September 22nd, 2004, 06:02 PM
Computer Forensics Procedure
Hello... I'm new here.
I want to study computer forensics at degree level next fall, but before I apply for courses, I want to get as much knowledge as possible. So one of my questions is: what is the normal procedure usually taken when a computer is seized from criminals, paedophiles, terrorists, Fat Tony, etcetera?
I guess they make a mirror image of it and leave the original intact, but what next? What kind of analysis is undertaken, etc.? If you can point me in the right direction, that will be splendid....
September 22nd, 2004, 06:13 PM
Here is a pretty good article, written by a guy from the perspective of the defence. A different take on the subject that highlights the importance of correct procedure and knowledge.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
September 22nd, 2004, 06:43 PM
I'm doing the same. I'm getting a CNS degree, then getting an associate's in Criminal Justice, then starting to concentrate strictly on forensics.
September 23rd, 2004, 12:55 AM
A relatively standard procedure would be as follows; this is general and basic:
Capture volatile data (memory, processes, etc.).
Get the hard drive out of the system. Image the drive by attaching a write blocker and using "forensically sound" software. Linux dd is pretty much forensically sound... just as much as the expensive crap anyway. You can image the disk to an image file OR image it to another disk. If you image it to another disk, use the same make and model of disk.
The image source should be checksummed, as should the image itself. It's typical to make 2 images of the original.
Typically you know what you are looking for when you seize evidence, since it requires a warrant.
So you search slack space (RAM, file, etc.) and the swap file for any clues, then go through the MFT (NTFS only), internet history, email, documents, check for recoverable documents/files, look in partition gaps for hidden data, check alternate data streams, MAC times, check image files for hidden data, and on and on and on.
The most important part is that you never, never, never modify the evidence, especially if you plan on using it in court.
For starters, it's not a bad idea to screw up a computer, plant some crap, delete it, format the drive, and try to find it and recover it. It's also not a bad idea to practice doing that WITHOUT trying to be forensically sound at first.
I would suggest you grab a few books from your local bookstore or online and start reading.
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
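The imaging and checksumming step described in the post above (dd the drive, hash the source and the image, keep two copies, and never touch the original), shown as an added example that is not from the thread or any of its posters. It builds a constructed sample "evidence disk" file so it runs offline; in real use SRC would be a device node sitting behind a hardware write blocker (the path /dev/sdb in the comments is a hypothetical placeholder), and the tools assumed are POSIX sh, dd, sha256sum and mktemp.

```shell
#!/bin/sh
# Added example (not from the thread): forensic imaging with dd plus hash verification.
# Assumptions: POSIX sh, dd, sha256sum, mktemp. In practice SRC is a write-blocked device
# such as /dev/sdb (hypothetical placeholder); here it is a constructed sample file.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a constructed 1 MiB sample "evidence disk" so the example runs offline.
# 1 MiB is an exact multiple of the 4096-byte block size used below, so dd's
# conv=sync padding never kicks in and source and image hashes can match.
make_sample_disk() {
    dd if=/dev/urandom of="$WORK/evidence.raw" bs=1024 count=1024 2>/dev/null
    printf '%s\n' "$WORK/evidence.raw"
}

# Hash a file and print only the hex digest.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# Image SRC to DEST with dd, record the source digest beside the image,
# and return 0 only if the image hashes identically to the source.
# conv=noerror,sync keeps reading past bad sectors and zero-fills them; if a
# real drive's size is not a multiple of bs, the padding changes the image hash
# and the comparison must instead be made against a hash of the same padded read.
image_and_verify() {
    src="$1"; dest="$2"
    dd if="$src" of="$dest" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_file "$src")
    dest_hash=$(hash_file "$dest")
    # The source (original evidence) hash is the reference everything is checked against.
    printf '%s\n' "$src_hash" > "$dest.sha256"
    [ "$src_hash" = "$dest_hash" ]
}

# Re-hash an image later (e.g. before analysis or in court) and compare it with the
# digest recorded at acquisition time. Returns 0 if unchanged, non-zero if it differs.
verify_against_record() {
    img="$1"
    recorded=$(cat "$img.sha256")
    [ "$(hash_file "$img")" = "$recorded" ]
}
```

Usage: `SRC=$(make_sample_disk); image_and_verify "$SRC" "$WORK/image1.dd" && image_and_verify "$SRC" "$WORK/image2.dd"` produces the two images the post recommends, each with a recorded digest; `verify_against_record "$WORK/image1.dd"` is the check to run before any later work, and it fails the moment a single byte of the image changes, which is exactly why analysis is done on a copy and the original is left untouched.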