Changes in your imaging & analysis practice

jpickens (@jpickens), topic starter
For those that have been in DFIR for (let's say…) 5+ years now, I was thinking about how much has really changed and what is still common in forensics for collection and analysis as far as technique, issues, methodology, etc. go (tools aside).

For example, over-the-wire forensics in an enterprise has really changed the approach with the growth of fiber or gigabit connectivity and the processing speeds of endpoints. Because of this, not all cases require full-disk collections to be considered enough data for an investigation in a corporate setting. Often a logical acquisition may suffice (depending on the scenario, of course).

I was thinking about gathering some responses and hoping to identify what kind of changes (if any) have really grown in the DFIR approach as changes in software and technology happen. All this is assuming we follow current best practices.

 
Posted : 06/02/2017 8:02 pm
pbobby (@pbobby)

I work corporate investigations/incidents.

Triage is key, and we rarely pull the entire content over the wire. Usually we pick and choose: any file owned by a SID, some OS artifacts and so forth.

Even if we have the drive in hand, we will rarely take a full image.

 
Posted : 07/02/2017 1:48 am
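The two posts above describe the same shift: a logical, pick-and-choose collection (files owned by a given account, a fixed list of OS artifacts) instead of a full image. The trade-off is that a partial collection has to carry its own integrity record, or nobody can later show what was taken and that it has not changed. The following script is an added example and is not code from the thread or from any of the posters; the artifact allow-list, the sample volume tree and the helper names are constructed for illustration. Owner matching uses the POSIX uid from os.stat; on Windows the same predicate would be built on a SID lookup instead (assumption).

```python
"""Selective (logical) triage collection with a hashed manifest.

Added example, not from the thread. Instead of imaging the whole disk, walk
a source tree, keep only files matching an artifact allow-list and,
optionally, a particular owner, copy them out with timestamps preserved,
and write a SHA-256 manifest so the partial collection can be verified later.
The patterns and the demo tree are constructed; owner filtering uses the
POSIX uid (assumption: a SID lookup would replace it on Windows).
"""
import fnmatch
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

# Constructed allow-list of Windows artifacts, relative to the volume root.
DEFAULT_PATTERNS = (
    "Windows/System32/config/*",   # registry hives
    "Windows/Prefetch/*.pf",       # execution evidence
    "Users/*/NTUSER.DAT",          # per-user hives
)


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large artifacts do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def select_files(root: Path, patterns=DEFAULT_PATTERNS, owner_uid=None):
    """Yield (path, relative path, stat) for files whose relative path matches
    a pattern and, if owner_uid is given, whose st_uid equals it."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if not any(fnmatch.fnmatch(rel, pat) for pat in patterns):
                continue
            st = p.stat()
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            yield p, rel, st


def collect(root: Path, dest: Path, patterns=DEFAULT_PATTERNS, owner_uid=None) -> dict:
    """Copy selected files into dest (same relative layout) and return a manifest.
    The source is hashed before the copy and the copy afterwards; a mismatch
    means the file changed underneath us (live system) and is flagged."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {
        "source": str(root),
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "entries": [],
    }
    for src, rel, st in select_files(root, patterns, owner_uid):
        out = dest / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        src_hash = sha256_file(src)
        shutil.copy2(src, out)  # copy2 keeps the source mtime/atime on the copy
        manifest["entries"].append({
            "path": rel,
            "size": st.st_size,
            "mtime": st.st_mtime,
            "sha256": src_hash,
            "copy_ok": sha256_file(out) == src_hash,
        })
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(dest: Path, manifest: dict) -> list:
    """Re-hash the collected copies; return relative paths that no longer match."""
    bad = []
    for e in manifest["entries"]:
        p = dest / e["path"]
        if not p.is_file() or sha256_file(p) != e["sha256"]:
            bad.append(e["path"])
    return bad


def build_demo_tree(root: Path) -> None:
    """Constructed stand-in for a mounted volume; contents are placeholders."""
    files = {
        "Windows/System32/config/SYSTEM": b"hive SYSTEM",
        "Windows/System32/config/SAM": b"hive SAM",
        "Windows/Prefetch/CMD.EXE-ABCD1234.pf": b"prefetch",
        "Users/alice/NTUSER.DAT": b"hive NTUSER",
        "Users/alice/Documents/notes.txt": b"not in the allow-list",
        "pagefile.sys": b"\0" * 4096,  # deliberately skipped by a logical pull
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo():
    """Build the demo tree in a temp dir, collect it, return (src, dest, manifest)."""
    src, dst = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    build_demo_tree(src)
    return src, dst, collect(src, dst)


if __name__ == "__main__":
    _, dst, m = run_demo()
    print(f"collected {len(m['entries'])} files; mismatches: {verify_manifest(dst, m)}")
```

Hashing the source before the copy and the copy afterwards is what makes a live, selective pull defensible: the manifest ties each artifact to a digest taken on the host, and `verify_manifest` can be re-run on the collected set at any later point to show nothing was altered in transit or storage.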
MDCR (@mdcr)
I suspect there will be a time in the near future when there will be more .VMDK than .DD (I've investigated two VMDKs); maybe stuff like Docker will show up too.

Acquisition will be very different and could focus on remote gathering of data, which may be necessary because of limitations of warrants or bandwidth; maybe going from dumping processes to dumping entire virtual hosts/forcing snapshots.

Apart from that, the methods and tools will probably remain the same for a long time.

 
Posted : 07/02/2017 7:08 am
thefuf (@thefuf)
"Push the button" during acquisitions of mobile devices, because vendors of computer forensic tools have begun to exploit vulnerabilities (for example, to enable physical extractions), and they don't disclose much detail about these exploits. So, in some situations an examiner doesn't know how exactly an acquisition method works.

 
Posted : 07/02/2017 2:28 pm