Freelancing as a Digital Forensics Examiner

(@nerimatrixx)
Posts: 26
Eminent Member
Topic starter
 

Hello Everyone,

We were given the following scenario:

Doe is a Digital Forensic Examiner from the UK; he recently started offering DF services on a freelancing platform. Tesh is a Canadian soccer-mom that posted a project seeking help to find out who accessed her computer and deleted her files (recycle bin emptied). No file sharing is configured on the computer, and it's not connected to any other device in Tesh's home. Doe bid on the project and won.

Give suggestions on how Doe can ensure he gets a forensically-sound (does not alter any data) image of the computer. Tesh is willing to assist Doe in any way.

 

We are bursting our brains here, is this even possible? 😰 😰 😰 

 

 

 
Posted : 10/06/2020 1:36 am
(@athulin)
Posts: 1157
Noble Member
 

'We were given the following scenario' ... ?  Who are 'we', and who is the giver of this scenario? It sounds very much like some kind of class assignment, in which case it may easily be 'forensically and educationally unsound' to help.

 
Posted : 10/06/2020 6:10 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I have always wondered (it must be something of Anglo-Saxon schools that often extends to - at least US - journalism) why meaningless details are given, and then NO direct question is made.

This:

Give suggestions on how Doe can ensure he gets a forensically-sound (does not alter any data) image of the computer. 

means:

How do you make a forensic sound image of a computer[1]?

To which the correct answer is:

Properly using a tool or set of tools aimed at creating a forensic image of a computer.

Whether Doe is:
1) a UK citizen
2) a freelance that bid and won[2]

and whether Tesh is:

3) Canadian
4) a soccer-mom (whatever it means)

are totally irrelevant for the question.

About #5:

5) Tesh is willing to assist Doe in any way.

I would hope so, Tesh is the one that is forking out some good money by hiring Doe.

jaclaz

 

[1] most probably meaning a computer internal disk, as the only relevant detail, i.e. whether the computer has been kept on and is still on (and thus a RAM image may be of use) is NOT provided

[2] IMHO even more relevant from an ethical/educational point of view is that IF Doe bid for the project  AND he needs suggestions on how to do the very basic first steps of what he bid for (and won) THEN he is an impostor (and NOT a Digital Forensics Examiner)

 

 
Posted : 10/06/2020 1:11 pm
scoggnito reacted
(@nerimatrixx)
Posts: 26
Eminent Member
Topic starter
 
Posted by: @athulin

'We were given the following scenario' ... ?  Who are 'we', and who is the giver of this scenario? It sounds very much like some kind of class assignment, in which case it may easily be 'forensically and educationally unsound' to help.

If you are stating that it's "forensically and educationally unsound to help" students, then every profession would be dead. Why would universities have books? Why would we need the internet?

 

It's not a class assignment, no marks will be awarded. 

We formed a group in year one, we would scout the internet for image files to examine, or to replicate a demo from an article. Why do we do this?...because universities don't teach everything.

One of our members is now a Teacher's Aide, she posed the scenario to us.

 

 
Posted : 10/06/2020 5:22 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 
Posted by: @nerimatrixx

One of our members is now a Teacher's Aide, she posed the scenario to us. 

Maybe then you could point her to this thread, so that she can see the criticism and possibly take part in the discussion.

The ethical point about helping (or not helping) with (hypothetical) academic assignments is that generally speaking it is not a good thing to solve students' problems, the whole point why their teacher or professor asks them is because he/she wants them to answer with what they know (possibly learned in class) and not with someone else's knowledge.

Now, specifically, once eliminated the trivia, the basic question remains:

How do you make a forensic sound image of a computer?

I doubt (I actually hope) that anyone that has studied more than - say - one month (or took the most basic training or course) in digital forensics cannot answer properly this question. 

Here the question may have a twist, *like* :

How would you instruct Tesh to make a forensic sound image of a computer?

or:

Which software, tools and/or hardware would you teach Tesh to use to make a forensic sound image of a computer?

jaclaz

 
Posted : 10/06/2020 5:50 pm
(@nerimatrixx)
Posts: 26
Eminent Member
Topic starter
 

@jaclaz

I believe the locations and "soccer mom" were included to emphasize that onsite acquisition is not possible, and that the devices in Tesh's home have the average home-computer configurations; each device only has access to its own internal hard drive.

It is a fictional scenario, Doe already knows how he will be completing the task. The point is to give suggestions/alternative options to acquire the computer without changing its state.

We can assume that the computer has NOT been turned off, but was still in use. Both RAM and HDD should be acquired.

 
Posted : 10/06/2020 5:55 pm
(@nerimatrixx)
Posts: 26
Eminent Member
Topic starter
 
Posted by: @jaclaz

How would you instruct Tesh to make a forensic sound image of a computer?

or:

Which software, tools and/or hardware would you teach Tesh to use to make a forensic sound image of a computer?

That's it. The minute she installs anything on the computer means the evidence has been altered. A Prosecutor would FRY us for that.

We thought about guiding Tesh to remove the HDD, but that would be another challenge. Does she have the tools on hand? She would also require a SATA-USB cable (yes, we are assuming it's a SATA HDD).

 
Posted : 10/06/2020 6:09 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 
Posted by: @nerimatrixx

That's it. The minute she installs anything on the computer means the evidence has been altered. A Prosecutor would FRY us for that.

We thought about guiding Tesh to remove the HDD, but that would be another challenge. Does she have the tools on hand? She would also require a SATA-USB cable (yes, we are assuming it's a SATA HDD).

Sure, and that is where "forensic sound" boot disks (please read as CD/DVD and/or USB sticks) come in handy.

Of course Tesh will need to have a CD/DVD disk drive in her PC and/or get access to another computer to create the bootable USB stick (and of course she will need one of such USB sticks, but nowadays they can be found almost anywhere), and she will need anyway to have a (large) USB disk to store the image.

For the record, a (hypothetical) prosecutor would fry you anyway, since here it is not the case of a missing link of the chain of custody, but actually the missing initial link, the image acquisition process. (for all you know Tesh could send you an image of *any* computer or fiddle with it before imaging it)

You (actually Tesh) should point a webcam to the PC and record 24/7 starting NOW what happens on the computer, who comes near it, etc. to have a simil-valid acquisition process.

But if it is expected that a prosecutor will be involved, then choosing a UK freelance expert from Canada is a flawed decision anyway.

The possibility of RAM acquisition (again running a program from an external device) depends of course on the OS that is running, the act of running this program (if possible) will anyway leave some artifacts but those can be documented.

jaclaz

 
Posted : 10/06/2020 7:21 pm
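
The boot-disk acquisition discussed above, as an added example that is not part of any post in this thread: the source is hashed before and after imaging, and the image hash is written to a record that the receiving examiner can recompute. It assumes a Linux-based boot environment with GNU `dd` and `sha256sum`; the function names, file paths and log format are hypothetical, and a constructed file stands in for the disk.

```bash
#!/usr/bin/env bash
# Added example: image a source, hash before and after, keep a written record.
# A regular file stands in for the disk; all paths are constructed placeholders.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

acquire_image() {   # usage: acquire_image SOURCE IMAGE LOG
    acq_src=$1; acq_img=$2; acq_log=$3
    # Reference hash of the source, taken before anything is copied.
    acq_pre=$(sha256_of "$acq_src")
    # dd only reads from the source. bs=512 keeps sync padding from changing
    # the length of a source made of whole 512-byte sectors.
    dd if="$acq_src" of="$acq_img" bs=512 conv=noerror,sync 2>/dev/null || return 2
    acq_img_hash=$(sha256_of "$acq_img")
    # Hash the source again: a different value means it changed during imaging.
    acq_post=$(sha256_of "$acq_src")
    {
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$acq_src"
        echo "source_sha256_before=$acq_pre"
        echo "source_sha256_after=$acq_post"
        echo "image_sha256=$acq_img_hash"
    } > "$acq_log"
    [ "$acq_pre" = "$acq_img_hash" ] && [ "$acq_pre" = "$acq_post" ]
}

verify_image() {    # usage: verify_image IMAGE LOG  (run by the receiving examiner)
    ver_want=$(sed -n 's/^image_sha256=//p' "$2")
    ver_have=$(sha256_of "$1")
    [ -n "$ver_want" ] && [ "$ver_want" = "$ver_have" ]
}

# Demo on a constructed 16-sector "disk".
demo=$(mktemp -d)
head -c 8192 /dev/urandom > "$demo/disk.raw"
if acquire_image "$demo/disk.raw" "$demo/disk.img" "$demo/acquisition.log"; then
    echo "acquisition consistent"; cat "$demo/acquisition.log"
fi
verify_image "$demo/disk.img" "$demo/acquisition.log" && echo "image matches log"
rm -rf "$demo"
```

The hashes show that the image matches what was read and has not changed since; they say nothing about which computer was imaged or what happened to it beforehand.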
(@athulin)
Posts: 1157
Noble Member
 
Posted by: @nerimatrixx

If you are stating that it's "forensically and educationally unsound to help" students, then every profession would be dead.

I think you are missing the point. I suspected that you were posting a class assignment, and evaluated the situation from that perspective. While the 'assignment' may have appeared to be intended to give some kind of answer or list of ideas, ... it could just as well have been to get any students thinking for themselves, rather than go by text books, and any answers or ideas would be only uninteresting byproducts. Or it could have been as an evaluation of how well you had understood previous lessons and lecturer, and if you were able to apply that understanding.

In such a situation, providing a reasonably correct answer generally stops any individual thinking flat, and so is counter-productive. Giving an incorrect answer may be better because it may also start the thinking process. It might also get you into trouble from providing a wrong answer taken from a public Internet forum. That's more useful than is generally accepted. And in a diagnostic situation, it would be most unsound to try to help in any way.

You've already got this answer from other posters ... but as repetition is a valuable part of education I see little reason to withhold my reply.

 
Posted : 11/06/2020 11:16 am
(@trewmte)
Posts: 1877
Noble Member
 
Posted by: @nerimatrixx

Give suggestions on how Doe can ensure he gets a forensically-sound (does not alter any data) image of the computer. Tesh is willing to assist Doe in any way.

Further to other replies in this post. If you haven't already done so, SWGDE publish Best Practice Guides that might help you e.g. for defining the digital footprints you undertook during examination and acquisition? Such as:

2018-04-25 SWGDE Best Practices for Computer Forensic Acquisitions
https://drive.google.com/file/d/1KeEI1DUkSE2DSPZyPFEFIGfzbZS3-zZC/view

There are more Guides here - https://www.swgde.org/documents/published

 
Posted : 11/06/2020 1:10 pm
NeriMatrixx reacted