Security Basics mailing list archives
RE: forensics procedure for PC analysis
From: "Simon Thornton" <simon () thornton info>
Date: Sat, 2 May 2009 10:21:55 +0200
Hi John, the ACPO Guidelines [1] are a good starting place. The other links below [3], [4], [5] are more biased to US case law. The Helix CD [7] contains a number of standard forms for evidence collection as well as tools.

From a process point of view, a few of the things you have to consider are:

- Just cause; before you start imaging a machine or breaching someone's privacy you need to document the facts as to why you want to carry out an investigation.
- Privacy laws; targeting a machine for suspicious activity may be OK for initial discovery, but to target the user you are potentially breaching their privacy. What do your national laws say on this?
- Authorisation; who needs to authorise an investigation and at what point is this required?
- How far your e-discovery can go before you need to seek authorisation to continue.
- Search and seizure and the national laws around this (in some countries, such as Belgium, only the police have the legal right to search someone).
- What information you collect during the search and seizure and the chain of custody; have forms for writing down the equipment/drive serial numbers, descriptions, etc.
- Document, document, document; everything you do and collect must be documented, even mistakes.

(These are only a few points; many more can be found on the links shown below.)

It helps if you have standardised collection tools such as Helix [7], Encase [8], Paraben [9], Logicube [10] etc. plus suitable write blockers.
[1] http://www.acpo.police.uk/asp/policies/Data/ACPO%20Guidelines%20v18.pdf
[2] http://www.auscert.org.au/render.html?it=2247
[3] http://cyber.law.harvard.edu/digitaldiscovery/digdisc_library_8.html
[4] http://library.findlaw.com/1999/Feb/22/128536.html
[5] http://www.logicubeforensics.com/logicube/articles/cybersleuth_collecting_digital_evidence.asp
[6] http://books.google.com/books?id=nEqHuVht7HgC&dq=guidelines+on+collecting+electronic+evidence&printsec=frontcover&source=in&hl=en&ei=Tfr7Sd-HKdKD-QbpnPH_Aw&sa=X&oi=book_result&ct=result&resnum=11#PPR20,M1
[7] http://www.e-fense.com/helix
[8] http://www.encase.com
[9] http://www.paraben.com
[10] http://www.logicubeforensics.com/

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of John O Laoi
Sent: Monday, April 27, 2009 12:31
To: security-basics () lists securityfocus com
Subject: forensics procedure for PC analysis

Hello,

Does anyone have pointers to a full recommended procedure on preserving PC data for forensic analysis? I'm thinking about things like getting a full backup (using dd), preserving the disks, graceful shutdown or not, etc.

My employer has asked me to look into drafting a policy to address this, in situations where say illicit material has been lodged to disk.

John
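The dd imaging step John asks about, combined with the documentation and chain-of-custody points in the reply, as an added example that is not code from either poster: it images a source, hashes source and image, checks that they match, and appends an acquisition record to a custody log. It assumes GNU coreutils (dd, sha256sum, date) and uses a constructed file as a stand-in for a drive behind a write blocker.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: dd-image a source, hash source
# and image, confirm they match, and append an acquisition record to a
# chain-of-custody log. Assumes GNU coreutils (dd, sha256sum, date). In a
# real acquisition the source is a block device behind a write blocker;
# the demo at the bottom uses a constructed file as a stand-in.
set -eu

# image_and_verify SOURCE IMAGE LOG OPERATOR
# Returns 0 when the image's SHA-256 equals the source's, 1 otherwise.
image_and_verify() {
    local src="$1" img="$2" log="$3" operator="$4" status
    local started src_hash img_hash finished
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    # conv=noerror,sync reads past bad sectors and zero-fills them so later
    # offsets are preserved. bs=512 matches the sector size, so sync never
    # pads a sector-aligned device; a bs that does not divide the source
    # size would pad the last block and the hashes would not match.
    dd if="$src" of="$img" bs=512 conv=noerror,sync status=none
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    finished=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$src_hash" = "$img_hash" ]; then status=VERIFIED; else status=MISMATCH; fi
    # One record per acquisition; the stored hashes let anyone re-verify
    # the image against this entry later.
    {
        echo "acquisition started=$started finished=$finished operator=$operator"
        echo "  source=$src image=$img"
        echo "  sha256_source=$src_hash"
        echo "  sha256_image=$img_hash"
        echo "  result=$status"
    } >> "$log"
    [ "$status" = VERIFIED ]
}

# Demo on a constructed stand-in for a drive (2 MiB of random data).
demo_acquisition() {
    local work; work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.dev" bs=1M count=2 status=none
    image_and_verify "$work/evidence.dev" "$work/evidence.img" \
        "$work/custody.log" "examiner01"
    tail -n 5 "$work/custody.log"
}

demo_acquisition
```

The custody log is only as trustworthy as its storage, so keep it on separate write-once media or in a signed record rather than on the evidence image itself.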