Project Help: Common Investigation Searches

Post Posted: Sun Feb 03, 2013 9:46 am

I'm a student currently studying Computer Forensics. For one of our modules we have been tasked to come up with any idea, as long as we work as a team. We have an idea we wish to build upon. We are going to make a website / interactive guide into computer forensics investigation, an introductory guide for new computer forensics students when it comes to doing things such as their first forensic investigation. The idea came about from the challenges we faced when doing the NIST computer hacking case questions. Because of the limited time we have, we have decided to focus on Windows computers, but if we have enough time we would love to expand onto other OSs and to more advanced forensics techniques. I was just wondering what are the most common things you find have to be found when it comes to investigating, such as the username, last logged on time, or anything you think should be considered a basic/core technique that should be taught first.

Any other ideas or criticism welcome.

Gingiee
Newbie

Re: Project Help: Common Investigation Searches

Post Posted: Mon Feb 04, 2013 12:17 am

- Gingiee
We are going to make a website / Interactive guide into computer forensics investigation, an introductory guide for new computer forensics students when it comes to doing things such as their first forensic investigation.


Why create a new one, why not re-use an existing one e.g. forensicswiki.org?

- Gingiee
The idea came about from the challenges we faced when doing the NIST computer hacking case questions. Because of the limited time we have, we have decided to focus on Windows computers, but if we have enough time we would love to expand onto other OSs and to more advanced forensics techniques. I was just wondering what are the most common things you find have to be found when it comes to investigating, such as the username, last logged on time, or anything you think should be considered a basic/core technique that should be taught first.

Any other ideas or criticism welcome.


Finding these pieces of information is highly dependent on the case you're dealing with. When new to computer forensic analysis it is important to know about systems, to get a feeling for them. So yes, building a knowledge base and maybe a step-by-step walk-through of simple cases can give you a good basis.

However, in the long term you'll notice that doing computer forensic analysis is much more about coming up with good investigative questions than about finding these pieces of information, since as soon as you determine how you can find a piece of information, you can automate it.

Now, finding new pieces of information, that's the hard part.

joachimm
Senior Member

Re: Project Help: Common Investigation Searches

Post Posted: Mon Feb 04, 2013 8:37 am

- Gingiee
We are going to make a website / Interactive guide into computer forensics investigation, an introductory guide for new computer forensics students when it comes to doing things such as their first forensic investigation.


snip

- Gingiee
I was just wondering what are the most common things you find have to be found when it comes to investigating such as the username, last logged on time or anything you think should be considered a basic/core technique that should be taught first.


This is pretty much the reason why I posted about the Analysis Matrix:

windowsir.blogspot.com...atrix.html

By categorizing artifacts, an analyst does not have to remember specific things like what you've asked. By understanding the goals of the exam, what the analyst needs to determine, they can then map that information to the artifact categories, collect the "low hanging fruit", and get to analysis much faster.

The Forensic Scanner allows analysts to implement the Analysis Matrix, rather than having a checklist and an image, and a gap between implementing the checklist against the image:

windowsir.blogspot.com...anner.html

keydet89
Senior Member