RE: forensics procedure for PC analysis

["Simon Thornton" <simon () thornton info>]

Hi John,

The ACPO Guidelines [1] are a good starting place, The other links below
[3],[4],[5] are more biased to US case law.

The Helix CD [7] contains a number of standard forms for evidence
collection as well as tools.

> From a process point of view a few of the things you have to consider
things are:

- just cause; before you start imaging a machine or breaching someones
privacy you need to document the facts as to why you want to carry out an
investigation.
- privacy laws; targetting a machine for suspicious activity maybe ok for
initial discovery but to target the user you are potentially breaching
their privacy. What do your national laws say on this?.
- Authorisation; Who needs to authorise an investigation and at what
point is this required?
- how far your e-discovery can go before you need to seek authorisation
to continue
- Search and seizure and the national laws around this (in some
countries, such as Belgium) only the police have the legal right to
search someone.
- What information you collect during the search and seizure and the
chain of custody
- have forms for writing down the equipment/drive serial numbers,
descriptions, 
- document document document; everything you do and collect must be
documented, even mistakes.

(these are only a few points, many more can be found on the links shown
below).

It helps if you have standardised collection tools such as Helix [7],
Encase [8], Paraben [9], Logiccube [10] etc plus suitable write blockers.



[1]
http://www.acpo.police.uk/asp/policies/Data/ACPO%20Guidelines%20v18.pdf 
[2] http://www.auscert.org.au/render.html?it=2247
[3] http://cyber.law.harvard.edu/digitaldiscovery/digdisc_library_8.html
[4] http://library.findlaw.com/1999/Feb/22/128536.html
[5]
http://www.logicubeforensics.com/logicube/articles/cybersleuth_collecting
_digital_evidence.asp
[6]
http://books.google.com/books?id=nEqHuVht7HgC&dq=guidelines+on+collecting
+electronic+evidence&printsec=frontcover&source=in&hl=en&ei=Tfr7Sd-HKdKD-
QbpnPH_Aw&sa=X&oi=book_result&ct=result&resnum=11#PPR20,M1
[7] http://www.e-fense.com/helix
[8] http://www.encase.com
[9] http://www.paraben.com
[10] http://www.logicubeforensics.com/

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of John O Laoi
Sent: Monday, April 27, 2009 12:31
To: security-basics () lists securityfocus com
Subject: forensics procedure for PC analysis

Hello,
Does anyone have pointers to a full recommended procedure on
preserving PC data for forensic analysis?
I'm thinking about things like getting a full backup (using dd),
preserving the disks, graceful shutdown or not, etc.

My employer has asked me to look into drafting a policy to address
this, in situations where say illicit material has been lodged to
disk.

John

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec
Institute's Ethical Hacking class. 
Totally hands-on course with evening Capture The Flag (CTF) exercises,
Certified Ethical Hacker and Certified Penetration Tester exams, taught
by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------

Attachment: smime.p7s
Description: