No doubt much of what you want will be hidden in some form or another, so, you're handed drives from that compound, and told, "Find me something."
What do you start off doing?
(Please avoid all the depends on this or depends on that, whether I'm asked for this or whatever else, and just give what YOU would do if you're given the drives and the boss, officer, (whomever is in charge) gives you the green light to scour the drive)
I would start by finding someone that can interpret Arabic… 😉
I would start by not having any preconceptions (or making any assumptions, for that matter) with regards to what there may be or may not be in there.
Then I would make myself some frappe coffee, open up a new packet of ciggies, make sure my playlist's loaded, speakers on full, put my wizard hat and robe on (old IRC joke)….
Need I go on?
I'd imagine you'd need more than just someone who can do that, I think you'd be looking at up to 4 different languages, but probably mainly 2.
If you, Mike, happen to speak that language, what do you do then?
Sure, go on.
Ok, I'll byte…
I would follow my own/company's/organisation's established protocol and deal with the case as I would deal with any other forensic cases that came my way and see where my investigation leads me.
Are you in any way suggesting a different approach should be taken, and if so what would you change and in what way, keeping in mind we want to be objective, sensible and not be influenced by emotions?
PS The frappe coffee and ciggie are true in my case, though the rest should be construed as an attempt to crack a joke, here. :-)
I'm only suggesting what I put in the OP and looking to hear what others take from that.
It could be that in your case you approach it the same as you do everything else. You process in the computer, you do evidence logs, and all related. Or maybe you feel that there are lives at stake from possible repercussions and that it will never see the light of a court, so you forgo formalities and, as FTK says, "Go straight into the case." Maybe from your own interests and reading/viewing you know that steg has been used before, so pulling out this tool over that tool will help.
The answer is totally up to you and you can't have any points deducted.
Assuming fingerprint/DNA has already been carried out, examine for any signs of physical dead-man traps.
Do you remember the old Jolly Rogers Cookbook?
Actually, The Register has a very interesting article on this topic.
One of the most interesting sets of points in it is the following:
"Given the deliberate isolation of the Bin Laden home from any form of electronic communication which might have been intercepted, the recovered computers are likely only to contain material coming in and out by courier on thumb drives or CDs."
The above could be one avenue for someone to pursue.
Given the reg's usual forthright attitude to CF and LE, I'm not really given to take their advice. They're normally quite wrong.
I'd do what I normally do, see what the aims of the investigation were, see what area I had been assigned to (because you know there's more than one examiner doing each device) and analyse it to the best of my abilities, bearing in mind that I should be aware that this is a very high profile target and has probably employed at least some anti-forensic wizardry, if not an EnCase client-side attack (yes, some versions are vulnerable).