. Amazon.com has some books available, and of course eBay as well. You're better off buying the books that are available through the actual courses, which can be found by searching for course outlines. That way you're more likely to be able to stick to the curriculum you'd have followed if you had actually taken the course.

http://www.amazon.com/exec/obidos/tg/detail/-/1584500182/002-4320377-5240867?v=glance

Author Comment

by:PsiCop
ID: 12160284
Well, I guess I wasn't too clear.

There are some ongoing investigations into employees, and the Security people are blundering about like the Keystone Kops. Not a thing they are doing will be admissible in court, should it ever get there.

Of course, I'm ignored when I bring this up.

So, I'm looking for some links, preferably, I can send to them, so they can get a clue. They won't just go to classes - that would mean admitting they're blundering about. First I gotta show them how badly they're hosing things up - and the most digestible way I can think to do that is to point them at some web resources on how to properly do this sort of investigation.

Assisted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 12160808
This book: Computer Forensics (ISBN# 0-201-70719-5) is a wonderful resource. It outlines many of the same points you've already addressed: court admissibility, multiple platforms, IT policy etc...

The main points of the book are as follows:
Establish guidelines for any forensics or recovery processes.
Have written policy in place, signed by each employee, as well as other policies (acceptable use, anti-virus, audit vulnerability scanning etc...)
Then:
Acquire the evidence without altering or damaging the original
Authenticate that your evidence is the same as the original
Analyze the data without modifying the recovered data

This book is much more about the politics and pitfalls of forensics than a how-to guide on recovery, like finding deleted files etc. (although that is covered as well).
From my work in this area, there are no greater tools than Ghost (or TrueImage etc...) and the recovery tools by OnTrack http://www.ontrack.com/Homepage.aspx?id=3&pagename=Software

There are rules that need to be followed with any investigation, especially if you're going to be involving the legal system. Warrants, subpoenas and testimony need to be carried out with the proper authorities, and if you don't have policies in place that make your recovery team the proper authority, then most of your "evidence" could be null/void in the court. Each state has its own laws that govern employees' rights etc..., so this is very important to find out before any investigation is conducted.
http://www.aw-bc.com/catalog/academic/product/0,1144,0201707195,00.html
http://www.sans.org/resources/policies/
-rich
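The acquire / authenticate / analyze steps from the post above as a worked example. This is added here and is not code from the thread or from the book it cites; the file names and the sample evidence contents are constructed for the demonstration.

```python
# Added example (not from the thread): the acquire / authenticate / analyze
# steps above as code. Paths and sample contents are constructed.
import hashlib
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(original: str, workdir: str) -> dict:
    """Copy the original into workdir, hash both, return a custody record.
    The copy is made read-only so later analysis cannot silently alter it."""
    image = os.path.join(workdir, os.path.basename(original) + ".img")
    shutil.copyfile(original, image)
    os.chmod(image, stat.S_IRUSR)  # owner read-only: analyze, never modify
    return {
        "source": original,
        "image": image,
        "source_sha256": sha256_of(original),
        "image_sha256": sha256_of(image),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }

def authenticate(record: dict) -> bool:
    """True only if the image matched the original at acquisition and still
    matches its recorded hash now; any later edit to the copy fails this."""
    return (record["source_sha256"] == record["image_sha256"]
            and sha256_of(record["image"]) == record["image_sha256"])

def demo() -> tuple:
    """Constructed walk-through: acquire, authenticate, then tamper and re-check."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        with open(src, "wb") as f:
            f.write(b"constructed sample evidence\n")
        rec = acquire(src, d)
        before = authenticate(rec)
        os.chmod(rec["image"], stat.S_IRUSR | stat.S_IWUSR)  # careless analyst
        with open(rec["image"], "ab") as f:
            f.write(b"x")
        return before, authenticate(rec)
```

The custody record is what gets written down and signed; a real acquisition would image the whole device with a write blocker in place rather than copy a single file.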

Expert Comment

by:ZENworker
ID: 12166160
Awareness Training seems to be in order. This link may help.

http://www.gocsi.com

ZENworker

Author Comment

by:PsiCop
ID: 12166416
Folx, they ain't gonna read books. They ain't gonna go to conferences. They ain't gonna take classes.

*I* will read books and go to conferences and take classes, but they ignore me.

Anyone have anything easily digestible, for the pea-brains?

Accepted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 12169962

Assisted Solution

by:dldigital
dldigital earned 50 total points
ID: 12170701
Something that you need to consider from the employer's point of view is that 99 times out of 100 they don't want the case to go to court, so legal niceties don't count; they just want the person to quit or be fired. This means from a forensic point of view nothing has to withstand scrutiny; the information just has to be made available. I have had such requests and have chosen to walk away from them (freelancer). I can understand your frustration, but my advice is to walk away and let them screw it up badly, then allow a suitable amount of time to pass, and quietly suggest to the boss that the past incident has piqued your interest in Computer Forensics and you have done some reading about it and would like to pursue it. You can offer to up front the cost of the class with reimbursement to follow if you get your certification.

As to helping those who won't listen: "been there, done that, got the t-shirt and the scars to prove it". It ain't worth the office politics battle. Just move on and wait for the dust to settle; it's always easier to hear a reasonable voice after the roar of battle has died down.

It's obvious from what you say that they aren't in a listening mood at the moment.

Good Luck

Author Comment

by:PsiCop
ID: 12172300
I'm not a freelancer, so walking away is not an option.

I'm not looking for an office battle - just some materials to hand them as sort of a CYA (for me, not them).

Author Comment

by:PsiCop
ID: 12189807
OK, I gave them richrumble's first link, we'll see how that goes. I'm going to close the Question.

Lion's share to richrumble for best Answering.