Evidence processing methodology


keydet89
Senior Member
 

Re: Evidence processing methodology

Post Posted: Dec 13, 05 19:43

youcefb9 mentioned some very useful data reduction techniques, ones that are widely used today; specifically, the use of hashes. However, given the rate at which updates to operating systems occur, the number of files that ship with many applications, etc., it is difficult at best to maintain the list of known good hashes. The same is true with known bads, and especially illicit images, as the flipping of a single bit (let alone modifying the size or transforming using another algorithm, such as JPG -> TIFF) changes the hash.

On Windows systems in particular, I would suggest that the filter phase include processes for classification based on hash comparison, file signature analysis, metadata retrieval, header analysis (for PE files) as well as correlation with Registry artifacts (i.e., autostart locations, services, etc.).

Automating all of this will serve to greatly reduce the amount of data that must be analyzed.

As mentioned previously, keyword searches can produce dubious results.

Harlan  
 
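The filter phase Harlan describes above (hash classification, file-signature analysis against the claimed extension, and a PE header parse), as an added example that is not part of the original post or any Forensic Focus tool. The sample files, the hash sets and the magic-byte table are constructed here for illustration; a real workflow would load NSRL-style hash sets and a full signature database instead. It also shows the point about a single flipped bit: the altered file drops out of both hash sets and lands back in the review queue.

```python
"""Filter-phase triage: hash classification, magic-byte type sniffing versus the
claimed extension, and a minimal PE/COFF header parse.  All inputs below are
constructed in memory for illustration; nothing here is real case data."""
import hashlib
import struct

# Illustrative signature table (assumption: a few common types, not a full database).
MAGIC = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"\xff\xd8\xff", "jpeg"),
         (b"\x89PNG\r\n\x1a\n", "png"), (b"PK\x03\x04", "zip")]
EXT_TO_TYPE = {"exe": "pe", "dll": "pe", "sys": "pe", "pdf": "pdf", "jpg": "jpeg",
               "jpeg": "jpeg", "png": "png", "zip": "zip", "docx": "zip"}
IMAGE_FILE_MACHINE = {0x14C: "i386", 0x8664: "amd64", 0x1C0: "arm", 0xAA64: "arm64"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_by_hash(digest: str, known_good: set, known_bad: set) -> str:
    """Known-bad wins if a hash somehow appears in both sets."""
    if digest in known_bad:
        return "known_bad"
    return "known_good" if digest in known_good else "unknown"


def sniff_type(data: bytes) -> str:
    """Type by leading magic bytes, ignoring whatever the file name claims."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def extension_mismatch(name: str, sniffed: str) -> bool:
    """True when the extension claims a type the content does not match.
    An unknown extension or unknown content is not flagged: no evidence either way."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXT_TO_TYPE.get(ext)
    return claimed is not None and sniffed != "unknown" and claimed != sniffed


def parse_pe_header(data: bytes):
    """COFF file header fields of a PE image, or None when the MZ/PE signatures
    are absent or e_lfanew points past the end of the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
            "sections": nsections, "timestamp": timestamp,
            "optional_header_size": opt_size,
            "is_dll": bool(chars & 0x2000)}  # IMAGE_FILE_DLL


def triage(name: str, data: bytes, known_good: set, known_bad: set) -> dict:
    digest, sniffed = sha256_hex(data), sniff_type(data)
    r = {"name": name, "sha256": digest,
         "hash_class": classify_by_hash(digest, known_good, known_bad),
         "type": sniffed, "ext_mismatch": extension_mismatch(name, sniffed),
         "pe": parse_pe_header(data) if sniffed == "pe" else None}
    # Data reduction: only known-good files that look like what they claim drop out.
    r["needs_review"] = not (r["hash_class"] == "known_good" and not r["ext_mismatch"])
    return r


def flip_bit(data: bytes, bit: int) -> bytes:
    """Flip one bit: enough to defeat an exact hash match, as the post notes."""
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def make_sample_pe(machine=0x8664, nsections=3, timestamp=0x5F000000, chars=0x22) -> bytes:
    """Constructed minimal PE: MZ stub with e_lfanew=0x40, then PE\\0\\0 + COFF header."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + struct.pack("<HHIIIHH", machine, nsections,
                                                  timestamp, 0, 0, 0xF0, chars)


# Constructed sample batch and hash sets (not NSRL or case data).
SAMPLES = {
    "calc.exe": make_sample_pe(),
    "invoice.pdf": b"%PDF-1.4\n%constructed sample\n",
    "holiday.jpg": make_sample_pe(machine=0x14C, nsections=5),  # PE hiding behind .jpg
    "notes.txt": b"plain text, nothing to see\n",
}
KNOWN_GOOD = {sha256_hex(SAMPLES["calc.exe"]), sha256_hex(SAMPLES["invoice.pdf"])}
KNOWN_BAD = {sha256_hex(SAMPLES["holiday.jpg"])}


def run_batch(samples=SAMPLES, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD) -> list:
    return [triage(n, d, known_good, known_bad) for n, d in samples.items()]


if __name__ == "__main__":
    for r in run_batch():
        print(f"{'REVIEW' if r['needs_review'] else 'drop':6} {r['name']:12} "
              f"{r['hash_class']:10} {r['type']:7} mismatch={r['ext_mismatch']} pe={r['pe']}")
```

Two design points worth noting: the extension check only flags a file when both the extension and the content are recognised, so an unknown type is left in the queue rather than silently trusted; and the PE parser validates e_lfanew against the buffer length before reading, since carved or truncated files routinely have an MZ stub with nothing usable behind it.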
