Dear FF members, in my workplace there are several SOPs, some of which - let's just say it - I've been neglecting until recently.
Until now there has been no problem whatsoever, but could you guys be so kind as to point out if my way of doing things is wrong and I should have followed the SOP?
1. SOP: make an image of the evidence on a different HDD (new evidence means a new HDD).
What I've been doing (WIBD): make one pristine copy of several images (of the same case) on one HDD and make another working copy on a different HDD (several pieces of evidence from the same case on one HDD). Every time I make a working copy, I always do an md5sum comparison of target and source.
2. SOP: put the evidence from point 1 on the FRED, extract based on keywords or based on the client's request (usually some of them just request a full dump of the allocated space and carving of the unallocated).
WIBD:
extract unallocated from the image (blkls image.001 > target.unalloc) and carve the unallocated with foremost (foremost -v -T -i target.unalloc),
and extract the rest (the allocated) using simple mounting or FTK Imager.
I do it on my laptop; it takes some time on my laptop, but it beats walking back and forth to the FRED, because it's in a different building and not connected via LAN.
I've been doing this because more and more clients are asking me to dump everything instead of a keyword-based search, so I thought this way is much faster and I don't have to go over to the FRED so often.
I've never used blkls to dump the slack, though; probably starting now I will also carve from slack.
Question: as I said earlier, could you tell me if what I'm doing is wrong and I should have followed the SOP?
Edit: it is not really an SOP per se, not written in the company SOP and all; it's just how work is usually done here.
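As an added example (not part of the original post or any reply), here is a small POSIX shell wrapper for the two steps described above: the md5sum comparison of working copy against pristine copy before every carving run, and the blkls/foremost extraction of unallocated space and slack. It assumes The Sleuth Kit (blkls, mmls) and foremost are installed for the carving function only; the hash functions need just coreutils. The function names, the hash log, the `image.001` paths and the sector-offset argument are illustrative assumptions, not anything the poster described.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the workflow described in
# the thread: hash-verify the working copy against the pristine copy, then
# extract and carve unallocated space and slack. Needs coreutils for the hash
# step; blkls (The Sleuth Kit) and foremost only for carve_unalloc.
# File and function names are illustrative.

# Print "md5 sha256" for one file. MD5 is what the post compares; SHA-256 is
# recorded alongside it because MD5 collisions are practical today.
digest() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Return 0 if source and target have identical digests, 1 otherwise, and
# append both digests with a timestamp to a hash log so the comparison is
# on record for the case file ($3; defaults to /dev/null).
verify_copy() {
    src="$1"; dst="$2"; log="${3:-/dev/null}"
    src_d=$(digest "$src"); dst_d=$(digest "$dst")
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s SRC %s %s\n%s DST %s %s\n' "$now" "$src" "$src_d" \
        "$now" "$dst" "$dst_d" >> "$log"
    [ "$src_d" = "$dst_d" ]
}

# Extract unallocated blocks and slack from the working copy and carve them.
# Refuses to run if the working copy no longer matches the pristine copy.
#   $1 pristine image, $2 working image, $3 output directory,
#   $4 sector offset of the filesystem inside a whole-disk image
#      (0 for a partition image; find it with: mmls "$2")
carve_unalloc() {
    pristine="$1"; working="$2"; out="$3"; off="${4:-0}"
    mkdir -p "$out"
    if ! verify_copy "$pristine" "$working" "$out/hashes.log"; then
        echo "working copy does not match pristine copy, refusing to carve" >&2
        return 1
    fi
    blkls -o "$off" "$working" > "$out/unalloc.bin"      # unallocated blocks only
    blkls -s -o "$off" "$working" > "$out/slack.bin"     # slack space only
    foremost -v -T -i "$out/unalloc.bin" -o "$out/carve_unalloc"
    foremost -v -T -i "$out/slack.bin" -o "$out/carve_slack"
}

# Usage (comment only, so the file can be sourced without side effects):
#   . ./carve.sh
#   carve_unalloc /mnt/pristine/case42/image.001 \
#                 /mnt/working/case42/image.001 ~/case42/carve 2048
```

The refusal step is the part worth keeping even if the rest is replaced: a carving run against a working copy whose hash no longer matches the pristine copy produces output that cannot be tied back to the evidence, and the log line pair written by `verify_copy` is what lets you show later that the check was actually done.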
Dear jtingkir,
You've got us all confused here. There are SOPs for every process (i.e. acquisition, analysis, wiping, storage, etc.).
It isn't clear what your question is; however, if you need to adopt some SOPs that are well known for their practice, then I would recommend the SOPs from
If you are willing to adopt any ISO principles into your environment with regard to computer forensics acquisition, then I'd recommend ISO 27037.
I hope this answers your question.
… could you guys be so kind as to point out if my way of doing things is wrong and I should have followed the SOP.
The SOP, whatever it is (written or unwritten), is something your employer or department or whatever requires or expects you to follow, for reasons stated or unstated. Failure to follow it is also something that is handled by the same environment: it may be left unsaid, or it may, for example, be clearly stated that repeated infractions are grounds for dismissal. We don't know; you should.
1. SOP: make an image of the evidence on a different HDD (new evidence means a new HDD).
There are several reasons for doing so, but which apply in your case is something you will have to ask yourself or your own organization about.
One reason is to avoid having to hand over unrelated evidence to a second investigating instance. If you have images from CASE1 and CASE2 on a HDD, add an image from CASE3, and later discover that CASE3 contains contraband, say IIOC, what now? In the general case you obviously will have to hand over any HDD that contains that material to LE. How does that affect your ability to work on CASE1 and CASE2? Have you broken contract clauses related to CASE1 or CASE2, say, something about keeping the material secret? How will that damage your company directly (in damages to CASE1 and CASE2 principals) and in the future (tainted reputation for sloppy evidence handling), and possibly even your own credibility in other ongoing legal cases where you are involved?
You may not be waist deep in dung at the moment, but you appear to have taken a few steps closer to the sewage pool than anyone reasonably can wish.
2. SOP: put the evidence from point 1 on the FRED, extract based on keywords or based on the client's request (usually some of them just request a full dump of the allocated space and carving of the unallocated).
… I do it on my laptop; it takes some time on my laptop, but it beats walking back and forth to the FRED, because it's in a different building and not connected via LAN.
And now you may have that contraband on your laptop, and will have to hand that over to LE as well. Does that affect your ability to conduct business related to other investigations you do? Does it have any other unwanted effects?
Your company probably wants to keep business risks under control; your failure to follow your SOPs may have impaired that. This is almost certainly an incident in your company, that is, an unwanted event. Do you also do incident handling as part of your job? Risk identification, assessment, containment, mitigation, and everything else seems to be in order. How would you start that process?
Added: Yes, I've been in this neighbourhood myself.
However, you are on your way to becoming an expert in computer forensics. A wise man once defined an expert as someone who has made all the mistakes and errors possible within his particular area of expertise. Best of luck with the mistakes you have yet to make.