Laptops for acquisition from external location - checklist

  

SilesianMan
Member
 

Laptops for acquisition from external location - checklist

Post Posted: Dec 31, 18 02:46

Hello all,

I am working in a company that has several offices around Europe; however, the digital forensic tasks are being done by one team, based in one of those locations.

It was agreed that acquisition and analysis will be done on site, where the DF team is located. Therefore, I need to create a short document/checklist on how laptops should be sent to that team.

I created a short list of what should be involved/settled prior to sending:

* laptop should be turned off/maybe with battery detached if possible
* laptop should be sent together with power supply
* agreement from legal/manager
* serial numbers should be written down
* everything should be packed into the secure courier bag, bag's number should be recorded if possible
* package must be sent with tracking option
* all numbers need to be sent to the DF team for further verification

Decryption keys are done on the DF side.

Can you think of anything else that might be needed in such a scenario?

Thank you in advance for any help. Have a great New Year's Eve and whole upcoming 2019 :)
 
  

keydet89
Senior Member
 

Re: Laptops for acquisition from external location - checkli

Post Posted: Dec 31, 18 05:28

Just a thought, but in today's day and age of smart phones, digital photographs of serial numbers are quicker and more accurate than writing them down. Also, you get to see the condition and any additional markings.
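One way to make the "send all numbers to the DF team for further verification" step from the opening post checkable, together with the photographs suggested in the reply above. This is an added example, not part of either post; the field names, file names and sample values are assumptions constructed for illustration.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def norm(value: str) -> str:
    """Normalise hand-copied identifiers: keep letters/digits, upper-case."""
    return "".join(ch for ch in value.upper() if ch.isalnum())

def canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(serial, bag_number, tracking, photos):
    """Sending office: returns (body, digest). The digest travels separately
    from the parcel, e.g. in the message to the DF team."""
    body = {
        "laptop_serial": norm(serial),
        "bag_number": norm(bag_number),
        "tracking": norm(tracking),
        "photo_sha256": {n: sha256_hex(d) for n, d in photos.items()},
    }
    return body, sha256_hex(canonical(body))

def verify_receipt(body, digest, observed, photos):
    """DF team: list every discrepancy; an empty list means all matched."""
    problems = []
    if sha256_hex(canonical(body)) != digest:
        problems.append("manifest does not match digest")
    for field in ("laptop_serial", "bag_number", "tracking"):
        if norm(observed.get(field, "")) != body.get(field):
            problems.append(f"{field} mismatch")
    for name, expected in body.get("photo_sha256", {}).items():
        if name not in photos:
            problems.append(f"photo missing: {name}")
        elif sha256_hex(photos[name]) != expected:
            problems.append(f"photo changed: {name}")
    return problems

# Constructed sample values, not real identifiers or images.
PHOTOS = {"serial_label.jpg": b"constructed-1", "sealed_bag.jpg": b"constructed-2"}
BODY, DIGEST = build_manifest("pf-12ab 34", "SB 0047711", "TRK-000-111-222", PHOTOS)

if __name__ == "__main__":
    seen = {"laptop_serial": "PF12AB34", "bag_number": "sb0047711",
            "tracking": "TRK000111222"}
    print(verify_receipt(BODY, DIGEST, seen, PHOTOS))
    print(verify_receipt(BODY, DIGEST, dict(seen, bag_number="SB0047712"), PHOTOS))
```

The receiving side reads `observed` off the physical parcel and device, so a swapped bag or a relabelled laptop shows up as a named mismatch rather than being missed by eye.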
 
  

SilesianMan
Member
 

Re: Laptops for acquisition from external location - checkli

Post Posted: Dec 31, 18 06:35

- keydet89
Just a thought, but in today's day and age of smart phones, digital photographs of serial numbers are quicker and more accurate than writing them down. Also, you get to see the condition and any additional markings.


Good point, thank you.  
 
  

Bunnysniper
Senior Member
 

Re: Laptops for acquisition from external location - checklist

Post Posted: Dec 31, 18 08:27

- SilesianMan
Hello all,

I am working in the company that has several offices around Europe


How do you dump the memory and preserve it for further analysis? Make a memdump whenever possible and do a complete live analysis before you shut down the device. And check before that you really have the decryption key for BitLocker or any other full-disk encryption.


regards,
Robin
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 
 
  

jaclaz
Senior Member
 

Re: Laptops for acquisition from external location - checkli

Post Posted: Jan 03, 19 04:45

I would add *somewhere* a written document with the procedure to follow when (IF) - tracking or not - the parcel containing the (not imaged/analyzed) laptop is either lost or stolen in transit or given to a wrong addressee by the courier.

Personally (not being in any way a professional in the field, mind you) I wouldn't even think of sending such a non-replaceable item via "normal" courier; I would want to choose a very reliable firm for the sending, and that will surely have:


* everything should be packed into the secure courier bag, bag's number should be recorded if possible
* package must be sent with tracking option

both a tracking method and numbered bags, etc.

Following Bunnysniper's advice I would anyway have *something* made "on site".

I believe there are two options:
1) a properly trained professional is anyway present on site and prepares the machine for the sending
or:
2) a generically trained representative (or the client himself) manages the packing and sending

If the idea is #2 I would think about making a video of the seizing and packing.

In any case, I would want the actual device wrapped inside a "tamper proof" ziplock bag or similar, since there is also the possibility (remote, I know) that the parcel is intercepted and contents modified.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

SilesianMan
Member
 

Re: Laptops for acquisition from external location - checkli

Post Posted: Jan 04, 19 03:18

@jaclaz and @Bunnysniper - thank you both for your answers.

What I am aiming for in the future is to have a trained professional geared up with write blocker, spare HDD/SSDs, evidence bags, etc. to make a copy on site, if possible. That's the future; for now, what we can do is to make sure that all stuff will be sent to the DF team in a secure manner.

Thank you and wish you all the best for 2019! :)
 
  

urq82
Newbie
 

Re: Laptops for acquisition from external location - checkli

Post Posted: Feb 02, 19 08:58

Hi,

Have you at all considered performing remote triage and acquisition before considering sending computers to the central team? I assume that the corporate computers are connected to a corporate network and powered on in many use-cases.

I have worked with several clients who have implemented a process similar to what I interpret your requirements are. I.e. use of e.g. F-Response together with Encase (or other tools), performing either covert or overt triage / acquisition / review in a timely manner.

Lawful Conditions:
Overt - with consent
Overt - by authority
Covert - by authority

Also memory acquisition, as mentioned previously, is possible to include in the process. Acquisition to a local storage server or, if bandwidth is ok, directly to central site. Often other storage (such as user home drive) needs to be considered as well in the process.

Having computers/drives sent by courier between network connected sites is in my view not often required - and due to time constraints from a corporate investigation perspective, many times undesired. If an initial triage review defines that the computer should be secured for a future legal process, this can many times be done locally at the site involved.

I tried to attach a process picture of a "digital investigation readiness plan" but could not find a way to include a .jpg! Is there a solution to this in the forum?  
 
