Strategy for a massive investigation

RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
 

I would start with a three step process of getting priorities for resource planning (runtime of server load) out of a triage of what key findings we search for, probability to find and risk to fail evidence. These three factors resume in combinations to feed the triage. After this allocation of people, engines and analysis software should be more easy.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I would start with a three step process of getting priorities for resource planning (runtime of server load) out of a triage of what key findings we search for, probability to find and risk to fail evidence. These three factors resume in combinations to feed the triage. After this allocation of people, engines and analysis software should be more easy.

If I get this right?, the three steps/factors are
1) what key findings we search for
2) probability to find
3) risk to fail evidence

But HOW do you evaluate them? 😯
And with which metrics do you measure them?

And once you have correctly evaluated them, let's say they are
1) something very easy
2) very high
3) very low

What changes in the procedure when compared to (say)
1) something moderately difficult
2) average
3) probable

jaclaz


trewmte
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Hi all,

Let's assume you received hundreds of thousands of digital forensics materials. What would be your strategy? Would it be really different from your routine or you'd change your SOPs?

Regards

I have worked on several investigations where there is a large volume of digital devices and network based evidence has been involved.

This really is a wide open question because there are so many ways to offer theoretical or practical observations. This is because there are so many different interpretations and understanding of labels being given to standard operating procedures.

In civil investigation much has been said about the trio involved in small or large scale investigations:

- collecting,
- analysing
- presenting digital evidence

However, what is actually meant by "collecting"? Are we to take it that collecting means extracting and harvesting data from a digital device or does it mean the ordinary word to bring or gather together? It adds further confusion if collecting actually means seizure, not only in the ordinary meaning of the word applied to it but also under (civil/criminal) legal constraints.

If we say collecting is supposed to mean seizure then why follow collecting (seizure) immediately with analysing? Where is the examination process?

What is clear is that if your SOPs are based upon micro-to-small quantities of seized items, then it is unlikely those SOPs can be used for a large scale investigation (so some routines will change) without that change at least being reflected through modification of the existing SOPs or, which is highly possible, creating new SOPs.

I agree with the comment above about triage being an important part. Indeed triage has one foot in the camp of "analysis".


jpickens
(@jpickens)
Estimable Member
Joined: 18 years ago
Posts: 130
 

Yes, if there is that much evidence, physical or digital, my first approach would be to design a way to build an effective evidence inventory and COC for all items in a database or similar manner. I would assume most teams/labs are not equipped for a task that large, so this would be custom-built.

Do all the analysis you want, but if there's an issue w/ evidence tracking, you could be throwing away time, money and reputation.

From there, I have asked counsel to prioritize analysis (with my input) and then proceeded from there.

Oh, and hire some folk to help out.


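jpickens' point about an evidence inventory and chain of custody (COC) kept in a database can be made concrete. What follows is an added example, not code from this thread or from any of its posters: a minimal SQLite inventory with a SHA-256 integrity hash per item, a current custodian, a priority field that counsel can set, and a hash-chained custody log so that an edit to the log itself is detectable. Item identifiers, actor names and the sample bytes are constructed for illustration and stand in for real disk images and extractions.

```python
"""Evidence inventory + hash-chained chain-of-custody log in SQLite.

Added example with constructed data; the item IDs, actors and bytes
below are hypothetical and not taken from any real investigation.
"""
import hashlib
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS item (
    item_id     TEXT PRIMARY KEY,
    description TEXT NOT NULL,
    sha256      TEXT NOT NULL,           -- hash of the acquired data
    priority    INTEGER NOT NULL DEFAULT 0,
    custodian   TEXT NOT NULL            -- who currently holds the item
);
CREATE TABLE IF NOT EXISTS custody (
    seq        INTEGER PRIMARY KEY AUTOINCREMENT,
    item_id    TEXT NOT NULL,
    ts         TEXT NOT NULL,
    actor      TEXT NOT NULL,
    action     TEXT NOT NULL,
    note       TEXT,
    prev_hash  TEXT NOT NULL,            -- entry_hash of the previous row
    entry_hash TEXT NOT NULL             -- chains this row to the last one
);
"""
GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    return con


def _entry_hash(prev_hash, item_id, ts, actor, action, note) -> str:
    return sha256_hex(f"{prev_hash}|{item_id}|{ts}|{actor}|{action}|{note or ''}".encode())


def _log(con, item_id, actor, action, note=None):
    """Append one custody entry, chained to the previous entry's hash."""
    prev = con.execute("SELECT entry_hash FROM custody ORDER BY seq DESC LIMIT 1").fetchone()
    prev_hash = prev[0] if prev else GENESIS
    ts = datetime.now(timezone.utc).isoformat()
    con.execute(
        "INSERT INTO custody(item_id, ts, actor, action, note, prev_hash, entry_hash)"
        " VALUES (?,?,?,?,?,?,?)",
        (item_id, ts, actor, action, note, prev_hash,
         _entry_hash(prev_hash, item_id, ts, actor, action, note)))


def register_item(con, item_id, description, data: bytes, actor) -> str:
    digest = sha256_hex(data)
    con.execute("INSERT INTO item(item_id, description, sha256, custodian) VALUES (?,?,?,?)",
                (item_id, description, digest, actor))
    _log(con, item_id, actor, "registered", f"sha256={digest}")
    con.commit()
    return digest


def transfer(con, item_id, from_actor, to_actor, note=None):
    """Hand-over is only valid if from_actor is the recorded custodian."""
    row = con.execute("SELECT custodian FROM item WHERE item_id=?", (item_id,)).fetchone()
    if row is None:
        raise KeyError(item_id)
    if row[0] != from_actor:
        raise ValueError(f"{item_id}: custodian is {row[0]}, not {from_actor}")
    con.execute("UPDATE item SET custodian=? WHERE item_id=?", (to_actor, item_id))
    _log(con, item_id, from_actor, f"transferred to {to_actor}", note)
    con.commit()


def set_priority(con, item_id, priority: int, actor, note=None):
    con.execute("UPDATE item SET priority=? WHERE item_id=?", (priority, item_id))
    _log(con, item_id, actor, f"priority set to {priority}", note)
    con.commit()


def verify(con, item_id, data: bytes) -> bool:
    """Re-hash the data and compare with the hash recorded at registration."""
    row = con.execute("SELECT sha256 FROM item WHERE item_id=?", (item_id,)).fetchone()
    if row is None:
        return False
    ok = row[0] == sha256_hex(data)
    _log(con, item_id, "system", "verified" if ok else "VERIFY FAILED")
    con.commit()
    return ok


def audit_log(con) -> bool:
    """Recompute the hash chain; False if any row was altered or removed."""
    prev = GENESIS
    for item_id, ts, actor, action, note, prev_hash, entry_hash in con.execute(
            "SELECT item_id, ts, actor, action, note, prev_hash, entry_hash"
            " FROM custody ORDER BY seq"):
        if prev_hash != prev or _entry_hash(prev, item_id, ts, actor, action, note) != entry_hash:
            return False
        prev = entry_hash
    return True


def work_queue(con):
    """Items in the order analysts should pick them up (highest priority first)."""
    return [r[0] for r in con.execute("SELECT item_id FROM item ORDER BY priority DESC, item_id")]


def demo():
    con = open_db()
    img = b"constructed sample bytes standing in for a laptop HDD image"
    register_item(con, "EX-0001", "laptop HDD image", img, "examiner.a")
    register_item(con, "EX-0002", "phone extraction", b"constructed phone data", "examiner.a")
    set_priority(con, "EX-0001", 10, "counsel", "ranked by counsel")
    transfer(con, "EX-0001", "examiner.a", "examiner.b", "handed over for analysis")
    ok = verify(con, "EX-0001", img)            # True
    bad = verify(con, "EX-0001", img + b"x")    # False, and logged
    clean = audit_log(con)                      # True: chain intact
    con.execute("UPDATE custody SET note='edited' WHERE seq=1")  # simulate tampering
    return {"queue": work_queue(con), "ok": ok, "bad": bad,
            "clean": clean, "after_tamper": audit_log(con), "con": con}
```

Hashing at registration and re-verifying before analysis is what lets the hash value, rather than a person's memory, answer "is this the same data we seized?"; the chained log means a deleted or edited custody row breaks every later hash, so an auditor can spot it without trusting the database file itself.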