Reflections on a first computer forensic investigation
I was in my last semester of an AAS degree in Computer Forensics when I started my mandatory internship. After locating, interviewing and being accepted, I was assigned to the engineering pool of a local IT solutions company and began my training by conducting vulnerability scanning using NESSUS. As I neared the end of my 90-hour internship, I approached my manager and requested the opportunity to conduct a forensic investigation of a company computer. As luck would have it, the company had just gone through a small round of layoffs, and in the manager's office were several laptops which had been turned in by the departing employees. I was handed one at random and set off to begin my first "real world" investigation. Before I began, I was given a few directives which were the beginning of many pitfalls in this soon-to-be brief investigation. The first instruction I was given was to boot the suspect computer to the administrator account and retrieve all software product keys, "just in case", as there was no hard copy record of these. The second was to keep the user name and company name confidential in any report I generated. As an overanxious, fledgling investigator, I immediately jumped feet first into the process. As you can see, I have already made several mistakes. I let management dictate investigative procedures and I did not properly assess and plan my investigation.
As you can see, there were a significant number of changes to the suspect drive: booting to the admin account multiple times, attaching a USB thumb drive, and assigning a static IP configuration. I knew at this time I was long overdue in capturing an image of the hard drive. I was able to locate a 150GB external USB drive to use as a destination drive. The problem was I had never used HELIX to obtain an image before. It took a few tries to get it to work: first I had to learn the commands to mount the USB drive as read/write, and second I had to learn to use the version of AIR on the HELIX CD to acquire the image. I successfully hashed the suspect hard drive and verified it against the acquired image.
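As an added example, not from the original article, here is the acquire-and-verify step described above written out with the command-line tools a HELIX-style live CD carries (dd and sha256sum) rather than the AIR front end; the device paths and log file are assumptions, and hashing the source both before and after imaging is the check that shows the acquisition itself did not alter the evidence.

```shell
#!/bin/sh
# Added example (not the article's own procedure): image a suspect disk
# to a destination drive and verify it by hash, logging every step.
# The source is normally a block device such as /dev/sda (an assumption);
# a regular file also works, so the flow can be rehearsed on a constructed
# sample before it is used on real evidence.

# Mount only the DESTINATION drive read/write. The suspect disk is never
# mounted; it is read raw by dd. DEV and MNT are illustrative assumptions
# (e.g. /dev/sdb1 and /mnt/dest).
mount_destination() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt" && mount -o rw "$dev" "$mnt"
}

# Compare the SHA-256 of the source and the image; true only if they match.
verify_image() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(sha256sum "$2" | cut -d' ' -f1)" ]
}

# Hash the source, image it sector by sector, hash the image, then re-hash
# the source. Each hash is written to LOG with a UTC timestamp, and dd's
# own records-in/out summary is appended as well. Returns 0 only if all
# three hashes agree.
# bs=512 is deliberate: conv=noerror,sync keeps going past unreadable
# sectors and pads them with zeros, and with a sector-sized block that
# padding never touches good data (a 4M block would pad the tail of a
# drive whose size is not a multiple of 4M and break the hash match).
acquire_and_verify() {
    src="$1"; img="$2"; log="$3"
    stamp() { date -u '+%Y-%m-%dT%H:%M:%SZ'; }
    pre=$(sha256sum "$src" | cut -d' ' -f1)
    echo "$(stamp) source-before sha256=$pre" >> "$log"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>> "$log"
    imghash=$(sha256sum "$img" | cut -d' ' -f1)
    echo "$(stamp) image sha256=$imghash" >> "$log"
    post=$(sha256sum "$src" | cut -d' ' -f1)
    echo "$(stamp) source-after sha256=$post" >> "$log"
    [ "$pre" = "$imghash" ] && [ "$pre" = "$post" ]
}
```

Run as root with the real device, for example `acquire_and_verify /dev/sda /mnt/dest/suspect.dd /mnt/dest/acquisition.log`, after `mount_destination`; a non-zero exit means the image must not be trusted.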
Now, how was I going to examine a 40GB drive with a demo version of FTK? I decided that I would export folders and examine them individually as separate cases in FTK. I used FTK Imager to open the acquired image and export the following folders in the primary user's profile:
- A subfolder of the Favorites folder (named STUFF)
- A deleted Desktop folder named OTHER
- My Documents
A case was started in FTK for each of the above folders, most of which exceeded the 5000 file limit, but as I started reviewing the images, documents, and cookies, I got a pretty good idea how the user was spending his time on the Internet. Most of what I found was pornography. But it was when I examined the contents of the deleted Desktop folder that I got the information that would change the course of the investigation and make me wish I had done things differently. The deleted folder contained over 200 sexually explicit stories, 83 of which were tagged by the author as either pedophile or extreme pedophile. There were also dozens of CP images that accompanied these stories.
I stopped my investigation and began putting together a report to present to the manager. He contacted the CIO of the company, who in turn contacted the corporate attorney. It was at this point that the FBI was called in and all evidence was turned over to them. The Special Agent was impressed with the tools I used and the documentation I presented. Despite this, I spent the next few days reflecting upon my actions and revising my methodology. I broke quite a few rules of forensic investigation, such as: do not alter the data, keep meticulous documentation and have the right tools (and know how to use them). I made a list of the good and bad:
Bad:
- Not assessing the case before starting
- Letting management dictate the course of the investigation
- Not having the proper tools/equipment and knowing how to use them
- Not treating every investigation as if it were going to court
- Not documenting EVERY step
- Not testing my methodology
Good:
- Knowing when to ask for help - i.e. asking a Linux weenie for help with Linux commands
- Knowing when to stop the investigation
- Having a methodology
- Keeping notes
- Learning from my experiences
I continue to collect, use and validate forensic tools. I am now using a licensed copy of UTK and have obtained several RAW images and am experimenting on them, revising my methodology as I go. I have also put together a team for the DC3 Challenge. I hope this was helpful to some of the other newbies out there. I can be contacted with any questions/comments at firstname.lastname@example.org.