Changes in your imaging & analysis practice


Senior Member

Changes in your imaging & analysis practice

Post Posted: Feb 06, 17 21:02

For those who have been in DFIR for (let's say...) 5+ years now, I was thinking about how much has really changed and what is still common in forensics for collection and analysis as far as technique, issues, methodology, etc. (tools aside).

For example: over-the-wire forensics in an enterprise has really changed the approach with the growth of fiber or gigabit connectivity and processing speeds of endpoints. Because of this, not all cases require full-disk collections to be considered enough data for an investigation in a corporate setting. Often a logical acquisition may suffice (depending on the scenario, of course).

I was thinking about gathering some responses and hoping to identify what kind of changes (if any) really have grown in the DFIR approach as changes in software and technology happen. All this is assuming we follow current best practices.

Senior Member

Re: Changes in your imaging & analysis practice

Post Posted: Feb 07, 17 02:48

I work corporate investigations/incidents.

Triage is key and we rarely pull the entire content over the wire. Usually we pick and choose: any file owned by a SID, some OS artifacts and so forth.

Even if we have the drive in hand, we will rarely take a full image.

Don't get baited.

Senior Member

Re: Changes in your imaging & analysis practice

Post Posted: Feb 07, 17 08:08

I suspect there will be a time in the near future when there will be more .VMDK than .DD (I've investigated two VMDKs); maybe stuff like Docker will show up too.

Acquisition will be very different and could focus on remote gathering of data, which may be necessary because of limitations of warrants or bandwidth, maybe going from dumping processes to dumping entire virtual hosts/forcing snapshots.

Apart from that, the methods and tools will probably remain the same for a long time.

Senior Member

Re: Changes in your imaging & analysis practice

Post Posted: Feb 07, 17 15:28

"Push the button" during acquisitions of mobile devices, because vendors of computer forensic tools have begun to exploit vulnerabilities (for example, to enable physical extractions), and they don't disclose much detail about these exploits. So, in some situations an examiner doesn't know how exactly an acquisition method works.
