techmerlin
(@techmerlin)
Trusted Member
Joined: 20 years ago
Posts: 62
Topic starter  

I am curious: as a computer forensics expert, when you are examining a case, do you document all the files on the media even if you determine they are not part of the case? (E.g. Joe Who gives you a CD looking for pornography; there are 1000 files on the CD, 12 of which were determined, after looking through them, to be pornographic images, and the rest a mix of documents, DLL files, batch files and other system files.)

In your written report, would you document each one of these although you know they are not part of the case, or would you just include a file listing in the examining software's report (e.g. FTK)?

I have been doing a number of practice cases, and the amount of time that goes into documenting non-case-related files can be quite extensive. What I have been doing is creating the image of the media and then going through the files documenting them (e.g. what are they, when were they created/modified, are they password protected, and if they are an archive, what do they contain) before I get into the actual content of the files. This way I have a solid base of what I am working with, and then I go back over the files to see what they contain.

I am just trying to get a feel of what a seasoned expert does in live cases.


mseeley
(@mseeley)
Active Member
Joined: 21 years ago
Posts: 9
 

From my experience in report writing for assignments, I include a list of ALL evidence files and an SHA1 sum for each file.

Using the NIST list of known files, you can exclude known application and system files. This process will narrow the scope of your investigation a lot. I do not report on non-relevant files, as this would be both time consuming and irrelevant.

You want to do your sums to verify the integrity of the excluded files.


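The workflow described in the reply above (hash every evidence file, exclude those found in a known-file reference set such as the NIST list, and re-check the sums of what was excluded) as an added example, not code from either poster. The known-hash set and the sample "CD" contents are constructed inline; in practice the set would be loaded from the NSRL reference data, which is assumed here to be keyed by SHA-1.

```python
import hashlib
import tempfile
from pathlib import Path

def sha1_of(path: Path) -> str:
    """Stream the file through SHA-1 so large evidence files stay out of memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(root: Path, known_hashes: set[str]) -> dict[str, dict]:
    """List ALL files with SHA-1, size and mtime; mark known files as excluded."""
    listing = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha1_of(path)
        st = path.stat()
        listing[path.relative_to(root).as_posix()] = {
            "sha1": digest,
            "size": st.st_size,
            "mtime": st.st_mtime,
            "status": "known-excluded" if digest in known_hashes else "review",
        }
    return listing

def verify_excluded(root: Path, listing: dict[str, dict]) -> list[str]:
    """Re-hash the excluded files; return the names whose sum no longer matches."""
    return [name for name, rec in listing.items()
            if rec["status"] == "known-excluded"
            and sha1_of(root / name) != rec["sha1"]]

def build_sample_case() -> tuple[Path, set[str]]:
    """Constructed sample: a 'CD' holding a system DLL, a batch file and a document.
    The known set is built from the DLL here (a stand-in for the NSRL data)."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    (root / "WINDOWS").mkdir()
    (root / "WINDOWS" / "kernel32.dll").write_bytes(b"MZ" + b"\x00" * 64)
    (root / "autorun.bat").write_text("@echo off\r\n")
    (root / "letter.doc").write_text("Dear Joe, ...")
    known = {sha1_of(root / "WINDOWS" / "kernel32.dll")}
    return root, known

if __name__ == "__main__":
    case_root, known_set = build_sample_case()
    inv = inventory(case_root, known_set)
    for name, rec in inv.items():
        print(f"{rec['sha1']}  {rec['status']:15} {name}")
    print("integrity mismatches:", verify_excluded(case_root, inv))
```

The full listing (every file with its SHA-1) is what goes in the appendix; only the files left in "review" status need individual examination and narrative in the report.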
techmerlin
(@techmerlin)
Trusted Member
Joined: 20 years ago
Posts: 62
Topic starter  

Michael,

Thank you for your response. What forensics tool are you using (FTK, EnCase etc.)?

I see you are a fellow Canadian. Fleming, I know where you are.


mseeley
(@mseeley)
Active Member
Joined: 21 years ago
Posts: 9
 

Well met Techmerlin. Yes, I am using FTK at the moment. My fall curriculum will have me using more Linux-based tools though. Most likely, although not confirmed, I will be using the Helix suite.

I am anxious to use more automated tools. In the beginning of my studies, all recovery and analysis was done manually. I had to rebuild FAT tables and manually link clusters to get the data. Sometimes file headers were intentionally missing, or switched with the file footer, so you would need to identify the proper file header and edit the hex to allow the file to be read again.

After assignments with up to 5000 files, I was glad to use FTK. Hopefully, the Linux tools will be as versatile.


techmerlin
(@techmerlin)
Trusted Member
Joined: 20 years ago
Posts: 62
Topic starter  

Michael,

Are you doing the onsite or long-distance training at Fleming? I heard their studies are good. I was scheduled to take that course but ended up at a different training institute.


mseeley
(@mseeley)
Active Member
Joined: 21 years ago
Posts: 9
 

I'm taking my courses on campus. The labs are outfitted with everything you need to do pen-testing, IDS, IPS, firewalls, forensics, etc. It's about an hour and a quarter travel time each day for me, but well worth it!


nickfx
(@nickfx)
Estimable Member
Joined: 20 years ago
Posts: 131
 

Techmerlin,

In real-world cases you are often balancing 'complete' reporting against providing useful evidence for the legal team to use. Often when using FTK I allow the software to create the database of files and sometimes a complete directory list as well; you will find those options in the Report Wizard. However, although I use the Bookmark function to highlight key files, I always write a plain-English report that can be understood by an attorney or jury.

The 'complete' report from FTK, including the case log, can be used by the opposition to check my methods etc., but in my experience is hardly ever looked at. Focus on two areas. 1st, complete reporting of the case and the methods used; generally use software to achieve this (imagine annotating every file in my last case with 800 gig of data!). Then work hard on writing overview reports that explain the evidence clearly in language a jury will understand.

Cheers

Nick

