Best Practices for Computer Forensics in the Field
Introduction
Computer forensics examiners are responsible for technical acuity, knowledge of the law, and objectivity throughout an investigation. Success rests on verifiable and repeatable results which, when reported, constitute direct evidence of the potential or alleged misdeeds of a principal. This article presents a set of best practices for computer forensics practitioners, representing acceptable solutions that have proven themselves in the field. A best practice is a process with a repeated record of success in use. This is not a cookbook: best practices should be tested against, and applied to, the specific needs of the organization, the case, and the setting.
Job Knowledge
An examiner can only be as well informed as the client allows before going into the field. In many cases, clients or their representatives have some information about how many systems are involved, their specifications, and their current status, and that information is frequently wrong in ways that cause critical mistakes. This is especially true of hard drive sizes, laptop disassembly, password-protected devices, and hardware interfaces. Taking the device back to the laboratory should always be the first line of defense, because it provides maximum flexibility. If an on-site acquisition is unavoidable, compile a complete list of the information to be collected before going into the field. The list should be broken into small steps, with a check box for each step, so that the examiner always knows the next step and is never left to "think on their feet."
Estimating Time
Overestimate by at least a factor of two the amount of time needed to complete the job. This includes gaining access to the device, setting up the forensic acquisition with a sound write-blocking strategy, completing the paperwork and chain-of-custody documentation, copying the acquired image to another device, and restoring the hardware to its original state. Note that service manuals may require the dismantling of small devices to reach the drive directly, creating further problems for both acquisition and hardware restoration. Live by Murphy's Law: something always goes wrong and takes longer than expected, even when you have done it many times before.
Equipment Inventory
Most examiners own enough of a variety of devices to run sound forensic acquisitions in several different ways. Decide in advance how you would ideally like to carry out the on-site acquisition. We have all seen equipment fail or otherwise misbehave, a show stopper at the most critical moment. Consider carrying two write-blockers and additional storage drives, wiped and ready. Between jobs, verify each write-blocker with a hashing exercise: hash a test drive, connect it through the blocker, attempt a write, and hash the drive again to confirm that nothing changed. Double-check and review all of your kit against a checklist before leaving for the site.
Flexible Acquisition
Instead of trying to make a best guess at the exact size of the client's hard drive, bring mass storage, and if space is a problem, capture in a format that compresses your data. After collecting the data, copy it to a second location. Many examiners are limited to the traditional acquisition, in which the machine is opened, the drive removed, placed behind a write-blocker and acquired. The Linux operating system offers other collection methods. Booting Linux from a CD, an examiner can acquire the drive without removing it from the machine. Be familiar enough with the process to understand how to collect hash values and follow the other protocols involved. Live acquisition is also discussed later in this document. Leave the original drive with the attorney or the client and take the copy to your lab for analysis.
Pull the plug
There is heated debate about what to do when confronted with a running machine. Two choices are clear: pull the plug, or perform a clean shutdown (assuming you can log in). Most examiners pull the plug, and this is the best way to ensure that any "evil" process that is running, such as one wiping data, is stopped. It also gives the examiner access to a snapshot of the swap file and other system information as it was last used, at the cost of whatever was held only in memory. Note that pulling the plug can also damage some files on the system so that they are no longer accessible to the examiner or to users. Clients who would rather have a clean shutdown must make that choice with the consequences spelled out. It is important to document how the machine was brought down, because that knowledge is absolutely essential for the analysis.
Live Acquisitions
Another option is a live acquisition. Some define "live" as acquiring a running machine as it is; for this purpose, it means any machine that is running during the acquisition by whatever means. One method is to boot into a minimal Linux environment that supports just enough to capture an image of the hard drive (often alongside other forensic capabilities), with a kernel that does not touch the host computer's drive. Special versions also exist that use the Windows AutoRun feature for incident response on a running system; anything run on the live host alters its state, so record exactly what was executed. These methods require advanced knowledge of Linux and experience with computer forensics. This type of acquisition is ideal when, for reasons of time or complexity, dismantling the machine is not a reasonable choice.
Basics
A remarkably common oversight by examiners is failing to boot the device once the hard drive has been removed from it. Checking the BIOS is absolutely critical to a fully validated analysis. The date and time reported by the BIOS must be recorded, especially when time zones are an issue. A great deal of other information may be available, depending on the manufacturer that wrote the BIOS software. Note that drive manufacturers can also hide some areas of the hard disk (Host Protected Areas), and your acquisition tool must be able to make a full bit-stream copy that takes them into account; on Linux, hdparm -N reports whether a drive has an HPA set. Another key point for the examiner is to understand how hashing works: some hash algorithms are preferred, not necessarily for their technical merit, but for how they are perceived in a courtroom.
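The Linux boot-CD acquisition described under Flexible Acquisition, together with the hash collection and bit-stream copy this section calls for, as an added example that is not part of the original article. It assumes GNU coreutils (dd, sha256sum) and gzip are present in the boot environment; the device path, job number and evidence number passed by the caller are placeholders, and the 1 MiB file used in the dry run is a constructed stand-in for a real drive.

```shell
#!/bin/sh
# Added example (not from the original article): image a source device as a
# compressed bit-stream copy from a Linux boot environment, hash the source and
# the image independently, and append a record to an acquisition log.
# Assumptions: GNU coreutils (dd, sha256sum) and gzip are available; device
# path, job number and evidence number are placeholders supplied by the caller.
set -eu

# acquire SRC OUT_PREFIX JOB EVIDENCE
#   Writes OUT_PREFIX.dd.gz (compressed image), OUT_PREFIX.sha256 (SHA-256 of
#   the raw data inside the image) and appends one line to OUT_PREFIX.log.
#   Returns 0 when the image decompresses to the same SHA-256 as the source.
acquire() {
    src=$1; out=$2; job=$3; evid=$4

    # bs=512 matches the logical sector size, so conv=noerror,sync pads an
    # unreadable sector with zeros without shifting the rest of the image
    # (use bs=4096 on drives with 4 KiB logical sectors). dd only reads
    # from $src; the compressed stream is the only thing written.
    dd if="$src" bs=512 conv=noerror,sync 2>/dev/null | gzip -c > "$out.dd.gz"

    # Hash the source in a separate pass, and hash what the image actually
    # decompresses to. A mismatch means a zero-padded read error or a device
    # that changed underneath us, and it is recorded rather than hidden.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    img_hash=$(gzip -dc "$out.dd.gz" | sha256sum | cut -d' ' -f1)
    printf '%s\n' "$img_hash" > "$out.sha256"

    printf '%s job=%s evidence=%s src=%s image=%s src_sha256=%s image_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$job" "$evid" "$src" "$out.dd.gz" \
        "$src_hash" "$img_hash" >> "$out.log"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE_GZ HASH_FILE
#   Lab-side check: decompress the image and compare it with the recorded hash.
verify_image() {
    recorded=$(cut -d' ' -f1 < "$2")
    actual=$(gzip -dc "$1" 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ "$recorded" = "$actual" ]
}

# Dry run on a constructed 1 MiB file (2048 sectors) standing in for /dev/sda.
demo() {
    tmp=$(mktemp -d)
    seq 1 300000 | head -c 1048576 > "$tmp/drive.bin"
    acquire "$tmp/drive.bin" "$tmp/case-0001-ev01" "CASE-0001" "EV01"
    verify_image "$tmp/case-0001-ev01.dd.gz" "$tmp/case-0001-ev01.sha256"
    # A truncated copy of the stored image must fail verification.
    head -c 1000 "$tmp/case-0001-ev01.dd.gz" > "$tmp/damaged.dd.gz"
    if verify_image "$tmp/damaged.dd.gz" "$tmp/case-0001-ev01.sha256"; then
        echo "damaged image verified; this must not happen" >&2
        return 1
    fi
    cat "$tmp/case-0001-ev01.log"
    rm -rf "$tmp"
}

demo
```

On a real job the boot environment must not auto-mount the target, and this script is not a substitute for a hardware write-blocker: dd only reads from the source, but nothing here stops other software on the booted system from writing to it. The source is hashed in a second pass rather than from the dd stream so that a sector zero-padded by conv=noerror,sync shows up as a mismatch in the log instead of being silently accepted as a clean image.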
Secure Storage
Acquired images should be stored in a protected, static-free environment. The examiner should have access to a locked safe in a locked office. Drives should be stored in antistatic bags and protected with non-static packaging material or the original packing material. Each drive should be labeled with the names of the client, the attorney, and the examiner. Some examiners photocopy the labels on the disk if they have access to a copier during the acquisition, and the copy should be stored with the associated paperwork. At the end of the day, each drive should be tied to a chain-of-custody document, a job number, and an evidence number.
Retention Policy
Many clients and attorneys impulsively have a computer acquired for immediate analysis and then sit on the evidence for months. Ask the attorney clearly how long they expect the lab to hold the evidence, and charge a storage fee for critical or large jobs. You may be holding critical information about a crime or a civil action, and while from a marketing perspective it may seem like a good idea to keep a copy of the disk, it can be better for the case to hand over all copies to the attorney or the client with the appropriate chain-of-custody documentation.
Conclusion
Computer forensics examiners have many options for on-site acquisition. At the same time, the on-site environment presents its own hazards for examiners. Tools can malfunction, time pressure can be severe, observers may add pressure, and suspicion may be in the air. The examiner should take care to maintain their instruments and keep their knowledge current, learning the best techniques for each situation. Using the best practices described here, the examiner should be prepared for almost any situation and able to set appropriate targets and expectations for the effort and cost involved.