I would process the case like I do any other. I would start by looking for "low hanging fruit"; Desktop Items, Documents, link files (as signposts), index.dat's, and the like.
The main difference would be that I would probably constantly be reporting on any tidbit of possibly relevant data so that someone might act on it before the enemy nullifies it.
I would process the case like I do any other.
Me too. I'd work to the instructions of the person/s who've requested I do the investigation.
I would determine how much of the disk is encrypted, then start on a plan.
No doubt much of what you want will be hidden in some form or another, so, you're handed drives from that compound, and told find me something.
What do you start off doing?
Ask the customer to *please* come up with a better project description than 'find something'. In the meantime, charge storage costs.
If I was responsible for the case?
Hire the top 20 Forensic Investigators, give them a copy of the data and make each work independently.
Once they have completed their analysis, then make them work together.
Then combine the 21 reports as the final analysis.
I would be delivering the coffee, tea, Jolt, doughnuts, pizza or Twinkies of course on a beckon.
No one has asked the actual "basic" question.
Which OS was that PC running (choose one)
- Windows (XP, Vista or 7)
- Linux
- OSX
jaclaz
Do you not look to establish that in all of your investigations jaclaz?
Isn't that a bit like saying that nobody has pointed out that you should clone the disk first.
Do you not look to establish that in all of your investigations jaclaz?
Isn't that a bit like saying that nobody has pointed out that you should clone the disk first.
I don't do investigations, sorry.
(and I did state it was a "basic" question)
The original idea was to provoke a quick laugh with things like
Sure, Bill Gates is as Evil as the guy, no wonder, M$ OS was used!
Oh, I thought that only the good guys would use Linux….
Secluded terrorists tend to use Mac OSX because they cannot have Windows Update…
But still think that professional investigators might have more or less familiarity with a given OS over another.
Like (this is serious!), what if he used BeOS (or Haiku OS) or Open Solaris and its ZFS?
How many can call themselves "familiar" with these?
What if there is a (closed source) Al-Qaeda OS (and/or crypted filesystem) no one knows anything about?
jaclaz
I will be posting a list of things and information of interest that could be looked for in the database, very shortly.
If you asked that you'd be dismissed from the case.
Not sure about you, but lots of people, myself included, are tasked with something very similar: we don't know what's on the drive, but see what you can find.