Security Incidents mailing list archives
Litigious investigation methodology
From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 10 Jun 2004 04:45:40 -0700 (PDT)
All,

I posted a cursory methodology for Windows systems last night, and based on some posts I saw this morning, wanted to pose a question or two...

Mark's simple data collection methodology is a good one (albeit some of the references to "analysis" should read "collection"), and someone pointed out to him that it's not useful for litigious investigations (ie, investigations that lead to law enforcement involvement). After reviewing other sources, I have to ask...why? What is it specifically about his methodology that prevents it from being used in pursuit of a litigious investigation? Is it b/c some of the tools are run from the victim system rather than the CD? Is it b/c the output of the tools is written to a diskette, and those diskettes can be "infected" with malware, just b/c they are writable?

What I'm getting at here is that rather than simply pointing out the flaws in something, let's try making suggestions for improvement. Take the methodology I developed for my book, the Forensic Server Project (code and instructions available at http://www.windows-ir.com), for example. Tools are run from a CD, and the output of the tools is transported off of the system via the network to a waiting server system. The server component handles documentation/logging, generation of hashes (verification of hashes if files are copied off of the system, etc.). Is such a methodology sufficient?

If you've got questions about the FSP, feel free to ask. The goal here is to produce something that can be used.
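Added example, not code from the Forensic Server Project or from Harlan: a minimal Python sketch of the server-side role he describes, which stores each tool's output received from the victim system, logs the client, tool, size and SHA-256 hash, and can later re-verify the stored files against that log. The framing format (`<tool>\t<length>\n` followed by the bytes), the JSON audit log and the sample "pslist" output are assumptions made for the example.

```python
# Added example: server-side evidence recorder in the spirit of the FSP
# design. Framing (assumed): "<tool>\t<byte_count>\n" then byte_count bytes.
import hashlib
import io
import json
import os
import tempfile
import time


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_evidence(case_dir: str, client_host: str, tool: str, data: bytes) -> dict:
    """Write one tool's output to the case directory and append an audit entry."""
    os.makedirs(case_dir, exist_ok=True)
    # Keep the tool name to a safe character set so it cannot escape case_dir.
    safe = "".join(c if c.isalnum() or c in "._-" else "_" for c in tool)
    name = f"{time.time_ns()}_{safe}.txt"
    with open(os.path.join(case_dir, name), "wb") as fh:
        fh.write(data)
    entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "client": client_host, "tool": tool, "file": name,
             "bytes": len(data), "sha256": _sha256(data)}
    with open(os.path.join(case_dir, "audit.log"), "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def handle_stream(stream, case_dir: str, client_host: str) -> dict:
    """Parse one framed message from a file-like object and record it."""
    tool, size = stream.readline().decode().rstrip("\n").split("\t")
    data = stream.read(int(size))
    if len(data) != int(size):  # connection dropped mid-transfer: do not log a partial file as complete
        raise ValueError("short read before payload complete")
    return record_evidence(case_dir, client_host, tool, data)


def verify_case(case_dir: str) -> list:
    """Re-hash every logged file; return the names whose hash no longer matches."""
    bad = []
    with open(os.path.join(case_dir, "audit.log")) as log:
        for line in log:
            entry = json.loads(line)
            with open(os.path.join(case_dir, entry["file"]), "rb") as fh:
                if _sha256(fh.read()) != entry["sha256"]:
                    bad.append(entry["file"])
    return bad


def demo() -> tuple:
    """Constructed run: record a message, verify, tamper with the file, verify again."""
    case = tempfile.mkdtemp()
    entry = handle_stream(io.BytesIO(b"pslist\t11\nhello world"), case, "10.0.0.5")
    clean = verify_case(case)
    with open(os.path.join(case, entry["file"]), "ab") as fh:
        fh.write(b"x")  # simulate post-collection modification
    return entry, clean, verify_case(case)


if __name__ == "__main__":
    print(demo())
```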