A day in the life of a Forensics Investigator

Discussion of computer forensics employment and career issues.
secret_squirrel
Member
 

A day in the life of a Forensics Investigator

Posted: Oct 21, 05 19:29

Hi everyone,

I have been playing multiple roles in my job, from network administration to email administration to desktop audits and network security.

I have been given an opportunity to join a newly created Security Division for my state gov.

They have never had a division like this before and they are asking how broad a spectrum security could cover.

I have to create a mock job description. My current training has been EC-Council's CHFI, CEH and Miles 2 CPTS.

I was wondering if any of you guys come from the same skillset and if you could tell me a little of what your day is like, from a job function point of view.

I have thought about the following:

Vulnerability assessments ( at least baseline scanning ).
System auditing
Desktop audits
Forensic audits
Data recovery
Log reading
IDS, web filtering management
Auditing patch management


any help would be great!!  
 
  

arashiryu
Senior Member
 

Re: A day in the life of a Forensics Investigator

Posted: Oct 22, 05 08:42

Congrats on your new opportunity.

Hope this helps. You are welcome to contact me offline if you have need for further help.

Vulnerability assessments
1) Very important for managing risk.
2) My recommendation would be to run a network discovery and classify the network devices in a tier model. For example, all Internet facing devices would be Tier1. Internal LAN devices would be Tier2 and the rest Tier3.
3) Develop a cross functional team for remediation of assessment results.
4) Schedule your scans and make sure all the application owners and device owners are aware you are going to run the scan.
5) Publish results.
6) Remediation team completes their patching.
7) Re-scan to validate remediation.
8) Repeat this process monthly or as necessary.
I don't know what vulnerability scanner you plan to use. I suggest QualysGuard.

System Auditing
1) Determine a central location to store event logs.
2) Use EventComb (free util) to run scans and archive findings.

Desktop Audits
I recommend making this a part of your vulnerability assessments. Maybe Tier3. QualysGuard appliance supports this.

Forensic Audits
Not clear on this objective. Can you provide additional info.

Data Recovery
Most forensic tools (hardware and software) can also be used for data recovery. Have a repeatable process with standard tools. Ontrack Data Recovery tools are impressive.

Log Reading
EventComb is a good tool to collect event logs and dump them to an Access database, CSV format etc. A lot of commercial tools are available as well.

IDS, Web Filtering
Implement an Internet proxy. BlueCoat has a good appliance.

Audit Patch management
Again, make this part of vulnerability assessments. QualysGuard can audit against missing patches.

Note:
In no way am I promoting any devices or programs. These are just recommendations from my experience.
 
  
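The tiering and scan/remediate/re-scan cycle described in the reply above, worked through as an added example that is not part of the thread and not tied to any particular scanner: a constructed asset inventory is classified into Tier1/Tier2/Tier3 by exposure, and a constructed baseline scan is compared against a constructed re-scan to report what was remediated, what is still open and what appeared new. Hostnames, addresses (RFC 5737 / RFC 1918 ranges) and finding identifiers are all made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One discovered network device (constructed inventory record)."""
    hostname: str
    ip: str
    internet_facing: bool
    on_internal_lan: bool


def tier_of(asset: Asset) -> int:
    """Tier1 = Internet facing, Tier2 = internal LAN, Tier3 = everything else."""
    if asset.internet_facing:
        return 1
    if asset.on_internal_lan:
        return 2
    return 3


# Constructed inventory, as a network discovery run might produce it.
INVENTORY = [
    Asset("web01", "203.0.113.10", internet_facing=True, on_internal_lan=False),
    Asset("fs01", "10.0.1.5", internet_facing=False, on_internal_lan=True),
    Asset("kiosk07", "192.168.50.9", internet_facing=False, on_internal_lan=False),
]

# Constructed scan results: host -> set of finding identifiers (placeholders,
# not real advisory ids). BASELINE is the scheduled scan, RESCAN the validation
# scan run after the remediation team reports its patching complete.
BASELINE = {
    "web01": {"MISSING-PATCH-A", "WEAK-TLS-CONFIG"},
    "fs01": {"MISSING-PATCH-A"},
    "kiosk07": set(),
}
RESCAN = {
    "web01": {"WEAK-TLS-CONFIG"},
    "fs01": set(),
    "kiosk07": {"MISSING-PATCH-B"},
}


def tier_report(inventory):
    """Group hostnames by tier so scan scheduling can follow the tier model."""
    return {t: [a.hostname for a in inventory if tier_of(a) == t] for t in (1, 2, 3)}


def remediation_status(baseline, rescan):
    """Per host: findings closed by remediation, still open, or newly seen."""
    status = {}
    for host in sorted(set(baseline) | set(rescan)):
        before = baseline.get(host, set())
        after = rescan.get(host, set())
        status[host] = {
            "remediated": sorted(before - after),
            "still_open": sorted(before & after),
            "new": sorted(after - before),
        }
    return status


def prioritized_open_findings(inventory, status):
    """Open findings after the re-scan, ordered Tier1 first for publishing."""
    tiers = {a.hostname: tier_of(a) for a in inventory}
    rows = []
    for host, s in status.items():
        for finding in s["still_open"] + s["new"]:
            rows.append((tiers.get(host, 3), host, finding))
    return sorted(rows)


if __name__ == "__main__":
    print(tier_report(INVENTORY))
    for host, s in remediation_status(BASELINE, RESCAN).items():
        print(host, s)
    print(prioritized_open_findings(INVENTORY, remediation_status(BASELINE, RESCAN)))
```

The re-scan comparison is the check that turns "the remediation team says it patched" into evidence: anything in `still_open` goes back to the cross functional team, and anything in `new` is a regression or a newly exposed service that the next monthly cycle picks up.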

RoboGeek
Member
 

Re: A day in the life of a Forensics Investigator

Posted: Oct 22, 05 23:14

Just a quick note on the data recovery..

Most of the commercial tools will change filenames, access times, MD5s and other things. Don't use these for any forensic work except investigative. The data recovered won't hold up in court.

Also most data recoveries are hardware/firmware failures. Drives need to be made functional before recovery is attempted. For each make you'll want to develop a procedure, since they all differ, i.e. WD S.M.A.R.T. errors, Maxtor P-list/G-list problems, etc.
_________________
I used to be a lifeguard, but some blue kid got me fired.

Business Network Solutions 
 
  

armresl
Senior Member
 

Re: A day in the life of a Forensics Investigator

Posted: Oct 24, 05 19:26

The statement about recovered data changing MD5s, access times, etc. not holding up in court is not accurate.

In that same breath you would have to throw out anything found in freespace or file slack because of the same problems either not having a file name or an extension.

Plenty of times I have gone in court with drives that I have used a program on for a logical recovery or a raw recovery and I have not been given a problem one time and every time the evidence was admitted.

I can say that if you do forensic work and don't run data recovery tools on the drives you are working on, then there is a strong possibility that you are missing some very good information.
_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 
 
  

RoboGeek
Member
 

Re: A day in the life of a Forensics Investigator

Posted: Oct 24, 05 23:11

I'm sorry, but I've had evidence tossed out for that very reason. If I have to rebuild a corrupted file, or one from a damaged drive, all you have to do is ask me under oath if I'm sure that file is exactly the same as it was originally and I have to say no. No judge will allow altered evidence to be admitted.
I've had things tossed because the file's last accessed time was when the defendant was in jail.
That's why you lock drives and disable write access.
_________________
I used to be a lifeguard, but some blue kid got me fired.

Business Network Solutions 
 
  

Wardy
Senior Member
 

Re: A day in the life of a Forensics Investigator

Posted: Oct 25, 05 11:40

Wouldn't it be more advisable to forensically copy the hard disk drive, clone it onto a drive with identical spec and use the clone to work from? The original evidence has never been tampered with, and data recovery tools may still be run.

If the court has concerns regarding the changing of evidence/tampering, by using a second clone drive you could demonstrate your methods to the court without altering the original evidence!
 
  
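The workflow the two posts above argue about, as an added example that is not from the thread: hash the acquired image once, keep the original write-protected, make a verified working copy, and let recovery tools touch only the copy. The acquisition hash is what you later produce to show the original is unchanged, while the modified working copy is what RoboGeek describes. The "image" here is a constructed byte string, and `os.chmod` read-only permissions stand in for the hardware write blocker a real acquisition would use (root can still write through that, so it is an illustration of the principle, not a substitute for a blocker).

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Constructed stand-in for an acquired disk image; a real one would be a
# raw/dd or E01 image taken from the drive through a write blocker.
SAMPLE_IMAGE = b"\x00" * 512 + b"BOOT-SECTOR-LIKE-HEADER" + bytes(range(256)) * 4


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(image_bytes, workdir):
    """Write the original image once, record its hash, and make it read-only."""
    original = os.path.join(workdir, "evidence.dd")
    with open(original, "wb") as f:
        f.write(image_bytes)
    acquisition_hash = sha256_of_file(original)
    # Sidecar file records the hash at acquisition time (what you show in court).
    with open(original + ".sha256", "w") as f:
        f.write(f"{acquisition_hash}  evidence.dd\n")
    os.chmod(original, stat.S_IREAD)  # stand-in for a write blocker
    return original, acquisition_hash


def make_working_copy(original, acquisition_hash):
    """Clone the image, then verify the clone before any tool is run on it."""
    clone = os.path.join(os.path.dirname(original), "working_copy.dd")
    shutil.copyfile(original, clone)
    os.chmod(clone, stat.S_IREAD | stat.S_IWRITE)
    if sha256_of_file(clone) != acquisition_hash:
        raise RuntimeError("working copy does not match acquisition hash")
    return clone


def verify(path, acquisition_hash):
    """True if the file still hashes to the value recorded at acquisition."""
    return sha256_of_file(path) == acquisition_hash


def demo():
    """Run the workflow end to end and report which copy is still pristine."""
    with tempfile.TemporaryDirectory() as workdir:
        original, acq_hash = acquire(SAMPLE_IMAGE, workdir)
        clone = make_working_copy(original, acq_hash)
        # Simulate a recovery tool rewriting part of the working copy.
        with open(clone, "r+b") as f:
            f.seek(512)
            f.write(b"CARVED")
        result = {
            "original_intact": verify(original, acq_hash),
            "clone_intact": verify(clone, acq_hash),
        }
        os.chmod(original, stat.S_IREAD | stat.S_IWRITE)  # allow cleanup
        return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the original still matching its acquisition hash while the working copy does not, which is exactly the separation Wardy's suggestion relies on: the altered artefact is the analyst's copy, and the untouched original plus its recorded hash is what answers the "is this exactly as it was" question under oath.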

armresl
Senior Member
 

Re: A day in the life of a Forensics Investigator

Posted: Oct 25, 05 20:22

Whenever data was questioned we have asked for a break to go get what both sides agreed was a copy of the original drive and been able to show the data on that drive.

Judges can take evidence under advisement and let the trial go on without making a ruling on the admissibility at that time.
_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 
 

Page 1 of 2