Hi,
I'm Lucy, I'm 20 years old and I'm starting my university year.
Anyway I wanted to ask some professionals for their opinion on a situation that was given to us by our teacher.
Context :
You have just been alerted by Megan, the executive secretary of the company "TTW: Travel the World". Megan tells you:
- She came back from vacation and noticed a strange behavior on her computer
- Doesn't know exactly how to explain the behavior that didn't happen again
- Not knowing exactly what she was doing
You are asked to find out what is happening on Megan's computer.
The memory and disk dumps have already been done by the teams on site according to the procedures you gave.
You will explain :
- Your first steps upon arrival on site: what do you do first?
- How you collect the information (from whom? from which equipment? how? with which teams?)
- How you collect the evidence (papers, hardware, software, ...)
- How you guarantee the collection of information and evidence
- How you will analyze the evidence
- What are your conclusions (probable scenario, IOC, ...)
- What are your recommendations (hardware, software, human)
I started by writing this:
My first action when I arrived on site was to isolate the computer from all human and company network interaction. We must avoid corrupting the crime scene.
After that I don't know how to continue, I don't know what to do. Do you have any ideas, opinions, procedures or methodology of a forensics investigator?
Also, I have to do a:
- Static analysis of the memory dump and disk image
- Dynamic analysis of the memory dump and disk image
What are the best tools for that?
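Two of the assignment's points ("how you guarantee the collection of evidence" and "static analysis of the memory dump") have a concrete, reproducible core that is worth seeing in code. The block below is an added example, not part of Lucy's post or her teacher's material: it hashes an acquired image in chunks, records a chain-of-custody entry (who, what, when, SHA-256), re-verifies the image later so any alteration is detected, and then does the simplest static triage on a raw image, pulling printable strings and matching them against a few IOC patterns (IPv4, URL, Windows path, PowerShell with an encoded command). The memory image, the file names `megan-mem.raw` and `custody.jsonl`, the collector name, and the planted artifacts (including the 203.0.113.0/24 documentation address) are all constructed for the demo. String-and-regex triage is only a starting point: each hit still has to be confirmed against process, command-line and network data from a memory-analysis framework, and the disk image gets the same hash-then-verify treatment before anything is mounted read-only.

```python
"""Added example: evidence integrity (hash + chain-of-custody manifest) and a first
static triage of a raw memory image. Everything here is constructed for the demo."""
import hashlib
import json
import os
import re
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a (possibly multi-GB) image in chunks so it never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def record_acquisition(path, collector, manifest_path):
    """Append one chain-of-custody entry: who collected what, when, and its hash."""
    entry = {
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "a", encoding="utf-8") as m:
        m.write(json.dumps(entry) + "\n")
    return entry


def verify_manifest(manifest_path, evidence_dir):
    """Re-hash every file named in the manifest; False means missing or altered."""
    status = {}
    with open(manifest_path, encoding="utf-8") as m:
        for line in m:
            entry = json.loads(line)
            p = os.path.join(evidence_dir, entry["file"])
            status[entry["file"]] = os.path.isfile(p) and sha256_file(p) == entry["sha256"]
    return status


# Printable-ASCII runs of 6+ characters, the same idea as `strings -n 6`.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"']+"),
    "windows_path": re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]+"),
    # PowerShell launched with an encoded command is a common loader/persistence artifact.
    "powershell_encoded": re.compile(
        r"powershell(?:\.exe)?\s+.*-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
}


def extract_iocs(image_path):
    """Collect candidate IOCs from printable strings in a raw image. Triage only:
    every hit must still be confirmed with process/cmdline/network analysis."""
    found = {name: set() for name in IOC_PATTERNS}
    with open(image_path, "rb") as f:
        data = f.read()  # fine for the demo; use mmap for a real multi-GB dump
    for run in ASCII_RUN.finditer(data):
        text = run.group().decode("ascii")
        for name, pattern in IOC_PATTERNS.items():
            found[name].update(pattern.findall(text))
    return {name: sorted(hits) for name, hits in found.items()}


def build_constructed_dump(path):
    """CONSTRUCTED sample memory image: byte filler with a few planted artifacts."""
    filler = bytes(range(256)) * 16
    planted = (
        b"\x00C:\\Users\\megan\\AppData\\Roaming\\updater.exe\x00"
        b"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA\x00"
        b"http://203.0.113.10/update.bin\x00"  # 203.0.113.0/24 is a documentation range
    )
    with open(path, "wb") as f:
        f.write(filler + planted + filler)


def run_demo():
    """Acquire -> record -> verify -> triage -> tamper -> verify again."""
    work = tempfile.mkdtemp(prefix="ttw-case-")
    image = os.path.join(work, "megan-mem.raw")          # hypothetical file name
    manifest = os.path.join(work, "custody.jsonl")       # hypothetical file name
    build_constructed_dump(image)
    record_acquisition(image, "on-site team (hypothetical)", manifest)
    before = verify_manifest(manifest, work)
    iocs = extract_iocs(image)
    with open(image, "r+b") as f:  # simulate one byte altered after acquisition
        f.write(b"X")
    after = verify_manifest(manifest, work)
    return {"intact_before": before, "iocs": iocs, "intact_after_tamper": after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is append-only JSON lines so every hand-off adds a line rather than editing an earlier one; in a real case the manifest itself is hashed and stored separately from the evidence, and the verification is repeated before and after every analysis step.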