Guideline for EnCase workflow

44 Posts
13 Users
0 Reactions
5,488 Views
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Can I get all of you to append to this?
Maybe better wording, or "generalization"?

I think that I have two issues with this.

First, it presumes that you'll have unrestricted access to the medium. I, for one, have had a judge restrict access to specific kinds of operations and have had to provide justification for each of them. Some of these steps would not have been allowed in certain investigations. That makes me reluctant to suggest that all should be part of a standard procedure.

Second, the list is very specific for EnCase, which may not be a bad thing (given the Subject, but then maybe the Subject is).

But I think that there should be some abstraction from EnCase specific functions (and names), toward general objectives. For example, "Run Partition Finder" could be generalized to state "look for evidence that media had or had not been reformatted". In this way, it doesn't look as though the process were wedded to (and dependent upon) EnCase functionality and was, instead, dictated by the need to establish the parameters of the subject media.

You wouldn't want your investigative procedure to be dictated by the capabilities (and limitations) of the tool that you possessed.


   
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

Guideline… as in guide, not necessarily force into…

workflow… as in flow, including flow around, above, and under obstacles and variations.

I hope no one takes this list as set in stone, this is the only way.

It can be an excellent starting point for beginners on the other hand.

I just thought we can help out with the simpler workflow guideline. I have had quite a few people ask how do I do this or that, and if I could give them a general guideline.

Yes, there are presumptions, and variations, etc.

We can have a meeting about the meeting to discuss the meeting, or … start here.


   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
Topic starter  

Greetings,

It is amazing how far discussions can diverge from the original starting point. Tip of the hat to jhup for remembering where I started with this, and understanding that the words were selected with some care.

I think it would be rather hard to write up more generalized guidelines due to the incredible variety of cases that come our way. I think you could certainly make the guidelines tool agnostic, and there's some real benefit in doing so.

-David


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Guideline… as in guide, not necessarily force into…

Don't be so sensitive. There is a difference between what we would wish to be able to do and what we would be permitted to do. I was merely suggesting that in today's age of privacy concerns, you need to be able to justify why you want to look at specific things. The idea that you have unlimited access to the media is, in my experience, becoming antiquated.

So, rather than a simple guideline, I was suggesting (again, based upon my experiences with the courts), that you need to formulate what it is that you wish to examine and why it is important, as opposed to saying "run A then run B".

I have mentioned, before, that jurists are increasingly influenced by the recommendations of the Sedona Conference working groups and that these groups tend to take a more rigid view of what defines privacy.

As I have, professionally, been subjected to discovery motion challenges on the basis of Sedona Conference Working Group recommendations, my "contribution" to this discussion is that for each step you need to provide a justification for why such a step is a necessary component of your investigation and why it isn't an invasion of privacy. If you haven't encountered this (in the US), I humbly suggest that you will.


   
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

Eh, I am not sensitive. Alligators have Nivea-slathered skin compared to mine. lol I work with people whose primary language is not English, so definitions & clarification are always helpful.

… my "contribution" to this discussion is that for each step you need to provide a justification for why such a step is a necessary component of your investigation and why it isn't an invasion of privacy. …

An excellent suggestion seanmcl. Care to further expand your contribution, and make those justifications? wink

Can you share some additional details from the Sedona Conference Working Group regarding these?


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

An excellent suggestion seanmcl. Care to further expand your contribution, and make those justifications? wink

Can you share some additional details from the Sedona Conference Working Group regarding these?

Sure.

First, the Sedona Group is principally concerned with a uniform interpretation of the Federal Rules of Civil Procedure, recognizing that varying interpretations have led to conflicting rulings in different jurisdictions. Situations like these lead to forum shopping as well as uncertain outcomes based upon the jurisdiction in which the case is heard.

Among the issues that arise out of the latest revisions to the FRCP are the issues of hardship to the producing party, as well as production requests which are overly broad.

In the area of hardship and ESI, there seems to be a move toward those files which are readily accessible. Some courts have, for example, excluded backup tapes from discovery as the contents of these are not readily available. The same has applied to data stored in unallocated space.

Hardship can also apply to the cost to recover the information as well as the potential injury to the producing party, such as might occur if devices needed to be seized or shut down or the producing party alleges that there are irrelevant trade secrets which might be revealed during a forensic examination.

Another issue is that of privacy and the expectation of privacy. In some cases the courts have ruled that making a forensic copy of an individual's computer violates the user's expectation of privacy (including a famous case where someone found CP on a computer that had been discarded by the landlord which had belonged to an evicted tenant). In these cases, the court may permit a limited examination restricted to the logical rather than physical volumes or it may exclude the forensic evidence altogether.

There is also the notion of the "one bite of the apple" rule, which is that the requesting party gets one shot at formulating a discovery request and can't go back at another time. So, you don't go for the low hanging fruit with the "readily available" data and then, on the basis of that, go back and ask for a forensic examination (unless you can show that the producing party likely deliberately hid discoverable ESI from view).

The convergence of all of these seems to be heading toward a point where doing a complete forensic analysis of the subject media is an exception rather than the rule.

In part, the notion of a boilerplate for, say, EnCase plays right into the privacy concerns to which I alluded. To say that "in every case I do A then B then C" without justification for those steps creates the impression of using a shotgun to kill a mosquito.

There can be an exception, however. If the data are needed to establish the authenticity or authorship of the documents, then it may be requested and allowed. If the information from registry analysis, Internet history, scanning of unallocated space, etc., can be shown to be relevant, the courts are more likely to allow it or at least a less restrictive analysis.

The importance, however, is not simply to say that I did it because I could, but to be able to state the reasons why examining some aspect of the computer was necessary to establish the facts of the case.

The Sedona Conference is, after all, somewhat tilted in favor of the likely producing parties, which is why they are advocates for limiting ESI production requests. But some of the participants recognize that someday they will likely be plaintiffs so they aren't for completely curtailing the use of forensics in eDiscovery.

They simply want to be sure that digital forensics is not being used to create hardship or threaten the rights of their clients to privacy and the protection of their intellectual property or as part of a fishing expedition for the purposes of finding something actionable.


   
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

Very cool write up! Thank you.

Although I understand how they are relevant in cases, I think the point of a guideline still stands.

Maybe we can name it even looser to prevent misunderstanding, but it is up to David, as it is his thread. (Did you like how I "palmed it off"? twisted )

Much of the ESI activity I do is 'preventative' or pre-emptive. For example we are looking at implementing automagic holding of ESI for 60 days after separation. As you can see something like that would be an internal issue.

Interestingly, I have a meeting with our legal team tomorrow just about something relating to the "one bite of the apple" rule. I did not know it was called that, but the idea of the meeting is discussing my proposal of a "laundry list". It would allow our legal team to present the opposing side with the list, costs and time frames associated when demanded.

Obviously there are many issues to develop and work out, I still think having a … clue list? … would be highly beneficial.

I clearly recall 4 years ago (mid '07?) (different alias) we talked about this with jamie, Azrael, and others. It was called Open Forensic Methodology. I had to drop out of the group, but I was in there. (I wonder whatever happened to it…)


   
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

This was the draft outline from that discussion:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1737

The aim of this project is to create a document or set of documents that

* Encapsulate the key steps required in order to perform a "best practice" digital forensic examination on an item of physical evidence. This should cover, but not be restricted to:
o obtaining images of assorted hardware devices - disk, solid state devices, RAID etc.
o examining partition layout - partition tables, HPAs, partition types etc.
o examining file system artifacts - deleted files, alternate data streams, file date/time information
o encryption - best practice for finding and breaking encryption and steganography
o guidelines for the examination process - contemp note taking, evidence handling, checksums etc.
o examining application artifacts, to be broken down further into
+ Web browsers
+ E-mail
+ Instant messenger & chat
+ Databases
+ etc.
o Data carving
o Keyword skills
o Reporting - formats, wordings, guidelines etc.

And maybe additionally, include

* Codes of practice/ethics
* Billing/Contract guidelines/examples
* Exact method guidelines
* Legal guidelines with regard to key legal entities within certain jurisdictions - e.g. Data Protection Act UK, Computer Misuse Act UK etc.
* Checklists


   
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
 

1. Create case - Ensure that you have all relevant information - custodians, clients, case name, etc.
2. Add evidence - E01, LEFs, loose files, etc.
3. Confirm disk geometry, sector count, partitions.
4. Run Partition Finder if indicated
5. Run Recover Deleted Folders
6. Search case - hash and signature analysis
7. Run File Mounter - recursive, not persistent, create LEF, add LEF to case
8. Run Case Processor -> File Finder. Export results, add back in as LEF.
9. Search case - hash and signature analysis
10. Search for encrypted or protected files. Address as appropriate.
11. Extract registry hives
12. Index case.

Between 4 and 5 above, I would suggest viewing the timezone settings within the evidence and setting EnCase accordingly, otherwise your timestamps as displayed by EnCase could be out by 'x' number of hours.


   
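Fab4's note about the time-zone setting is the one step in that list where a wrong tool setting silently changes what the examiner sees without changing anything on disk. The following Python is added here as an illustration, not code from this thread or from EnCase: it decodes an NTFS FILETIME (which is stored as UTC) and renders it in the evidence machine's own zone using the ActiveTimeBias value Windows keeps under its SYSTEM hive's TimeZoneInformation key. The sample timestamp and bias values are constructed, and reading the bias out of the hive is assumed to have been done separately.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_utc(filetime: int) -> datetime:
    """Decode a 64-bit FILETIME as stored on disk into an aware UTC datetime."""
    if not 0 <= filetime < 2**64:
        raise ValueError("FILETIME out of range")
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_utc (aware datetime in); used to build the sample."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def bias_from_dword(raw: int) -> int:
    """ActiveTimeBias is a REG_DWORD holding signed minutes (UTC = local + bias);
    zones east of UTC therefore appear as large unsigned values in the hive."""
    return raw - 2**32 if raw & 0x80000000 else raw


def evidence_local_time(filetime: int, active_time_bias_dword: int) -> datetime:
    """Render a FILETIME in the evidence machine's own zone, derived from the
    ActiveTimeBias in its SYSTEM hive, not from the examiner workstation's clock."""
    bias = timedelta(minutes=bias_from_dword(active_time_bias_dword))
    return filetime_to_utc(filetime).astimezone(timezone(-bias))


def display_skew_hours(examiner_bias_dword: int, evidence_bias_dword: int) -> float:
    """Hours by which a displayed timestamp is off when the tool keeps the
    examiner's zone instead of the evidence's zone."""
    return (bias_from_dword(evidence_bias_dword) - bias_from_dword(examiner_bias_dword)) / 60


if __name__ == "__main__":
    # Constructed sample: one MFT timestamp and an ActiveTimeBias of 300
    # minutes (US Eastern Standard Time) as it would be read from the hive.
    sample_ft = utc_to_filetime(datetime(2011, 3, 15, 14, 30, tzinfo=timezone.utc))
    print("stored in MFT (UTC):", filetime_to_utc(sample_ft))
    print("evidence local time:", evidence_local_time(sample_ft, 300))
    print("skew if examiner box is on UTC:", display_skew_hours(0, 300), "h")
```

The skew function is the check to run before trusting any displayed time: if the evidence and workstation biases differ, every MFT timestamp EnCase shows is shifted by that many hours until the case setting is corrected.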
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
Topic starter  

Greetings,

Hey, I don't own the thread, information, concept, etc et al. This has been very informative for me. No palming it back off on me 'til next week ….

-David


   
Page 3 / 5