Strategy for a massive investigation


RolfGutmann
Senior Member
 

Re: Strategy for a massive investigation

Post Posted: Sep 24, 16 23:36

I would start with a three-step process of getting priorities for resource planning (runtime of server load) out of a triage of what key findings we search for, the probability of finding them, and the risk of failing evidence. These three factors combine to feed the triage. After this, allocation of people, engines and analysis software should be easier.
 
  

jaclaz
Senior Member
 

Re: Strategy for a massive investigation

Post Posted: Sep 25, 16 00:18

- RolfGutmann
I would start with a three-step process of getting priorities for resource planning (runtime of server load) out of a triage of what key findings we search for, the probability of finding them, and the risk of failing evidence. These three factors combine to feed the triage. After this, allocation of people, engines and analysis software should be easier.


If I get this right, the three steps/factors are:
1) what key findings we search for
2) probability to find
3) risk to fail evidence

But HOW do you evaluate them?
And with which metrics do you measure them?

And once you have correctly evaluated them, let's say they are:
1) something very easy
2) very high
3) very low

What changes in the procedure when compared to (say):
1) something moderately difficult
2) average
3) probable

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

trewmte
Senior Member
 

Re: Strategy for a massive investigation

Post Posted: Sep 25, 16 14:01

- calimelo
Hi all,

Let's assume you received hundreds of thousands of digital forensics materials. What would be your strategy? Would it be really different from your routine or you'd change your SOPs?

Regards


I have worked on several investigations where there is a large volume of digital devices and network based evidence has been involved.

This really is a wide open question because there are so many ways to offer theoretical or practical observations. This is because there are so many different interpretations and understanding of labels being given to standard operating procedures.

In civil investigation much has been said about the trio involved in small or large scale investigations:

- collecting,
- analysing
- presenting digital evidence

However, what is actually meant by "collecting"? Are we to take it that collecting means extracting and harvesting data from a digital device or does it mean the ordinary word to bring or gather together? It adds further confusion if collecting actually means seizure, not only in the ordinary meaning of the word applied to it but also under (civil/criminal) legal constraints.

If we say collecting is supposed to mean seizure then why follow collecting (seizure) immediately with analysing? Where is the examination process?

What is clear is that if your SOPs are based upon micro-to-small quantities of seized items, then it is unlikely those SOPs can be used for large-scale investigation (so some routines will change) without the change at least being reflected through modification of the existing SOPs or, which is highly possible, the creation of new SOPs.

I agree with the comment above about triage being an important part. Indeed triage has one foot in the camp of "analysis".
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

jpickens
Senior Member
 

Re: Strategy for a massive investigation

Post Posted: Sep 26, 16 18:31

Yes, if there is that much evidence, physical or digital, my first approach would be to design a way to build an effective evidence inventory and COC (chain of custody) for all items in a database or similar manner. I would assume most teams/labs are not equipped for a task that large, so this would be custom-built.

Do all the analysis you want, but if there's an issue w/ evidence tracking, you could be throwing away time, money and reputation.

From there, I have asked counsel to prioritize analysis (with my input), then proceeded from there.

Oh, and hire some folks to help out.
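The evidence inventory and chain-of-custody record that jpickens describes, written out as an added example (this is not code from the post, nor any tool the thread mentions). Assumptions, all mine: each exhibit carries a case-local exhibit ID and the SHA-256 of its acquired image; every custody transfer is appended as an event whose hash covers the previous event, so a later edit or deletion of an entry is detectable; a numeric priority set with counsel's input drives the analysis work queue. The sample exhibits and "image" bytes are constructed for illustration.

```python
"""Evidence inventory with a hash-chained chain-of-custody (COC) log.

Added example, not from the forum post. Exhibit IDs, party names,
priority scale and the sample image bytes are assumptions made here.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Dict, List


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    seq: int
    timestamp: str
    action: str          # e.g. "seized", "transferred", "imaged", "returned"
    from_party: str
    to_party: str
    note: str
    prev_hash: str       # entry_hash of the previous event (chain link)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except entry_hash itself, in a canonical encoding.
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return _digest(json.dumps(body, sort_keys=True).encode())


@dataclass
class EvidenceItem:
    exhibit_id: str
    description: str
    image_sha256: str
    priority: int = 3    # 1 = analyse first (assumed scale, set with counsel)
    custody: List[CustodyEvent] = field(default_factory=list)

    def _genesis(self) -> str:
        # The chain for each exhibit is anchored on its own ID.
        return _digest(self.exhibit_id.encode())

    def append_event(self, action, from_party, to_party, note="", when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.custody[-1].entry_hash if self.custody else self._genesis()
        ev = CustodyEvent(len(self.custody), when, action, from_party, to_party, note, prev)
        ev.entry_hash = ev.compute_hash()
        self.custody.append(ev)
        return ev

    def verify_chain(self) -> bool:
        # Walk the log: sequence numbers, back-links and entry hashes must all hold.
        prev = self._genesis()
        for i, ev in enumerate(self.custody):
            if ev.seq != i or ev.prev_hash != prev or ev.entry_hash != ev.compute_hash():
                return False
            prev = ev.entry_hash
        return True


class EvidenceInventory:
    def __init__(self):
        self.items: Dict[str, EvidenceItem] = {}

    def register(self, exhibit_id, description, image_bytes, priority=3,
                 seized_by="", seized_from=""):
        if exhibit_id in self.items:
            raise ValueError(f"duplicate exhibit id {exhibit_id}")
        item = EvidenceItem(exhibit_id, description, _digest(image_bytes), priority)
        item.append_event("seized", seized_from, seized_by)
        self.items[exhibit_id] = item
        return item

    def verify_image(self, exhibit_id: str, image_bytes: bytes) -> bool:
        """True if the image presented now matches the hash recorded at intake."""
        return self.items[exhibit_id].image_sha256 == _digest(image_bytes)

    def audit(self) -> List[str]:
        """Exhibit IDs whose custody log no longer verifies (tampered or corrupted)."""
        return [eid for eid, it in self.items.items() if not it.verify_chain()]

    def work_queue(self) -> List[str]:
        """Exhibits in analysis order: lowest priority number first, then by ID."""
        ranked = sorted(self.items.items(), key=lambda kv: (kv[1].priority, kv[0]))
        return [eid for eid, _ in ranked]


if __name__ == "__main__":
    inv = EvidenceInventory()   # constructed sample data below
    inv.register("EX-0001", "laptop HDD", b"img1", priority=2, seized_by="DET-A", seized_from="subject")
    inv.register("EX-0002", "handset", b"img2", priority=1, seized_by="DET-A", seized_from="subject")
    inv.items["EX-0001"].append_event("transferred", "DET-A", "LAB", "for imaging")
    print("queue:", inv.work_queue(), "audit failures:", inv.audit())
    inv.items["EX-0001"].custody[0].note = "edited after the fact"
    print("audit failures after tamper:", inv.audit())
```

The point of the back-link is the audit: a single edited note in an early event invalidates that exhibit's whole log, which is what a custody record in a hastily built database usually lacks. In a real deployment the per-event hashes would also be signed or written to append-only storage, since whoever can edit the row can recompute the hash.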
 
