-
April 17th, 2006, 03:54 PM
#1
Junior Member
Forensic Procedures
Hi
If anyone is interested, I have produced a forensic checklist that I can post to the forum.
Let me know.
8lgm
-
April 17th, 2006, 04:23 PM
#2
I'm interested. Post it.
-
April 17th, 2006, 04:36 PM
#3
Junior Member
Forensic Procedures
These are our tried and tested procedures when conducting a forensic analysis using our preferred tools, which include EnCase ver 4.22a, AccessData Forensic Toolkit and various other tools.
1 - open EnCase and load evidence files
2 - verify evidence files and check for lost folders on each evidence file where applicable
3 - conduct file sig / hash analysis over all files
4 - conduct a gallery review over allocated space
5 - run script to extract the following:
    bmp, jpg, png etc from unallocated space
    bmp, jpg, png etc from swapfile.sys
    pictures from Word docs etc
6 - I have concluded that email analysis is best done utilising the FTK email analysis tool
7 - extract history records from unallocated space using Histex
8 - extract history records from NetAnalysis
Hope this makes sense and is of use to anyone.
I also have the ENCE PDF file which covers EnCase forensic procedures in more detail. I will post it if anyone would like a copy.
Regards
8lgm
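Step 3 of the checklist above (file signature and hash analysis), sketched without any particular forensic suite. This is an added example, not part of the original post and not EnCase's or FTK's own logic; the signature table is a small constructed subset, the sample files and hash set are constructed, and the function names are hypothetical.

```python
import hashlib
from pathlib import Path

# Constructed subset of well-known file headers; a real review uses a fuller table.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "bmp": b"BM",  # two-byte header, so false positives are possible
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 container (legacy Word)
}
ALIASES = {"jpeg": "jpg", "jpe": "jpg"}


def identify(header: bytes):
    """Return the type whose header the data starts with, or None."""
    for kind, magic in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def analyse(name: str, data: bytes, known_hashes=frozenset()):
    """Compare extension against content and hash the file for a known-file lookup."""
    ext = Path(name).suffix.lower().lstrip(".")
    ext = ALIASES.get(ext, ext)
    detected = identify(data[:16])
    if detected is None:
        verdict = "unknown"   # no header in the table matched
    elif detected == ext:
        verdict = "match"
    else:
        verdict = "mismatch"  # content disagrees with extension: review by hand
    digest = hashlib.sha256(data).hexdigest()
    return {"name": name, "detected": detected, "verdict": verdict,
            "sha256": digest, "known": digest in known_hashes}


# Constructed sample evidence, held in memory so the example runs offline.
SAMPLES = {
    "holiday.JPG": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # image renamed to .txt
    "readme.txt": b"hello world",
}
KNOWN = {hashlib.sha256(SAMPLES["readme.txt"]).hexdigest()}  # stand-in hash set

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        r = analyse(fname, blob, KNOWN)
        print(f'{r["name"]:12} {r["verdict"]:9} {r["detected"]} known={r["known"]}')
```

SHA-256 is used here as the hash; substitute whichever algorithm your known-file hash sets are published in.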
-
April 17th, 2006, 04:51 PM
#4
I think the checklist is a very "good start". There needs to be MUCH more than that to qualify as "a forensic checklist".
You need details on the referenced script, how to handle the data, when to conduct... plus much more.
Good start though.
-Deeboe
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu, The Art of War
http://tazforum.**********.com/
-
April 17th, 2006, 04:59 PM
#5
Junior Member
Forensic procedures
Hi
Thanks for that, Deeboe.
Yes, I agree with your statement about more detail being required. It was meant as a checklist, and I will be producing a more detailed checklist including the scripts run and what, if any, the consequences are. There is also the requirement to bookmark data and run relevant keyword searches.
Regards
8lgm
-
April 17th, 2006, 06:03 PM
#6
Actually, this isn't a forensic checklist at all. It's a very basic procedure for using ENCASE, a very expensive forensics solution.
--Th13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
April 17th, 2006, 06:20 PM
#7
Junior Member
Hi there
EnCase is the preferred tool that we use, and yes, it is expensive, but when used with other tools such as FTK, Histex and NetAnalysis the results are usually clear and concise.
The checklist is intended to be used with EnCase, and if I didn't point that out I'm sorry.
There are other software tools out there. I know of some, but I don't feel experienced enough to talk about them.
Regards
8lgm
-
April 17th, 2006, 06:30 PM
#8
Wanting to contribute here is absolutely fine. However, if you're not experienced in a specific area, please research the topic before posting or simply ask others what they're doing.
Yes, there are many forensic tools out there. The problem with your post is that it focuses on your organization's specific procedure (which will vary by organization) and you've focused on a product that 95% of the people here don't have or can't afford.
A checklist is solution neutral, meaning that the steps can be applied no matter what tools you're using.
--Th13
-
April 17th, 2006, 06:36 PM
#9
Junior Member