RE: forensics procedure for PC analysis
- From: "Simon Thornton" <simon@xxxxxxxxxxxxx>
- Date: Sat, 2 May 2009 10:21:55 +0200
Hi John,
The ACPO Guidelines [1] are a good starting place. The other links below,
[3], [4] and [5], are more biased to US case law.
The Helix CD [7] contains a number of standard forms for evidence
collection as well as tools.
From a process point of view, a few of the things you have to consider are:
- just cause; before you start imaging a machine or breaching someone's privacy you need to document the facts as to why you want to carry out an investigation.
- privacy laws; targeting a machine for suspicious activity may be OK for initial discovery, but to target the user you are potentially breaching their privacy. What do your national laws say on this?
- authorisation; who needs to authorise an investigation and at what point is this required?
- how far your e-discovery can go before you need to seek authorisation to continue.
- search and seizure and the national laws around this (in some countries, such as Belgium, only the police have the legal right to search someone).
- what information you collect during the search and seizure, and the chain of custody.
- have forms for writing down the equipment/drive serial numbers, descriptions, etc.
- document, document, document; everything you do and collect must be documented, even mistakes.
(These are only a few points; many more can be found on the links shown below.)
It helps if you have standardised collection tools such as Helix [7],
Encase [8], Paraben [9], Logicube [10] etc., plus suitable write blockers.
[1] http://www.acpo.police.uk/asp/policies/Data/ACPO%20Guidelines%20v18.pdf
[2] http://www.auscert.org.au/render.html?it=2247
[3] http://cyber.law.harvard.edu/digitaldiscovery/digdisc_library_8.html
[4] http://library.findlaw.com/1999/Feb/22/128536.html
[5] http://www.logicubeforensics.com/logicube/articles/cybersleuth_collecting_digital_evidence.asp
[6] http://books.google.com/books?id=nEqHuVht7HgC&dq=guidelines+on+collecting+electronic+evidence&printsec=frontcover&source=in&hl=en&ei=Tfr7Sd-HKdKD-QbpnPH_Aw&sa=X&oi=book_result&ct=result&resnum=11#PPR20,M1
[7] http://www.e-fense.com/helix
[8] http://www.encase.com
[9] http://www.paraben.com
[10] http://www.logicubeforensics.com/
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of John O Laoi
Sent: Monday, April 27, 2009 12:31
To: security-basics@xxxxxxxxxxxxxxxxxxxxxxx
Subject: forensics procedure for PC analysis
Hello,
Does anyone have pointers to a full recommended procedure on
preserving PC data for forensic analysis?
I'm thinking about things like getting a full backup (using dd),
preserving the disks, graceful shutdown or not, etc.
My employer has asked me to look into drafting a policy to address
this, in situations where say illicit material has been lodged to
disk.
John
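The imaging step John asks about (a dd-style bit copy) combined with the chain-of-custody documentation Simon lists, as an added example that is not part of this thread or of any of the tools it cites: it hashes the source as it is read, re-hashes the written image to prove the copy is bit-identical, and appends an append-only JSON custody record. It assumes the source device is already behind a write blocker, and the examiner name, case id and sample disk are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size

def hash_file(path):
    """SHA-256 of a file or block device, read in CHUNK-sized pieces."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image_path, examiner, case_id, device_notes):
    """Stream source (e.g. a write-blocked /dev/sdb) into image_path, hashing as we read."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
        dst.flush(); os.fsync(dst.fileno())  # make sure the image really reached the media
    img_hash = hash_file(image_path)  # independent re-read proves a bit-identical copy
    return {"case_id": case_id, "examiner": examiner, "device_notes": device_notes,
            "source": source, "image": image_path, "bytes": os.path.getsize(image_path),
            "source_sha256": src_hash.hexdigest(), "image_sha256": img_hash,
            "verified": src_hash.hexdigest() == img_hash,
            "acquired_utc": datetime.now(timezone.utc).isoformat()}

def append_custody_log(log_path, record):
    """One JSON line per action, append-only: earlier entries are never rewritten."""
    with open(log_path, "a") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")

def run_demo():
    """Constructed sample: image a throw-away file, log it, then catch a later flipped byte."""
    work = tempfile.mkdtemp()
    source, image = os.path.join(work, "disk.bin"), os.path.join(work, "disk.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # 3 MiB plus an odd tail, not a real disk
    record = acquire_image(source, image, "hypothetical examiner", "CASE-0001",
                           "constructed sample, no make/model/serial")
    append_custody_log(os.path.join(work, "custody.jsonl"), record)
    intact = hash_file(image) == record["source_sha256"]
    with open(image, "r+b") as f:  # tamper with one byte after acquisition
        f.seek(10); b = f.read(1); f.seek(10); f.write(bytes([b[0] ^ 0xFF]))
    return record, intact, hash_file(image) == record["source_sha256"]
```

Re-running hash_file against the recorded hash before every analysis session is what lets the custody log show the image was never altered between seizure and examination.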