Computer Forensics Primers ("for Dummies", I'm afraid)

Our security people remind me of Inspector Clouseau, and they're about as subtle as a spastic bull in a china shoppe when conducting investigations into employee misuse of IT resources.

I'd appreciate some links or references to competent online resources or good still-in-print books on the subject of how to *properly* do IT investigation and computer forensics. We are a multi-platform, heterogeneous environment, so M$-specific resources are not all that applicable. I'm looking mainly for "principles, guidelines and generalized methods", rather than "Here's how you do X forensic task on platform Y with package Z".
Rich Rumble (Security Samurai) Commented:
There are various resources available out there. Some are available at bookstores, "Computer Forensics and Digital Evidence Gathering" being one of many. Some even include a CD that offers various scenarios and queries you after viewing the scenario; it helps you to see if it is something that might be of interest to you. Various sites also have information available; is one of them. Most of the definitive information comes from courses on "Forensic Methodology"; these are generally offered at IT colleges or online from institutions like etc...
Guidance Software has some excellent White Papers available. If you are interested in pursuing a course in computer forensics, a search online should give you lots to look at. Certification is available as a certified forensic examiner. The bull in a china shop doesn't describe all of us though. Most sites that can give you specific protocol and policy type info are restricted to those of us in the industry.

If you decide to pursue it I would like to wish you luck in it. I personally find it to be a very interesting and challenging field.
PsiCop (Author) Commented:
"The bull in a china shop doesn't describe all of us though."

No, it doesn't. Just the ones I'm having to deal with right now.
dldigital Commented:
Sorry, I just tested the Virtuallibrarian link; it has finally been changed to
PsiCop (Author) Commented:
BTW, the link you provided does not work.
There's a lot that comes into play when it comes to forensics, especially in the line of computers. I'm prepping for three classes right now, Ethical Hacking, Forensics, and Advanced Forensics. Since I'm in the military, and deal a lot with security issues, I take these kinds of things seriously. Since I've never been to courses for this, I've had to stumble through a few things, and as long as you keep your eyes open and think long and hard about what you do before you do it, you're pretty safe. What I mean is, everything you do on a computer leaves tracks all over the place. Some are blatantly obvious, but you'd never think to look there.
As far as being inconspicuous about it, the best way to watch your users without them knowing of course, is remotely. As long as they aren't smart enough to figure out if someone else is touching their system from afar, you're good to go. Many will say this violates user privacy, however, most companies and government institutions have disclaimers set into place before a user logs in. They are required to acknowledge that they can be monitored and that they will abide by the rules.
There are many resources available, and as digital stated above there are courses available. has some books available, and of course, ebay as well. You're better off buying the books that are available through the actual courses, which can be found out by searching for course outlines. That way you're more likely to be able to stick to the curriculum you'd have followed if you had actually taken the course.
PsiCop (Author) Commented:
Well, I guess I wasn't too clear.

There's some ongoing investigations into employees, and the Security people are blundering about like the Keystone Kops. Not a thing they are doing will be admissible in court, should it ever get there.

Of course, I'm ignored when I bring this up.

So, I'm looking for some links, preferably, I can send to them, so they can get a clue. They won't just go to classes - that would mean admitting they're blundering about. First I gotta show them how badly they're hosing things up - and the most digestible way I can think to do that is to point them at some web resources on how to properly do this sort of investigation.
Rich Rumble (Security Samurai) Commented:
This book: Computer Forensics (ISBN# 0-201-70719-5) is a wonderful resource; it outlines many of the same points you've already addressed: court admissibility, multiple platforms, IT policy etc...

The main points of the book are as follows:
Establish guidelines for any forensics or recovery processes.
Have written policy in place, signed by each employee, as well as other policies (acceptable use, anti-virus, audit vulnerability scanning etc...)
Acquire the evidence without altering or damaging the original
Authenticate that your evidence is the same as the original
Analyze the data without modifying the recovered data

This book is much more about the politics and pitfalls of forensics, than a how-to guide on recovery, like finding deleted files etc (although that is covered as well).
From my work in this area, there are no greater tools than Ghost (or TrueImage etc...) and the recovery tools by OnTrack

There are rules that need to be followed with any investigation, especially if you're going to be involving the legal system. Warrants, subpoenas and testimony need to be carried out with the proper authorities, and if you don't have policies in place that make your recovery team the proper authority, then most of your "evidence" could be null/void in the court. Each state has its own laws that govern employees' rights etc... so this is very important to find out before any investigation is conducted.
Awareness Training seems to be in order. This link may help.
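The three evidence-handling points above (acquire without altering, authenticate against the original, analyze without modifying) boil down to one mechanical habit: hash the original, work only on a read-only copy, and re-hash before anyone relies on a finding. The script below is an added illustration, not from the book or any poster; the "disk image" it hashes is a constructed byte string standing in for a real acquisition.

```python
"""Evidence acquisition and integrity check (added illustration, not from the thread)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks so a multi-GB image never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(original: Path, workdir: Path) -> tuple[Path, dict]:
    """Copy the original to a working image, hash both, and record the hashes.
    All analysis happens on the read-only working copy, never on the original."""
    image = workdir / "evidence.img"
    shutil.copyfile(original, image)
    os.chmod(image, 0o444)  # read-only: accidental edits fail loudly
    record = {"original": hash_file(original), "image": hash_file(image)}
    return image, record


def verify(image: Path, record: dict) -> bool:
    """True only if the working image still matches the hash taken at acquisition."""
    return hash_file(image) == record["image"] == record["original"]


def run_demo() -> dict:
    """Acquire a constructed image, verify it, then show that tampering is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        original = work / "original.dd"
        original.write_bytes(b"CONSTRUCTED-SAMPLE-IMAGE " * 4096)  # stand-in data
        image, record = acquire(original, work)
        before = verify(image, record)
        # A careless analyst makes the copy writable and changes a single byte.
        os.chmod(image, 0o644)
        with open(image, "r+b") as f:
            f.seek(7)
            f.write(b"X")
        after = verify(image, record)
    return {"verified_after_acquisition": before, "verified_after_tamper": after}


if __name__ == "__main__":
    print(run_demo())
```

The hashes in `record` are what goes into the chain-of-custody log; a mismatch at any later point means the working copy can no longer be presented as equivalent to the original.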

PsiCop (Author) Commented:
Folx, they ain't gonna read books. They ain't gonna go to conferences. They ain't gonna take classes.

*I* will read books and go to conferences and take classes, but they ignore me.

Anyone have anything easily digestible, for the pea-brains?
dldigital Commented:
Something that you need to consider from the employer's point of view is that 99 times out of 100 they don't want the case to go to court, so legal niceties don't count; they just want the person to quit or be fired. This means from a forensic point of view nothing has to withstand scrutiny; the information just has to be made available. I have had such requests and have chosen to walk away from them (freelancer). I can understand your frustration, but my advice is to walk away and let them screw it up badly, then allow a suitable amount of time to pass, and quietly suggest to the boss that the past incident has piqued your interest in Computer Forensics and you have done some reading about it and would like to pursue it. You can offer to pay the cost of the class up front with reimbursement to follow if you get your certification.

As to helping those who won't listen: "been there, done that, got the t-shirt and the scars to prove it". It ain't worth the office politics battle. Just move on and wait for the dust to settle; it's always easier to hear a reasonable voice after the roar of battle has died down.

It's obvious from what you say that they aren't in a listening mood at the moment.

Good Luck
PsiCop (Author) Commented:
I'm not a freelancer, so walking away is not an option.

I'm not looking for an office battle - just some materials to hand them as sort of a CYA (for me, not them).
PsiCop (Author) Commented:
OK, I gave them richrumble's first link, we'll see how that goes. I'm going to close the Question.

Lion's share to richrumble for best Answering.