Forensics "pass on"

Can I ask a pretty novice forensics question?

If say you have an internal forensics investigator with a dedicated offline machine – and he has encrypted drives so he images the suspect drive using his write blocker or whatever, once it is imaged – where does he typically save the imaged copy? Locally on the forensics analysis machine – on an encrypted drive?

For example best practices seem to be not to network the machine – so it can’t be saved on any networked drive – so I assume it just gets saved locally? What about backups though. What if the drive you just imaged then failed, and the drive you imaged it to also fails. Then you’ve lost the evidence haven’t you? What do forensics investigators do in this case?

My second question is – if big boss says thanks for imaging it and doing your analysis on the image – I now want to take the findings in the EnCase case file away with me and view it on my laptop? How? Can you give him like a light version of your findings in EnCase format – or, does he need a copy of the actual imaged drive (is this the E01?) AND the case file on his laptop to review? Or can you just give a copy of the findings as opposed to the whole imaged device and case file?

For info - these are just for internal disciplinary matters and nothing legal.
Asked by: pma111

1 Solution
antony_kibble Commented:
The way I do it, and I am by no means saying this is the correct or standard way, is when acquiring the image and creating case files, I use an external drive attached to the standalone device to save the drive image and the case files to. I use one hard drive per active case. Once the case has been completed, the image and the case files are copied up to a hidden network share and ACLs put on the folder so that only I, and relevant parties, have access. I have Edit access in case I need to add addendums, or revisit the case; the relevant parties only have Read access to the files.
Once the case has been copied up to the share, then the external drive is 'nuked' so it can be used for another case.

There should be no reason for your boss to take the EnCase files away with him. If the case has been investigated properly, then all he needs to take away with him is the case report, logging your findings, processes etc and a CD/DVD of material found compiled in a way for it to be easily aligned with the case report.
pma111 (Author) Commented:
Hi,

Do you use EnCase? And is yours just for internal investigations? Or possible court of law?

Thanks
pma111 (Author) Commented:
So you basically work on your case on an external drive? Nothing is saved on your workstation's internal drives?

Cheers
antony_kibble Commented:
Yes, I use EnCase v7. And also looking at Passmark's OSForensics.

Most of my work is done for internal HR investigations against leavers, inopportune use of company equipment etc, though I also do more involved work for the company for claims, litigation etc.

I try and keep the internal drive of the forensic device as clear as possible. Wherever possible, nothing is saved to the local hard drive; everything is saved to an external drive and then copied up to the network.
pma111 (Author) Commented:
Cheers - do you have a specific methodology you follow when you get a new case in? Or does your methodology change depending on the allegations?

Would you be willing to share your methodology?

I have an old copy of EnCase that I want to use for some basic self training.
pma111 (Author) Commented:
Would also be interested in what the case report looks like - or what kind of data is included in it?

Is this an EnCase report writing feature - or something you put together outside of EnCase manually?

Thanks
antony_kibble Commented:
I have a check list of things that need to be done, and it is in the process of being updated, but as soon as it is finished I will put up a copy.

But basically it is/will be:

A Request Form to be filled in by HR/Legal requesting the investigation

A Device Seizure Form to ensure that all data and the device is taken and handled correctly by local support technicians.

A Physical Check form, to document serial numbers, drive sizes, tag numbers, model etc., and log any damage to the device upon receiving.

An imaging check list to log Version of utility used, hash numbers, name of files created.

A case log to document the Case name, investigator, timelines and work done (QCC's Forensic CaseNotes is my recommendation)

A check list to remind me of what to look for
Recent Activity
Deleted Files
Internet History
USB Usage
Printing
Deleted Files
and all the various types of file extensions to look for.


Whilst EnCase is pretty much the industry standard, for training workflows and quick easy ways of testing and checking, Passmark's OSForensics is really easy to use, and while still in beta, is free to use for a limited time. I have been testing it and it is very good, and will be a lot cheaper than EnCase upon release.
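Alongside the imaging checklist above (utility version, hash numbers, file names created) and the earlier step of copying the image up to a network share, here is an added example that is not from this thread or from any of the tools it names: a small Python script that hashes an acquired image, appends the checklist fields to a case log, and re-hashes the copy on the share so a silently damaged backup is caught rather than trusted. The file names, tool string and case number are placeholders, and the "image" is constructed random data, not a real E01.

```python
# Added example (not from the thread): hash an acquired image, record the imaging-
# checklist fields (tool, file name, hashes) in a case log, and verify that the copy
# pushed to the archive share still matches. The "image" here is constructed test data.
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB blocks: multi-TB images never fit in memory

def hash_file(path):
    """MD5 and SHA-256 of a file, streamed in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def log_acquisition(log_path, image_path, tool, case):
    """Append one imaging-checklist entry to a JSON-lines case log and return it."""
    entry = {"case": case, "time": datetime.now(timezone.utc).isoformat(),
             "tool": tool, "file": os.path.basename(image_path),
             "size": os.path.getsize(image_path), **hash_file(image_path)}
    with open(log_path, "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry

def verify_copy(original, copy):
    """True only if size and both hashes of the copy match the original."""
    return (os.path.getsize(original) == os.path.getsize(copy)
            and hash_file(original) == hash_file(copy))

def demo():
    """Constructed run: log a fake image, copy it, verify, then corrupt the copy and re-verify."""
    work = tempfile.mkdtemp()
    img = os.path.join(work, "case001.E01")       # placeholder name, not a real EnCase image
    with open(img, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 17))      # odd size exercises the final partial chunk
    entry = log_acquisition(os.path.join(work, "caselog.jsonl"), img, "imager-x.y (placeholder)", "CASE-001")
    share = os.path.join(work, "share", "case001.E01")
    os.makedirs(os.path.dirname(share))
    shutil.copy2(img, share)
    intact = verify_copy(img, share)
    with open(share, "r+b") as fh:                # flip one byte: a silently damaged backup
        fh.seek(100)
        byte = fh.read(1)
        fh.seek(100)
        fh.write(b"\x00" if byte != b"\x00" else b"\x01")
    return entry, intact, verify_copy(img, share)
```

Running `demo()` returns the log entry, `True` for the fresh copy and `False` once a single byte of the copy has changed; the same check run on the external drive and on the share is what tells you which copy to trust if one of them fails.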
antony_kibble Commented:
The final report is a Word document that brings it all together.

Starts with a header of Case Number, investigator name and who the report was compiled for, and the details of any evidence on CD that accompanies it.

An introduction of why the investigation was initiated and when.

An Executive summary giving brief details of what was found, if anything.

A full detailed report of the investigation, giving timelines, actions taken, details of evidence - with reference of where to find on the CD if applicable, or inserts of pictures (up to you if they need to be pixelated for the report)

Final Summary
pma111 (Author) Commented:
If you can put a copy of your checklist that would be awesome and most welcome.

Can you go into more detail on this:

>>and all the various types of file extensions to look for

Was this a full list:

A check list to remind me of what to look for
Recent Activity
Deleted Files
Internet History
USB Usage
Printing
Deleted Files


Or just some examples? I take it you review photo images as well?
pma111 (Author) Commented:
Also be interested if it's possible to find encrypted volumes such as those created with TrueCrypt - can EnCase find them quickly? Or is that a manual review?
pma111 (Author) Commented:
Sorry, one more - any particular reason why you don't save imaged drives/case files to a workstation's local drive, in favour of using an external drive? Is this just an external USB?
antony_kibble Commented:
Space generally, also it means that any images or recovered files are forensically sound and haven't been altered by anything running on the local drive, or potentially infected or give the element of doubt that something 'might' have happened to them.

Plain external drive. Nothing fancy, just as big as you can afford, especially as internal drives are getting bigger and so need more space for the image.

For encrypted drives you need to subscribe to the relevant modules for EnCase and have the relevant decryption keys so that the image can be decrypted, or decrypt the drive prior to imaging.


The above was just an example; basically you look for anything that will help in your investigation. All image files, all word processing files, all office extensions, all tmp files, all bak files, shortcuts, URLs, thumbnails.

A good place to start for advice is the ForensicsForum; there are lots of examples on there about how to get started, which software to use etc.

Enjoy your trip into forensics, it is a great deal of fun, I don't really get enough to satiate my lust for investigation at work. :(

pma111 (Author) Commented:
Thanks man