RE: forensics procedure for PC analysis

Hi John,

The ACPO Guidelines [1] are a good starting place. The other links below,
[3], [4] and [5], are more biased towards US case law.

The Helix CD [7] contains a number of standard forms for evidence
collection as well as tools.

From a process point of view, a few of the things you have to consider
are:

- Just cause; before you start imaging a machine or breaching someone's
privacy you need to document the facts as to why you want to carry out an
investigation.
- Privacy laws; targeting a machine for suspicious activity may be OK for
initial discovery, but by targeting the user you are potentially breaching
their privacy. What do your national laws say on this?
- Authorisation; who needs to authorise an investigation, and at what
point is this required?
- How far your e-discovery can go before you need to seek authorisation
to continue.
- Search and seizure and the national laws around this (in some
countries, such as Belgium, only the police have the legal right to
search someone).
- What information you collect during the search and seizure, and the
chain of custody.
- Have forms for writing down the equipment/drive serial numbers,
descriptions, etc.
- Document, document, document; everything you do and collect must be
documented, even mistakes.

(These are only a few points; many more can be found at the links shown
below.)

It helps if you have standardised collection tools such as Helix [7],
EnCase [8], Paraben [9], Logicube [10] etc., plus suitable write blockers.



[1] http://www.acpo.police.uk/asp/policies/Data/ACPO%20Guidelines%20v18.pdf
[2] http://www.auscert.org.au/render.html?it=2247
[3] http://cyber.law.harvard.edu/digitaldiscovery/digdisc_library_8.html
[4] http://library.findlaw.com/1999/Feb/22/128536.html
[5] http://www.logicubeforensics.com/logicube/articles/cybersleuth_collecting_digital_evidence.asp
[6] http://books.google.com/books?id=nEqHuVht7HgC&dq=guidelines+on+collecting+electronic+evidence&printsec=frontcover&source=in&hl=en&ei=Tfr7Sd-HKdKD-QbpnPH_Aw&sa=X&oi=book_result&ct=result&resnum=11#PPR20,M1
[7] http://www.e-fense.com/helix
[8] http://www.encase.com
[9] http://www.paraben.com
[10] http://www.logicubeforensics.com/
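The reply's points about standardised collection tooling, recording serial numbers and keeping a chain of custody, together with the original question about imaging with dd, can be tied together in a small acquisition script. The following is an added example written for this page; it is not code from either poster, from Helix, or from any of the vendors listed above. It images a source with dd, hashes source and image with SHA-256, appends a plain-text acquisition record, and later re-verifies the stored image against the recorded hash. The `OPERATOR` and `CASE_ID` variables, the function names and the log format are hypothetical choices for the example, and the demonstration uses an ordinary file as a stand-in for a block device (`/dev/sdX`) so it runs without hardware. In real use the source must be attached read-only through a hardware write blocker before the script is run, and dd's `conv=noerror,sync` is deliberately left out because it zero-pads unreadable sectors, which makes the image hash differ from the source and has to be documented separately (tools such as dc3dd/dcfldd log those bad sectors for you).

```shell
#!/bin/sh
# Added example (not from the original thread): minimal dd-based acquisition
# with hash verification and a plain-text acquisition record.
# Assumptions (hypothetical): OPERATOR and CASE_ID are set by the caller, and
# the source device is already attached read-only via a hardware write blocker.

set -u

# SHA-256 of a file, portable across coreutils, BSD and openssl-only hosts.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE with dd, hashes both, and appends a record to LOG.
# Returns 0 only when the image hash matches the source hash.
acquire_image() {
    src=$1; img=$2; log=$3
    operator=${OPERATOR:-unknown}
    case_id=${CASE_ID:-unassigned}

    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # 1 MiB blocks written numerically so both GNU and BSD dd accept it.
    # conv=noerror,sync is intentionally omitted (see lead-in text).
    dd if="$src" of="$img" bs=1048576 2>/dev/null || return 1
    finished=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    src_size=$(wc -c < "$src" | tr -d ' ')
    img_size=$(wc -c < "$img" | tr -d ' ')

    if [ "$src_hash" = "$img_hash" ]; then verdict=OK; else verdict=MISMATCH; fi

    # Chain-of-custody record: who, what, when, and the hashes that let a
    # later analyst prove the image is the one that was taken.
    {
        echo "case=$case_id operator=$operator"
        echo "source=$src image=$img"
        echo "started=$started finished=$finished"
        echo "source_sha256=$src_hash source_bytes=$src_size"
        echo "image_sha256=$img_hash image_bytes=$img_size"
        echo "verify=$verdict"
        echo "--"
    } >> "$log"

    [ "$verdict" = OK ]
}

# verify_image IMAGE EXPECTED_SHA256
# Re-hash a stored image (e.g. before analysis) against the recorded hash.
verify_image() {
    [ "$(hash_file "$1")" = "$2" ]
}

# Self-contained demonstration on a constructed "device": a regular file
# stands in for /dev/sdX. Prints the working directory on success.
demo() {
    work=$(mktemp -d)
    src="$work/evidence.dev"
    img="$work/evidence.dd"
    log="$work/acquisition.log"
    # Constructed sample content, not real evidence.
    printf 'constructed sample disk content\n' > "$src"
    dd if=/dev/zero bs=1024 count=64 >> "$src" 2>/dev/null
    OPERATOR=example CASE_ID=demo-001 acquire_image "$src" "$img" "$log" || return 1
    expected=$(hash_file "$src")
    verify_image "$img" "$expected" || return 1
    grep -q 'verify=OK' "$log" || return 1
    # Tamper with the image and confirm re-verification now fails.
    printf 'x' >> "$img"
    if verify_image "$img" "$expected"; then return 1; fi
    echo "$work"
}

demo
```

The source hash is taken after imaging, which only proves anything because the device is attached read-only; on a writable mount the hash of a live disk can change between the two reads, so the write blocker (or a read-only mount with a hashed-before/hashed-after pair) is what makes the record meaningful. Keep the log file on the examiner's own media, never on the evidence drive.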

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of John O Laoi
Sent: Monday, April 27, 2009 12:31
To: security-basics@xxxxxxxxxxxxxxxxxxxxxxx
Subject: forensics procedure for PC analysis

Hello,
Does anyone have pointers to a full recommended procedure on
preserving PC data for forensic analysis?
I'm thinking about things like getting a full backup (using dd),
preserving the disks, graceful shutdown or not, etc.

My employer has asked me to look into drafting a policy to address
this, in situations where say illicit material has been lodged to
disk.

John


