Forensic Procedures
Results 1 to 9 of 9

Thread: Forensic Procedures

  1. #1
    Junior Member
    Join Date
    Apr 2006
    Posts
    11

    Forensic Procedures

    Hi

    if anyone is interested i have produced a forensic checklist that i can post to the forum

    let me know

    8lgm

  2. #2

  3. #3
    Junior Member
    Join Date
    Apr 2006
    Posts
    11

    Forensic Procedures

    This is our tried and tested procedures when conducting a forensic analysis using our preferred tools which include encase ver 4.22a , AccessData forensic toolkit and various other tools.

    1 - open encase and load evidence files
    2 - verify evidence files and check for lost folders on each evidence file where applicable
    3 - conduct file sig / hash analysis over all files
    4 - conduct a gallery review over alloacted space
    5 - run script to extract the following:
    bmp,jpg,png etc from unallocated space
    bmp,jpg,png etc from swapfile.sys
    pictures from word docs etc

    6 - i have concluded that email analysis is best done utilising FTK email analysis tool
    7- extract history records from unallocated space using histex
    8 - extract history records from netanalysis


    Hope this makes sense and is of use to anyone..

    I also have the ENCE pdf file which covers encase forensic procedures in more detail. I will post it if anyone would like a copy



    regards


    8lgm

  4. #4
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    I think the checklist is a very "good start". There needs to be MUCH more than that to qualify as "a forensic checklist".

    You need details on the the referenced script, how to handle the data, when to conduct... plus much more.

    Good start though.

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  5. #5
    Junior Member
    Join Date
    Apr 2006
    Posts
    11

    Forensic procedures

    Hi

    Thanks for that Deeboe

    Yes i agree with your statement about more detail required it was meant as a checklist and i will be producing a more detailed checklist including the scripts ran and what if any the consequences. There is also the requirement to bookmark data and run relevant keyword searches.


    Regards

    8lgm

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Actually, this isn't a forensic checklist at all. It's a very basic procedure for using ENCASE, a very expensive forensics solution.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Junior Member
    Join Date
    Apr 2006
    Posts
    11
    HI there

    Encase is the preferred tool that we use and yes it is expensive , but when used with other tools such as FTK, Histex and net analysis the results are usually clear and consise.

    The checklist is intended to be used with encase and if i didn't point that out i'm sorry.

    There are other software tools out there i know of some but i don't feel experienced enough to talk about them


    regards


    8lgm

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Wanting to contribute here is absolutely fine. However, if you're not experienced in a specific area, please research the topic before posting or simply ask others what they're doing.

    Yes, there are many forensic tools out there. The problem with your post is that it focuses on your organization's specific procedure (which will vary by organization) and you've focused on a product that 95% of the people here don't have or can't afford.

    A checklist is solution nuetral, meaning that the steps can be applied no matter what tools you're using.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Junior Member
    Join Date
    Apr 2006
    Posts
    11
    ok

    point taken

    8lgm

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides