Security Basics mailing list archives

RE: First Investigation - Need advice


From: "Ken Keeler" <kelekelr () hotmail com>
Date: Mon, 15 Mar 2004 12:17:14 -0600

Hello,

First thing you might want to do differently is to not videotape everything. Every single detail of what you do would be subject to review. Regardless of whether anything was done incorrectly, the defense/opposition has the chance to critique and question every single action, which you then have to explain and defend. I would cancel the videotape, especially since it sounds like you will be using the software for the forensics investigation for the first time. I don't know the particulars on the search and seizure, so maybe you would want videotape for reasons other than showing the forensics/evidence seizure steps taken. If you don't need videotape for some other reason, how about taking digital photos of the scene and the steps you took, like sealing the drives in a bag. Photos provide a dated snapshot in time of the scene yet do not provide every single nuance for debate.

Do a google search for "chain of evidence", do some reading on that. Have a chain of evidence document to catalog your evidence (you can find examples by googling for that as well).

Also consider where the evidence is stored overnight and over time. Is it in a locked room with access control? Is there a safe, a cage or a locking filing cabinet inside of the room for storage of the media/evidence? How many people have access to the evidence or potentially could have access? Is there an audit log of room access? You want to have access to the evidence restricted.

Documenting (have some sort of log file for this) each step of what you do during the forensics investigation is a solid idea.

Make sure your HD image is a bit-for-bit image. dd is free; just make sure that you have a clean copy from somewhere, and MD5 it to be sure. Also you can use CryptCat, a more secure NetCat, during your transfer of the dd image. Be positive that you are not writing any data (write blocker) to the HD that you are acquiring.

As far as which tools to use for doing the forensics investigation that are free or low cost... Maybe someone else can provide you with some ideas on that. Something to seriously consider is whether or not a free or low cost tool has ever been tested in court and if it was acceptable... If not, and you use it and it is challenged in court, do you have the knowledge and expertise in forensics and with that tool to prove that it does provide forensically sound evidence? A free tool may end up being more expensive than you thought.

Why not ask local/state/federal law enforcement for tips on the right way to do this? Many law enforcement agencies are interested in building relationships with the private sector; you may be able to help them out one of these days. If you explain what and why you are asking, you very well may find someone that can at least provide you some good general guidelines.

I wouldn't want my first acquisition or analysis to be the real thing; I would do some practice runs with some drives before going live. As far as "how hard can it be"... The best advice I could give you is to hire someone to do this for you this time and send someone from your company to training on court-tested commercial forensics software (if you would like my recommendation on which product, let me know; I've been to multiple courses at what I would say are the top two forensics vendors out there). Forensics is not something to throw together at the last minute...

Good luck to you.
(The forensics list might get you some more detailed responses than the basics list)

-----Original Message-----
From: forensic Helpwanted [mailto:forensichelpwanted () fsmail net]
Sent: Friday, March 12, 2004 1:30 AM
To: security-basics () securityfocus com
Subject: First Investigation - Need advice


Hi

I have been tasked with carrying out a search and seize with the aid of a court order. I can't ask local law enforcement as it is a civil matter, but I need a little help and figured this should be a good place to find it.

I do have some knowledge and experience from when I was studying for the CISSP exam, I passed, but do not have any forensic hands-on experience.

What I am basically looking for is a list of tools that I can get my hands on quickly and cheaply, and if possible a checklist or methodology to work to.

I know this should be left to the experts, but time constraints and budget mean this is not possible, besides how hard can it be. <g>

We have 2 locations to "raid" simultaneously, so I will be at one site, and a colleague at another.

The plan thus far is....

Video record everything from entry to the building, to sealing an image of the machines in question into polythene type bags, and signing over the top of them. Also, the investigation into the data will be recorded on video.

Two images will be taken on site, one for sealing in the bag, another as the "working copy". These will be MD5 checksummed, and the hash recorded on paper. The sealed copy will go to a secure storage location for appearance in court, and the working copy used to gather evidence. The original will be returned to its owner.

Each and every step taken will be recorded, and witnessed, and signed off by the person who takes the action, the person who witnesses, and the person who recorded the activity.

All personnel involved will be available for court dates should it come to that. But we strongly believe that the required information will be gained from one of the two locations, and that will be enough for the "plaintiff" to present to the "defendant" so that a settlement can be reached.

Have I missed anything fundamental? Are there some other steps I should take? What tools, methods should be used to gather the images and interrogate the images when gathered?

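The acquisition step Ken describes (a bit-for-bit dd image, MD5 hashes of source and image compared, and a written log of each action) and the sealed-copy/working-copy plan in the original post, shown as an added shell example that is not part of either message. It assumes coreutils `dd` and `md5sum`; the source path is a raw device sitting behind a hardware write blocker in real use, and a constructed file here so the script runs offline. The log format and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): bit-for-bit acquisition with dd,
# hash verification of source vs. image, and a plain-text chain-of-custody log.
# Assumption: in a real acquisition $1 is a device (e.g. /dev/sdX) attached
# through a write blocker so the source cannot be modified.

# acquire_image SOURCE IMAGE LOGFILE
# Copies SOURCE to IMAGE with dd, hashes both, appends a log entry, and
# returns 0 only when the two MD5 hashes match.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    # conv=noerror,sync: keep reading past bad sectors and pad them so the
    # image stays the same size and offsets as the source.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(md5sum "$src" | cut -d' ' -f1)
    img_hash=$(md5sum "$img" | cut -d' ' -f1)
    # One tab-separated line per action: when, what, where, hashes, who.
    printf '%s\tacquire\t%s -> %s\tsrc_md5=%s\timg_md5=%s\tby=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" \
        "$src_hash" "$img_hash" "${USER:-unknown}" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE EXPECTED_MD5
# Re-checks a copy against the hash recorded on paper / in the log.
verify_image() {
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Practice run on a constructed "drive" file: one sealed copy, one working
# copy, then a deliberate byte change to show that verification catches it.
demo() {
    tmp=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$tmp/drive.bin" bs=4096 count=16 2>/dev/null
    acquire_image "$tmp/drive.bin" "$tmp/sealed.dd"  "$tmp/custody.log" || return 1
    acquire_image "$tmp/drive.bin" "$tmp/working.dd" "$tmp/custody.log" || return 1
    expected=$(md5sum "$tmp/drive.bin" | cut -d' ' -f1)
    verify_image "$tmp/working.dd" "$expected" || return 1
    # Flip one byte in the working copy without truncating it.
    printf 'x' | dd of="$tmp/working.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$tmp/working.dd" "$expected"; then
        echo "tamper check failed: hash still matches" >&2
        return 1
    fi
    cat "$tmp/custody.log"
    rm -rf "$tmp"
    return 0
}

demo || echo "acquisition check failed" >&2
```

Hashing the source a second time means reading the whole drive again through the write blocker; that is the point, since the hash on paper should describe the original, not just the copy. MD5 is what the thread discusses; recording a SHA-256 alongside it costs nothing and avoids arguments about MD5 collisions later.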