A day in the life of a Forensics Investigator

(@secret_squirrel)
 

Hi everyone,

I have been playing multiple roles in my job, from network administration to email administration to desktop audits and network security.

I have been given an opportunity to join a newly created Security Division for my state government.

They have never had a division like this before, and they are asking how broad a spectrum security could cover.

I have to create a mock job description. My current training has been EC-Council's CHFI, CEH and Mile2's CPTS.

I was wondering if any of you guys come from the same skillset and if you could tell me a little of what your day is like, from a job-function point of view.

I have thought about the following

Vulnerability assessments ( at least baseline scanning ).
System auditing
Desktop audits
Forensic audits
Data recovery
Log reading
IDS, web filtering management
Auditing patch management

Any help would be great!

 
Posted : 21/10/2005 7:29 pm
(@arashiryu)
 

Congrats on your new opportunity.

Hope this helps. You are welcome to contact me offline if you have need for further help.

Vulnerability assessments
1) Very important for managing risk.
2) My recommendation would be to run a network discovery and classify the network devices in a tier model. For example, all Internet-facing devices would be Tier1, internal LAN devices would be Tier2 and the rest Tier3.
3) Develop a cross-functional team for remediation of assessment results.
4) Schedule your scans and make sure all the application owners and device owners are aware you are going to run the scan.
5) Publish results.
6) Remediation team completes their patching.
7) Re-Scan to validate remediation
8) Repeat this process monthly or as necessary.
I don't know what vulnerability scanner you plan to use; I suggest QualysGuard.

System Auditing
1) Determine a central location to store event logs.
2) Use EventComb (free util) to run scans and archive findings.

Desktop Audits
I recommend making this a part of your vulnerability assessments. Maybe Tier3. The QualysGuard appliance supports this.

Forensic Audits
Not clear on this objective. Can you provide additional info.

Data Recovery
Most forensic tools (hardware and software) can also be used for data recovery. Have a repeatable process with standard tools. Ontrack Data Recovery tools are impressive.

Log Reading
EventComb is a good tool to collect event logs and dump them to an Access database, CSV format etc. A lot of commercial tools are available as well.

IDS, Web Filtering
Implement an Internet proxy. BlueCoat has a good appliance.

Audit Patch management
Again, make this part of vulnerability assessments. QualysGuard can audit against missing patches.

Note
In no way am I promoting any devices or programs. These are just recommendations from my experience.

 
Posted : 22/10/2005 8:42 am
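An added example, not code from the thread or from any scanner vendor, that turns the tier / scan / remediate / re-scan cycle in the post above into something you can actually run against scan exports. It assumes (my assumption, not the post's) that scan results are exported as CSV with host, finding and severity columns, and that tiers are assigned purely by IP range. The address plan and both scan exports are constructed sample data; the finding names are placeholders, not real scanner plugin IDs.

```python
"""Added example, not code from the thread: a small tracker for the
tier / scan / remediate / re-scan cycle described in the post above.

Assumptions (mine, not the post's): scan exports are CSV with columns
host, finding, severity; tiers are assigned purely by IP range. The address
plan and both scan exports below are constructed sample data; the finding
names are placeholders, not real scanner plugin IDs.
"""
import csv
import io
import ipaddress

# Hypothetical address plan for the tier model.
TIER1_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # Internet-facing
TIER2_NETS = [ipaddress.ip_network("10.0.0.0/8")]       # internal LAN
# Anything else (labs, test ranges, unknown) is Tier3.

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def tier_for(host: str) -> int:
    """Classify a host by its address: 1 = Internet-facing, 2 = LAN, 3 = rest."""
    addr = ipaddress.ip_address(host)
    if any(addr in net for net in TIER1_NETS):
        return 1
    if any(addr in net for net in TIER2_NETS):
        return 2
    return 3


def parse_scan(scan_csv: str) -> set:
    """One finding = (host, finding, severity). Sets make the re-scan diff trivial."""
    reader = csv.DictReader(io.StringIO(scan_csv))
    return {(row["host"], row["finding"], row["severity"]) for row in reader}


def worklist(findings: set) -> list:
    """Remediation order: Tier1 before Tier2 before Tier3, high severity first."""
    return sorted(findings,
                  key=lambda f: (tier_for(f[0]), SEVERITY_RANK[f[2]], f[0], f[1]))


def validate_remediation(baseline: set, rescan: set) -> dict:
    """Step 7: the re-scan proves what was fixed; it also catches regressions."""
    return {
        "fixed": baseline - rescan,        # gone after patching
        "still_open": baseline & rescan,   # remediation team missed these
        "new": rescan - baseline,          # appeared since the baseline
    }


# Constructed sample exports (not real scanner output).
BASELINE_CSV = """host,finding,severity
203.0.113.10,smb-signing-not-required,medium
203.0.113.10,missing-patch-A,high
10.1.2.3,missing-patch-A,high
10.1.2.3,telnet-enabled,medium
192.168.50.7,default-snmp-community,high
"""

RESCAN_CSV = """host,finding,severity
203.0.113.10,smb-signing-not-required,medium
10.1.2.3,telnet-enabled,medium
10.1.2.3,missing-patch-B,high
192.168.50.7,default-snmp-community,high
"""


def run_cycle(baseline_csv: str = BASELINE_CSV, rescan_csv: str = RESCAN_CSV) -> dict:
    """Diff baseline against re-scan and build the worklist for the next round."""
    baseline = parse_scan(baseline_csv)
    result = validate_remediation(baseline, parse_scan(rescan_csv))
    result["next_worklist"] = worklist(result["still_open"] | result["new"])
    return result


if __name__ == "__main__":
    r = run_cycle()
    for key in ("fixed", "still_open", "new"):
        print(f"{key}: {len(r[key])}")
    print("next remediation worklist (tier, then severity):")
    for host, finding, sev in r["next_worklist"]:
        print(f"  tier{tier_for(host)} {host:15} {sev:6} {finding}")
```

The set difference is the whole point of step 7: a finding that is in the baseline and not in the re-scan is the only proof that the remediation team's patching actually took, and a finding that is in the re-scan but not the baseline is a regression the monthly cycle would otherwise miss.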
(@robogeek)
 

Just a quick note on the data recovery..

Most of the commercial tools will change filenames, access times, MD5s and other things. Don't use these for any forensic work except investigative. The data recovered won't hold up in court.

Also, most data recoveries are hardware/firmware failures. Drives need to be made functional before recovery is attempted. For each make you'll want to develop a procedure, since they all differ, e.g. WD S.M.A.R.T. errors, Maxtor P-list/G-list problems, etc.

 
Posted : 22/10/2005 11:14 pm
(@armresl)
 

The statement about recovered data changing MD5s, access times, etc. not holding up in court is not accurate.

In that same breath you would have to throw out anything found in freespace or file slack because of the same problems either not having a file name or an extension.

Plenty of times I have gone in court with drives that I have used a program on for a logical recovery or a raw recovery and I have not been given a problem one time and every time the evidence was admitted.

I can say that if you do forensic work and don't run data recovery tools on the drives you are working on, then there is a strong possibility that you are missing some very good information.

 
Posted : 24/10/2005 7:26 pm
(@robogeek)
 

I'm sorry, but I've had evidence tossed out for that very reason. If I have to rebuild a corrupted file, or one from a damaged drive, all you have to do is ask me under oath if I'm sure that file is exactly the same as it was originally and I have to say no. No judge will allow altered evidence to be admitted.
I've had things tossed because the file's last accessed time was when the defendant was in jail.
That's why you lock drives and disable write access.

 
Posted : 24/10/2005 11:11 pm
(@wardy)
 

Wouldn't it be more advisable to forensically copy the hard disk drive, clone it onto a drive with identical spec and use the clone to work from? The original evidence has never been tampered with, and data recovery tools may still be run.

If the court has concerns regarding the changing of evidence/tampering, by using a second clone drive you could demonstrate your methods to the court without altering the original evidence!

 
Posted : 25/10/2005 11:40 am
(@armresl)
 

Whenever data was questioned, we have asked for a break to go get what both sides agreed was a copy of the original drive, and been able to show the data on that drive.

Judges can take evidence under advisement and let the trial go on without making a ruling on the admissibility at that time.

 
Posted : 25/10/2005 8:22 pm
(@gmarshall139)
 

Wouldn't it be more advisable to forensically copy the hard disk drive, clone it onto a drive with identical spec and use the clone to work from? The original evidence has never been tampered with, and data recovery tools may still be run.

If the court has concerns regarding the changing of evidence/tampering, by using a second clone drive you could demonstrate your methods to the court without altering the original evidence!

I think this is possible, but you are open to more questions than are necessary. As you work from the clone you are altering it. I like to check and point out in my reports that the image I'm working from is a true image, both at the beginning of an analysis and at its conclusion. Otherwise you are pulling evidence off a clone that is not a true image from the moment you begin your analysis. You could mitigate this somewhat by attaching your clone via a write-blocking device, but it will limit what functions you can perform on the drive and be more frustrating than fruitful.

 
Posted : 26/10/2005 6:23 pm
(@zyborski)
 

In relation to data recovery.

In the 'truest' sense most forensic tools are not adequate for data recovery purposes, as they will only image the sectors that they can easily read (certainly true of EnCase prior to V5, where one bad sector in 64 resulted in 64 dropped sectors). True data recovery tools work very differently to 'imaging' products.

Attempting data recovery techniques on a 'cloned' copy of the original MAY therefore result in missed data.

just a thought…..

 
Posted : 26/10/2005 11:19 pm
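An added example, not code from the thread or from any imaging product, that demonstrates the two technical points made in the last few posts: zyborski's point that an imager which drops a whole 64-sector block on one read error loses 63 good sectors per bad one, and gmarshall139's point that the working copy should be hashed when it is made and again when the analysis ends so that any tool that touched it shows up. The "drive" is a constructed in-memory buffer with two injected bad sectors (my construction); nothing here touches real hardware, and the sector-by-sector retry is the generic technique, not a description of what EnCase or any other named product does.

```python
"""Added example, not code from the thread or from any imaging product:
a simulated imager that shows the two points made in the posts above.

1. An imager that reads in 64-sector blocks and drops the whole block on a
   read error loses 63 good sectors for every bad one; retrying the failed
   block one sector at a time keeps everything except the sectors that are
   actually unreadable, and logs exactly which ones they were.
2. The working copy should be hashed when it is made and again when the
   analysis ends; any tool that touches the copy will fail the check.

The 'drive' below is a constructed in-memory byte buffer with two injected
bad sectors. Nothing here touches real hardware.
"""
import hashlib

SECTOR = 512
BLOCK_SECTORS = 64


class FakeDrive:
    """Simulated device: any read that covers a bad sector fails as a whole."""

    def __init__(self, data: bytes, bad_sectors: set):
        assert len(data) % SECTOR == 0
        self.data = data
        self.bad = set(bad_sectors)
        self.sectors = len(data) // SECTOR

    def read(self, lba: int, count: int) -> bytes:
        if any(s in self.bad for s in range(lba, lba + count)):
            raise IOError(f"read error in LBA {lba}..{lba + count - 1}")
        return self.data[lba * SECTOR:(lba + count) * SECTOR]


def image_block_drop(drive: FakeDrive):
    """Naive imager: one bad sector costs the whole 64-sector block."""
    out = bytearray()
    dropped = 0
    for lba in range(0, drive.sectors, BLOCK_SECTORS):
        n = min(BLOCK_SECTORS, drive.sectors - lba)
        try:
            out += drive.read(lba, n)
        except IOError:
            out += b"\x00" * (n * SECTOR)
            dropped += n
    return bytes(out), dropped


def image_sector_fallback(drive: FakeDrive):
    """Block reads first; on error retry sector by sector, zero-fill only real failures."""
    out = bytearray()
    bad_log = []
    for lba in range(0, drive.sectors, BLOCK_SECTORS):
        n = min(BLOCK_SECTORS, drive.sectors - lba)
        try:
            out += drive.read(lba, n)
        except IOError:
            for s in range(lba, lba + n):
                try:
                    out += drive.read(s, 1)
                except IOError:
                    out += b"\x00" * SECTOR
                    bad_log.append(s)  # unreadable sector list goes in the report
    return bytes(out), bad_log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    """Image a 256-sector drive with bad sectors 5 and 130, then check a working copy."""
    data = bytes(range(256)) * 512          # 256 sectors of non-zero pattern (constructed)
    drive = FakeDrive(data, {5, 130})

    _, dropped_naive = image_block_drop(drive)
    image, bad_log = image_sector_fallback(drive)

    # Acquisition hash: recorded with the image and quoted in the report.
    acquisition_hash = sha256_hex(image)

    working_copy = bytearray(image)
    before_ok = sha256_hex(working_copy) == acquisition_hash

    # Simulate a tool run against the copy that rewrites a timestamp-like field.
    working_copy[7 * SECTOR + 16] ^= 0xFF
    after_ok = sha256_hex(working_copy) == acquisition_hash

    return {
        "dropped_naive": dropped_naive,     # 128 sectors lost to block dropping
        "bad_sectors": bad_log,             # [5, 130]
        "verify_before": before_ok,         # True
        "verify_after_tool": after_ok,      # False: the copy no longer matches
        "acquisition_hash": acquisition_hash,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bad-sector log is what makes the fallback image defensible: the report can state which LBAs were unreadable at acquisition and that every other sector is a verified copy, which is a much better position under cross-examination than a block of zeros with no explanation. The second hash check is the cheap way to answer "is this still the image you acquired?" before the question is asked.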
(@wardy)
 

In relation to data recovery.

In the 'truest' sense most forensic tools are not adequate for data recovery purposes, as they will only image the sectors that they can easily read (certainly true of EnCase prior to V5, where one bad sector in 64 resulted in 64 dropped sectors). True data recovery tools work very differently to 'imaging' products.

Attempting data recovery techniques on a 'cloned' copy of the original MAY therefore result in missed data.

just a thought…..

You are absolutely right. I had based my answer upon the drive not suffering from bad sectors.

 
Posted : 27/10/2005 2:18 pm
Page 1 / 2