install an image from target HDD and run it in VMware, perhaps check to see for material from websites and analyse any Google Maps entries etc. if there are any to check?
Not sure about you, but lots of people, myself included, are tasked with something very similar: we don't know what's on the drive, but see what you can find.
And is that really as vague as I find it? Probably not – I suspect you can make a list of the 'somethings' you would be looking for, and even the order in which you would be looking for them. Now, I won't do that – it is the customer who tells me what they want me to search for. I can and will make suggestions, but they have to be agreed on before I start.
I've had sufficiently many cases where the customer thought there was something suspicious on the computer, but can't/won't express it (usually they are afraid of CP, but it's not really a suspicion – which would make it a LE case – merely a worst-case projection, but they don't really want to put it into words), and ask me if there is 'something suspicious'. I don't go into that kind of engagement anymore unless I have agreed on a list of questions that should be answered (and that can be answered!), and a rough time schedule or other cost limit. It usually ended up that whatever I found was not what the customer wanted me to find or feared I might find, so there had to be a repeat with better objectives than the first time – which is a waste of time, resources and effort.
I've simply learned to get those objectives and other pertinent information up front rather than at the end. Particularly with a first-time customer.
I would make multiple copies/images of every item and drive in the pile. At least 3 of each, but possibly more.
True, it would get cumbersome. But, given the inherent possibility of error under even the most ideal circumstances, the scope of the project, and the possible consequences of a mistake, it would be well worth it.
After that, I would be firmly in the "start looking and see what I can see" camp.
Dom
-should probably get back to finals prep.
It is that vague when you work in-house.
I concur with jhup. It is that vague. Door Kickers don't tell you how to do your job. They just tell you media capture circumstances.
Just hope you can get the media before it goes to the print labs (they will ruin your CDs), image everything, make backups, then start your forensic exam.
How many people here assume these bad guys use high-level security measures?
I would expect very high level security, with very safe passwords.
There's a difference between forensics for LE and forensics for intelligence's sake. LE needs evidence, so they can convict. Intel organizations don't need evidence (it's a nice-to-have), but can get very excited about findings that suggest something.
I'd be sure to let the forensic team communicate with the rest (caseworkers, analysts, etc) as often as possible, btw. And vice versa. (and no, that's not normal in most cases..).
- Roland
If you asked that you'd be dismissed from the case.
<snip>
How many people here assume these bad guys use high-level security measures?
</snip>
That is exactly what I was thinking when I first read about what they took from the compound… I would be very surprised if they did not use high-level security, and I would expect it to be implemented very well.
I do not know…
Physical security is much more known and used than computer security.
That is because it is tangible, and everyone can understand it. Burning one's trash makes sense. One can have things in there to read; it is obvious. Burning most of the time obliterates that reading material.
But, deleting files is … deleting, isn't it? What is "encryption"?
Furthermore, why did they decide that burning the trash is the best solution? I am thinking printouts. Lots of them; and incoming too. Which in turn implies less tech savvy too.
It is also suggested in reports that there was no Internet connection (although a tethered cell phone or satellite link would work), which further suggests less tech-savvy or tech-friendly.
I'm not sure I'd concur with that assessment; more probably they wanted to avoid interception of communications. I guess that's pretty tricky when you're America's Most Wanted. Sure, you could use an encrypted satellite link, but I presume doing that from an area where a high-value target is suspected to be hiding would be like painting a target on yourself.
I'd also be quite surprised if unencrypted media was used, but then again when you've got the full resources of the US government at your disposal you've got a better chance than most of us of finding a way round it. Perhaps in any case I'm overestimating the technical sophistication of these guys…