
Evidence processing methodology


Senior Member

Evidence processing methodology

Post Posted: Dec 09, 05 01:28

I'm curious to know how everyone goes about processing their evidence. What are your must get areas of the disk? Do you follow a standard procedure to try to collect as much as possible with the least effort?

I aim for:
deleted files - including malware
MAC times
swap, file slack, unallocated
a keyword search
then move in to internet history and registry, although I am thinking of putting the registry a bit higher in the list.  

Senior Member

Re: Evidence processing methodology

Post Posted: Dec 09, 05 17:33

I'm thinking that in most cases, it really depends upon the case.

For example, with some cases, is it necessary to develop a timeline of activity on the system? If so, are other sources considered besides file MAC times? Say, log files? On Windows systems, how about Registry key LastWrite times?

How useful is a keyword search, in some cases? Say, within the Registry? Sure, it works sometimes, but not all entries that may pertain to some activity are maintained as ASCII strings...some are ROT-13 strings, others are binary data types, etc.
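The point in the post above about Registry entries that are not stored as ASCII, shown as an added example that is not part of the original post: the same keyword is searched as ASCII, UTF-16LE and ROT-13 byte patterns. The function names and the sample value data are constructed for illustration.

```python
import codecs
import struct

def keyword_variants(keyword):
    """Byte patterns for one keyword: plain and ROT-13, ASCII and UTF-16LE."""
    kw = keyword.lower()
    rot = codecs.encode(kw, "rot_13")
    return {"ascii": kw.encode("ascii"), "utf-16le": kw.encode("utf-16-le"),
            "rot13-ascii": rot.encode("ascii"),
            "rot13-utf-16le": rot.encode("utf-16-le")}

def find_encodings(blob, keyword):
    """Return the sorted labels of every encoding of keyword found in blob."""
    haystack = blob.lower()  # bytes.lower() folds ASCII letters only
    return sorted(label for label, pat in keyword_variants(keyword).items()
                  if pat in haystack)

def scan(values, keyword):
    """Map each value name to the encodings under which keyword matched."""
    return {name: find_encodings(data, keyword) for name, data in values.items()}

# Constructed sample value data (not taken from a real hive).
PATH = "C:\\Tools\\Eraser.exe"
SAMPLE_VALUES = {
    "ascii_string": PATH.encode("ascii"),
    "unicode_string": PATH.encode("utf-16-le"),
    "rot13_string": codecs.encode(PATH, "rot_13").encode("utf-16-le"),
    "binary_dword": struct.pack("<I", 0x00000005),
}

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_VALUES, "eraser").items():
        print(f"{name:15} {hits or 'no match'}")
```

A plain ASCII search would report only the first value; numeric binary data never matches a string keyword and has to be interpreted by type instead.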


Senior Member

Re: Evidence processing methodology

Post Posted: Dec 09, 05 22:07

Depends on the scope defined for the case.
For example:
Recently I worked on an email / chat related case. I did get the forensic image. I used FTK and at the beginning of the wizard I chose email investigation only. It is a nice feature and the evidence processing doesn't take forever. I did validate my results against email and chat examiner.
So basically I'd rather invest extra time validating the results than going out of scope of the investigation.

The list you provide is thorough though. If there are irregularities or discrepancies in the investigation this is a good list to start with.  


Re: Evidence processing methodology

Post Posted: Dec 12, 05 16:59

Do you think there is a place for a forensics analysis methodology that will assist in the mining of evidence out of all the data available?

I am looking at standard data mining methodologies and developing a methodology to assist with the finding of evidence - I call it Evidence Mining.

We hope to then adapt some of the advanced data mining type algorithms to make it applicable in evidence mining.

What's the general feeling? Is this a worthwhile route to follow?  

Senior Member

Re: Evidence processing methodology

Post Posted: Dec 12, 05 20:24


> What's the general feeling? Is this a worthwhile route to follow?

This definitely has potential, but without knowing more about what it is you plan to do, what you actually plan to implement, it's hard to tell.



Re: Evidence processing methodology

Post Posted: Dec 13, 05 06:02

I've used Eoghan Casey's examination methodology and found it to be extremely useful for gleaning evidence. Of course in certain cases this methodology would need to be enhanced to cater for specific attacks.

In general the methodology is composed of these steps:

- listing: create a list of all files and directories in the system (including deleted files). This listing should show file names, sizes, MAC times, MD5 hashes, etc.

- recovery: recovers deleted files, unallocated space, file slack, etc.

- filter: uses a database of known good hashes and known bad hashes to filter the files into a smaller subset by ignoring noisy data (like OS files, known applications, etc.).

- process: using the small subset, try to categorise it into types using the magic number.

After the process phase, you would eventually find yourself touching on specific data types where more focused analysis will take place. This is what I call the application layer analysis, where analysis of artifacts like IE, Outlook, Registry, etc., will take place.

This methodology is more thorough and may not be suited to all cases, but for educational purposes and, in some cases, is the best bet you can have.

Other methodologies tend to use keyword search as an assessment of worth, and then follow it by focused analysis. This only works if you are looking for specific data types, and you know the inherent vulnerability of tools in hand, i.e. physical keyword search vs logical keyword search.
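The listing, filter and process steps from the post above, as an added example that is not part of the original post and is not Casey's own code. It assumes the evidence is a read-only mounted copy; the function names, sample files and hash sets are constructed, and deleted-file recovery is left out.

```python
import hashlib
import os
import tempfile

# Leading-byte signatures ("magic numbers") for a few common types.
MAGIC = [(b"\xff\xd8\xff", "jpeg"), (b"%PDF-", "pdf"),
         (b"PK\x03\x04", "zip"), (b"MZ", "pe")]

def listing(root):
    """Listing: path, size, MAC times and MD5 of every file under root."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)  # record times before the file is opened
            with open(path, "rb") as fh:
                data = fh.read()
            rows.append({"path": os.path.relpath(path, root), "size": st.st_size,
                         "mac": (st.st_mtime, st.st_atime, st.st_ctime),
                         "md5": hashlib.md5(data).hexdigest(), "head": data[:8]})
    return sorted(rows, key=lambda r: r["path"])

def filter_known(rows, known_good, known_bad):
    """Filter: drop known-good files, flag known-bad ones, keep the rest."""
    flagged = [r["path"] for r in rows if r["md5"] in known_bad]
    remaining = [r for r in rows if r["md5"] not in known_good]
    return remaining, flagged

def classify(row):
    """Process: type by magic number, ignoring the file extension."""
    for sig, kind in MAGIC:
        if row["head"].startswith(sig):
            return kind
    return "unknown"

def run_demo():
    # Constructed sample files standing in for a read-only mounted image.
    samples = {"notepad.exe": b"MZ\x90\x00 constructed OS file",
               "holiday.txt": b"\xff\xd8\xff\xe0 constructed JPEG body",
               "report.pdf": b"%PDF-1.4 constructed",
               "tool.bin": b"MZ\x90\x00 constructed known-bad"}
    good = {hashlib.md5(samples["notepad.exe"]).hexdigest()}
    bad = {hashlib.md5(samples["tool.bin"]).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        remaining, flagged = filter_known(listing(root), good, bad)
    return {r["path"]: classify(r) for r in remaining}, flagged
```

In the demo the known-good file drops out of the working set, the known-bad file is flagged, and `holiday.txt` is typed as a JPEG from its header despite its extension.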




Re: Evidence processing methodology

Post Posted: Dec 13, 05 12:59

It varies from case to case. However, the Computer Forensic Examiner may use specific methods for analysis considering the case history:
(1) Cases related to e-mail abuse/child pornography: Specific attention may be given to chat log, e-mail ids, user names, alias, images depicting minors in sexual context, information about digital camera, scanners, ISP logs etc.
(2) Cases related to frauds: Specific attention may be given to images of controlled documents used for counterfeiting, use of advanced desktop tools like Photoshop, CorelDRAW etc. Information about the scanners, high-end printers installed in system etc.
(3) Cases related to data theft/hacking: Specific attention to be given to user logs, e-mail accounts, e-mail IDs, ISP used, network configurations and users, system logs, passwords, user names, installed Trojans, installed removable devices etc.
During analysis one may follow the following steps (general):
(1) Extraction
(2) Data Filtering
(3) File list & hash value generation
(4) Recovery of deleted files, slack & unassigned clusters
(5) Removal of known/unnecessary/duplicate files
(6) Identification & decryption of encrypted files
(7) Email extraction etc.
The specific analysis method may be used depending upon the case history and investigating agencies' request:
(1) Timeframe analysis
(2) Data hiding analysis
(3) File analysis
(4) Documenting & reporting
