What is "forensically sound"?

keydet89
Senior Member
 

What is "forensically sound"?

Posted: Oct 17, 05 23:30

What constitutes a "forensically sound" process?

Let's begin from a common starting point...a live Windows system that cannot be taken down. Generally speaking, what constitutes a "forensically sound" process for collecting data from that system?

Then, how would you go about doing so?

As responses begin to come in, I'll present my views, so that others can critique/discuss them.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
 
  

nbeattie
Member
 

Re: What is "forensically sound"?

Posted: Oct 18, 05 00:50

Are we talking about collecting evidence that is admissible in a court of law?

Also, what do you mean by a live system - do you mean one that is connected to a network with people accessing it?

Surely the process would depend on what you are trying to prove.

If it is the existence of a file on a server, then this would be no problem on a live system.  
 
  

keydet89
Senior Member
 

Re: What is "forensically sound"?

Posted: Oct 18, 05 02:05

Excellent questions!

"Are we talking about collecting evidence that is admissible in a court of law?"

Let's say that you're investigating a system that may be subject to further investigation by LEOs, and may end up going to court. However, at this time, that doesn't appear to be the case.

There's a reason I'm bringing up this specific type of incident...it's what many professional incident responders are being called to respond to. I've been confirming this with several folks who do this sort of thing, exclusively, for a living.

What's happening is that laws such as SB-1386 require reporting of security incidents (in the case of SB-1386, for incidents involving the exposure of personal data of CA residents), and corporations do not want to report an incident (a) when there isn't one, and (b) until they fully understand the nature of the incident. Why call law enforcement if you don't know the extent of the incident? Law enforcement involvement leading to public disclosure is one of the biggest reasons companies are reporting in surveys for NOT calling law enforcement.

Continuing...for the purposes of this example, let's say that it's a user or employee's workstation, and doesn't offer up any services (i.e., it's not a public web server). The concern in this case is that the employee has stolen data, and may have installed a Trojan or backdoor.

So...what's a "forensically sound" process for removing and analyzing volatile data?

Now, let's say you have an e-commerce server (web server, with the database backend located on another system)...what do you do to determine whether the system has been compromised and/or malware installed, knowing that you can't take the system down? How do you collect and analyze data in a "forensically sound" manner?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
 
  

Juniper
Member
 

Re: What is "forensically sound"?

Posted: Oct 18, 05 12:35

I am in no way an expert at this, however, here are my opinions:

A forensically sound process in the example case would be to gather evidence without disturbing the "live system", i.e. you do not make any changes to the system while you conduct the investigation. There are many methods available to do this.

This is the least one can expect should the case end up in court.

More importantly, all the actions you take once the case is presented to you should be viewed as something that should withstand the scrutiny of other experts in the field as well as some clever lawyers:

Making an initial assessment
Creating a detailed & proven methodology of how you are going to approach the case.
Recognising what tools you will need to conduct the investigation.
Recognising the risks involved
Analyze and/or recover the evidence
Investigate/Scrutinize your findings
Complete the case.

In my opinion each of the above is as important as the other. Professionalism is paramount.

The words "proven methodology" are key. I do not think this is any different than using the words "forensically sound". I think the whole process - from start to finish - should be conducted according to standard procedure and herein lies the problem. The processes involved would, I suspect, be different from country to country and even state to state (America).

Juniper  
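Juniper's steps above stop at the level of methodology, and the question of what to collect from the live system and how remains open. The following Python script is an added example, not code from the thread or from any of its participants: a minimal live-response collector that records, for every command run against the live system, the exact argv, UTC start and finish times, exit code and SHA-256 of the captured output, then writes a manifest that a second examiner can re-verify. The Windows command list is this example's assumed selection of standard built-in tools for the workstation case; the examiner identifier and the portable stand-in commands in run_demo() are constructed so the script runs offline on any OS. It covers command output only and does not image memory.

```python
"""Live-response collector with an audit trail (added example, not from the thread).
Every command run against the live system is logged with its exact argv, UTC
start/finish times, exit code and the SHA-256 of its captured output, so a
third party can re-verify the collected files against the manifest."""
import hashlib
import json
import os
import subprocess
import sys
import tempfile
from datetime import datetime, timezone

# Assumed command set for the Windows workstation case in the thread, ordered
# roughly from most to least volatile. The tools are standard Windows binaries;
# the selection is this example's choice. Run known-good copies from your own
# media rather than the binaries on the suspect system.
WINDOWS_VOLATILE_COMMANDS = [
    ["netstat", "-ano"], ["arp", "-a"], ["route", "print"],
    ["tasklist", "/v"], ["net", "session"], ["net", "use"],
    ["ipconfig", "/all"], ["schtasks", "/query", "/fo", "LIST", "/v"],
]


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect(commands, outdir):
    """Run each command, save stdout+stderr verbatim, return manifest entries.
    Failures (missing tool, timeout) are recorded, not hidden: the trail must
    show what was attempted, not only what worked."""
    entries = []
    for seq, argv in enumerate(commands):
        filename = f"{seq:02d}_{os.path.basename(argv[0])}.txt"
        started = datetime.now(timezone.utc).isoformat()
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=120)
            output, exit_code = proc.stdout + proc.stderr, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            output, exit_code = f"COLLECTOR ERROR: {exc!r}\n".encode(), None
        finished = datetime.now(timezone.utc).isoformat()
        path = os.path.join(outdir, filename)
        with open(path, "wb") as fh:
            fh.write(output)
        entries.append({"seq": seq, "argv": argv, "started_utc": started,
                        "finished_utc": finished, "exit_code": exit_code,
                        "file": filename, "sha256": sha256_file(path)})
    return entries


def write_manifest(entries, outdir, examiner):
    """Write manifest.json; return its own SHA-256 for the examiner's notes."""
    manifest = {"examiner": examiner, "entries": entries,
                "written_utc": datetime.now(timezone.utc).isoformat()}
    path = os.path.join(outdir, "manifest.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return sha256_file(path)


def verify(outdir):
    """Recompute every hash in the manifest; return files that no longer match."""
    with open(os.path.join(outdir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    return [e["file"] for e in manifest["entries"]
            if sha256_file(os.path.join(outdir, e["file"])) != e["sha256"]]


def run_demo(commands=None, tamper=False):
    """Collect into a fresh directory and verify. tamper=True appends to one
    output file afterwards to show that verification catches the change."""
    if commands is None:
        # Constructed, portable stand-ins so the demo runs on any OS:
        # one success, one non-zero exit, one tool that does not exist.
        commands = [[sys.executable, "-c", "print('process list stand-in')"],
                    [sys.executable, "-c", "import sys; sys.exit(3)"],
                    ["no_such_forensic_tool"]]
    outdir = tempfile.mkdtemp(prefix="live-response-")
    entries = collect(commands, outdir)
    # Examiner identity is an assumed placeholder for this example.
    manifest_hash = write_manifest(entries, outdir, "examiner@example.invalid")
    if tamper:
        with open(os.path.join(outdir, entries[0]["file"]), "ab") as fh:
            fh.write(b"edited after collection\n")
    return {"outdir": outdir, "manifest_sha256": manifest_hash,
            "entries": entries, "mismatches": verify(outdir)}


if __name__ == "__main__":
    result = run_demo(WINDOWS_VOLATILE_COMMANDS if os.name == "nt" else None)
    print(f"output: {result['outdir']}  manifest sha256: {result['manifest_sha256']}")
    print("verification mismatches:", result["mismatches"])
```

The hash returned by write_manifest() is what goes into the examiner's contemporaneous notes; the manifest in turn binds every output file, so a later edit to any collected file shows up in verify(). Non-zero exit codes and collector errors are kept on purpose, since a trail that silently omits failed steps is exactly what another expert will ask about.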
 
  

keydet89
Senior Member
 

Re: What is "forensically sound"?

Posted: Oct 18, 05 16:21

Juniper,

Excellent comments!

"More importantly, all the actions you take once the case is presented to you should be viewed as something that should withstand the scrutiny of other experts in the field as well as some clever lawyers:"

and

"The words "proven methodology" are key."

Agreed.

Now...what, in your mind, would that methodology consist of? What information would you collect, and how would you recommend collecting it (i.e., which tools)? How would you implement that process/methodology, given the example cases?

This is what I'm trying to get at. I have my own opinion as to how to implement the process/methodology, but as you said, it has to stand up to scrutiny by other professionals in the field. So how do we go about setting up such a process/methodology?

"The processes involved would, I suspect, be different from country to country and even state to state (America)."

Can you elaborate on why that would be the case?

Thanks!

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
 
  

Juniper
Member
 

Re: What is "forensically sound"?

Posted: Oct 19, 05 18:18

OK - In terms of "First Responders":

I think the ACPO guideline as outlined here would be a good start:

http://www.dataclinic.co.uk/ACPO%20Guide%20v3.0.pdf

In terms of collecting the physical evidence, I'm afraid I do not have the necessary skills or experience to comment.

In terms of differences of laws and methodology from country to country - it is too wide an issue to discuss, however, each Forensic Analyst should be aware of the laws where he/she operates. Also, importantly, they should be aware of policies and procedures pertaining to the individual businesses and companies they are operating in.
 
  

armresl
Senior Member
 

Re: What is "forensically sound"?

Posted: Oct 19, 05 23:41

"Let's say that you're investigating a system that may be subject to further investigation by LEOs, and may end up going to court. However, at this time, that doesn't appear to be the case."


Every case should be handled like it will be going to court and that there will be an expert on the other side who rivals or surpasses your intelligence on the subject matter.
_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 
 
