Project Help: Common Investigation Searches
Posted: Sun Feb 03, 2013 9:46 am
I'm a student currently studying Computer Forensics. For one of our modules we have been tasked to come up with any idea, as long as we work as a team. We have an idea we wish to build upon. We are going to make a website / interactive guide into computer forensics investigation, an introductory guide for new computer forensics students when it comes to doing things such as their first forensic investigation. The idea came about from the challenges we faced when doing the NIST computer hacking case questions. Because of the limited time we have, we have decided to focus on Windows computers, but if we have enough time we would love to expand onto other OSes and to more advanced forensics techniques. I was just wondering what the most common things are that you find have to be found when it comes to investigating, such as the username, last logged-on time, or anything you think should be considered a basic/core technique that should be taught first.
Any other ideas or criticism welcome.
-
Gingiee - Newbie
Re: Project Help: Common Investigation Searches
Posted: Mon Feb 04, 2013 12:17 am
- Gingiee: We are going to make a website / interactive guide into computer forensics investigation, an introductory guide for new computer forensics students when it comes to doing things such as their first forensic investigation.
Why create a new one, why not re-use an existing one e.g. forensicswiki.org?
- Gingiee: The idea came about from the challenges we faced when doing the NIST computer hacking case questions. Because of the limited time we have, we have decided to focus on Windows computers, but if we have enough time we would love to expand onto other OSes and to more advanced forensics techniques. I was just wondering what the most common things are that you find have to be found when it comes to investigating, such as the username, last logged-on time, or anything you think should be considered a basic/core technique that should be taught first.
Any other ideas or criticism welcome.
Finding these pieces of information is highly dependent on the case you're dealing with. When new to computer forensic analysis, it is important to know about systems, to get a feeling for them. So yes, building a knowledge base and maybe a step-by-step walk-through of simple cases can give you a good basis.
However, in the long term you'll notice that doing computer forensic analysis is much more about coming up with good investigative questions than finding these pieces of information, since as soon as you determine how you can find a piece of information, you can automate this.
Now, finding new pieces of information: that's the hard part.
-

joachimm - Senior Member
Re: Project Help: Common Investigation Searches
Posted: Mon Feb 04, 2013 8:37 am
- Gingiee: We are going to make a website / interactive guide into computer forensics investigation, an introductory guide for new computer forensics students when it comes to doing things such as their first forensic investigation.
snip
- Gingiee: I was just wondering what the most common things are that you find have to be found when it comes to investigating, such as the username, last logged-on time, or anything you think should be considered a basic/core technique that should be taught first.
This is pretty much the reason why I posted about the Analysis Matrix:
windowsir.blogspot.com...atrix.html
By categorizing artifacts, an analyst does not have to remember specific things like what you've asked. By understanding the goals of the exam, what the analyst needs to determine, they can then map that information to the artifact categories, collect the "low hanging fruit", and get to analysis much faster.
The Forensic Scanner allows analysts to implement the Analysis Matrix, rather than having a checklist and an image, and a gap between implementing the checklist against the image:
windowsir.blogspot.com...anner.html
-

keydet89 - Senior Member