I suggested the following list based on the guidance in Chapter 7 of
http//www.forensicfocus.com/index.php?name=Downloads&d_op=viewdownloaddetails&lid=4&title=Electronic%20Crime%20Scene%20Investigation%20A%20Guide%20for%20First%20Responders%20(pdf)
General Information
Databases
E-Mail/notes/letters
Financial/asset records
Medical records
Telephone records
Specific Information
Account data
Accounting/bookkeeping software
Address books
Backdrops
Biographies
Birth certificates
Calendar
Chat logs
Check, currency, and money order images
Check cashing cards
Cloning software
Configuration files
Counterfeit money
Credit card generators
Credit card numbers
Credit card reader/writer
Credit card skimmers
Customer database/records
Customer information/credit card data
Date and time stamps
Diaries
Digital cameras/software/images
Driver’s license
Drug recipes
Electronic money
Electronic signatures
Erased Internet documents
ESN/MIN pair records
Executable programs
False financial transaction forms
False identification
Fictitious court documents
Fictitious gift certificates
Fictitious loan documents
Fictitious sales receipts
Fictitious vehicle registrations
Games
Graphic editing and viewing software
History log
“How to phreak” manuals
Images
Images of signatures
Image files of software certificates
Image players
Internet activity logs
Internet browser history/cache files
IP address and user name
IRC chat logs
Legal documents and wills
Movie files
Online financial institution access software
Online orders and trading information
Prescription form images
Records/documents of “testimonials”
Scanners/scanned signatures
Serial numbers
Social security cards
Software cracking information and utilities
Source code
Sports betting statistics
Stock transfer documents
System files and file slack
Temporary Internet files
User names
User-created directory and file names that classify copyrighted software
User-created directory and file names that classify images
Vehicle insurance and transfer documentation
Victim background research
Web activity at forgery sites
Web page advertising
It seems to me to be a strange mix of detail and higher-level subjects … What are opinions on this list? Are there things that shouldn't be there? Or are there things missing that should?
Feedback please :-)
That's some list, I agree it is a strange mix.
I wonder if we should discuss the creation of some surveys to be posted at various forensics forums.
Case types
Tool Capabilities
Qualifications/Education
etc
That's a really interesting idea - which forums ( other than this one ) would you suggest ?
A list of responsive and cooperative lists that I have used for a survey includes:
International Society of Forensic Computer Examiners (ISFCE)
International Association of Computer Investigative Specialists (IACIS)
FBI Director of Regional Computer Forensic Laboratories (RCFL)
High Tech Crime Consortium (HTCC)
Computer Forensic Investigators Digest (CFID)
If we generate multiple surveys, I’d suggest getting all the survey instruments in place and then asking for participation once.
As to the list, I actually think it is a good list of jobs that must be done. For each job, we need to identify the tasks that are required to complete the job. There is a lot of overlap of tasks between the listed jobs. A common one obviously would be acquisition of the evidence using some given tool. Another would be Examine Browser History, and Scalp/carve data from unallocated space, and so on. If you can examine browser history for “How to phreak” manuals, you can examine browser history for searching for “Movie files”.
I believe we’d be well served by taking advantage of the commonalities in tasks between each job. Of course, each job has specifics that are unique to that job, and also need to be identified.
Thoughts?
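The "carve data from unallocated space" task mentioned in the post above, as an added example that is not part of the original thread or of DECAF: a minimal header/footer signature carver in Python, run over a constructed byte blob standing in for unallocated space. The JPEG and PNG magic values are real; the signature table, the search window, the sample "files" and the report format are assumptions made here for illustration. A header with no matching footer inside its window (a partially overwritten file, or a stray magic value in random data) is deliberately skipped rather than carved to the end of the blob, and every carved object is hashed at carve time so the value can go straight into the examination notes.

```python
"""Signature-based file carving over a blob of unallocated space.

Added example, not DECAF or forum code. Header/footer values are the
real JPEG and PNG magic bytes; the sample blob below is constructed inline.
"""
import hashlib
from dataclasses import dataclass

# kind -> (header magic, footer magic, maximum bytes to search past the header)
# The 16 MiB window is an assumption; tune it per case.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 16 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xaeB`\x82", 16 * 1024 * 1024),
}


@dataclass(frozen=True)
class CarvedFile:
    kind: str
    offset: int      # byte offset of the header inside the blob
    length: int
    sha256: str      # recorded at carve time for the report / chain of custody
    data: bytes


def carve(blob: bytes, signatures=SIGNATURES) -> list[CarvedFile]:
    """Return every header..footer span found for each signature, sorted by offset.

    A header whose footer is not found inside the search window is skipped
    (only that header is skipped; scanning resumes one byte later).
    """
    found = []
    for kind, (header, footer, max_len) in signatures.items():
        pos = 0
        while (start := blob.find(header, pos)) != -1:
            window_end = min(len(blob), start + max_len)
            end = blob.find(footer, start + len(header), window_end)
            if end == -1:
                pos = start + 1          # no footer: stray or truncated header
                continue
            end += len(footer)
            data = blob[start:end]
            found.append(CarvedFile(kind, start, len(data),
                                    hashlib.sha256(data).hexdigest(), data))
            pos = end                    # resume after the carved object
    return sorted(found, key=lambda f: f.offset)


def report_lines(found: list[CarvedFile]) -> list[str]:
    """One tab-separated line per carved object, ready to paste into notes."""
    return [f"{f.kind}\toffset={f.offset}\tlength={f.length}\tsha256={f.sha256}"
            for f in found]


# --- constructed sample data: valid magic bytes around made-up bodies ---
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"<constructed jpeg body>" + b"\xff\xd9"
SAMPLE_PNG = SIGNATURES["png"][0] + b"<constructed png chunks>" + SIGNATURES["png"][1]
FILLER = b"\x00" * 64
STRAY_HEADER = b"\xff\xd8\xff"   # JPEG magic with no footer: must not be carved


def build_sample_blob() -> bytes:
    """A stand-in for a run of unallocated clusters containing two files and one stray header."""
    return FILLER + SAMPLE_JPEG + FILLER + STRAY_HEADER + FILLER + SAMPLE_PNG + FILLER


if __name__ == "__main__":
    for line in report_lines(carve(build_sample_blob())):
        print(line)
```

One caveat a practitioner would add before trusting such a carver on real JPEGs: an EXIF segment can embed a thumbnail that is itself a complete JPEG, so a plain footer search stops at the thumbnail's FF D9 and truncates the outer image. Production carvers (Scalpel, foremost and the carving modules in the commercial suites) handle this with format-aware rules rather than a bare header/footer pair, which is exactly the sort of per-task detail the framework's task list would need to capture.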
That is a good list … I really should try to get into some of those :-P
Do you think that it would be good to host one survey on a site somewhere and then send a link to it to all of the lists? Do we really want to do multiple surveys? I would have thought that one comprehensive survey would be more beneficial; however, there is obviously an attention span issue the longer (and more useful to us …) the survey gets …
Sure, one survey. I'd like to see it scrubbed well; one person will pick up things that another won't. Depending on what we need for results, there are some free places that will host surveys.
First off, I think this is a worthwhile project, even though I have been observing from the stands.
This observation may seem trivial to some! Since this project is about documenting a Forensic Methodology, I find the topic of Reports and Documentation strangely absent. I personally feel standards for Computer and Digital Forensic Reports and the supporting documentation would be extremely beneficial to the field in general.
I think this would be more beneficial than discussing all the facets of whether to pull the plug or not!
So, I'm on the official record, if one exists! I'm a plug puller, after all the pertinent relative information has been obtained!
> First off, I think this is a worthwhile project, even though I have been observing from the stands.
:-D
> This observation may seem trivial to some! Since this project is about documenting a Forensic Methodology, I find the topic of Reports and Documentation strangely absent. I personally feel standards for Computer and Digital Forensic Reports and the supporting documentation would be extremely beneficial to the field in general.
Ha … Not at all, this was in fact the reason that I started the concept: I was looking for a reporting standard akin to that in the OSSTMM, and it expanded from there.
The nice thing about the OSSTMM is that if you follow the entire thing from start to finish, and carry out all of the test areas, then all of the report is completed and comprehensive. That was kind of what I envisaged: that someone could pick up DECAF and go through it completing the tests or ignoring them (but at least making a conscious decision) and then it could be reported as (in loose terms)
"I followed DECAF guidelines, I found evidence according to Sections 1,5,7 and 9. The other sections either provided no evidence or were irrelevant to the case. Therefore I have completed a thorough investigation according to best practice. My results for the mentioned sections are as follows … "
I want to ensure that any examiner, no matter how green, can work within the framework on his/her case and be assured that they will have done a "Best Practice" job of it …
> I think this would be more beneficial than discussing all the facets of whether to pull the plug or not!
> So, I'm on the official record, if one exists! I'm a plug puller, after all the pertinent relative information has been obtained!
Oops, point taken.
From discussion here, elsewhere and feedback, it seems to stand as follows:
There are 4 ( four ) major sections
1) Acquisition
2) Examination
3) Reporting and Court Presentation
4) Ethics and Legal Considerations
Obviously these each break down substantially. So (1) should include both "Live" and "Dead" guidelines, and guidelines on making the choice as to which to use. (2) includes the Topics list above & more … (3) includes sample templates, and (4) suggests an Ethical standard that we should all uphold, similar to that in the OSSTMM or perhaps the (ISC)2 code of ethics.
So, less observing from the stands please :-)
How do you currently write up your reports? What have you seen in reports that you have read that you consider worthwhile, and conversely, what is a waste of electrons/paper?
I am new to this field and hope I am not talking out of turn. But I wonder if reverse engineering, so to speak, different types of reports/cases (e.g. Intellectual Property Theft Examination, Network Attack Examination, CP Examination, Cellphone Usage Examination, etc.) would be helpful in "shaking out" the framework content–all of the planning, procedures, pitfalls, techniques, and tools in each specific type of examination–all that would flesh out DECAF.
I can envision myself receiving an assignment from a client and consulting the Framework's Table of Contents, searching for "A Case of Data Theft from Employer" chapter or "A Case of Cellphone Fraud" chapter or "A Case of Embezzlement" chapter to find corresponding guidelines or "Best Practices" (i.e. Framework) for handling that type of case from start to finish. Then, I would tailor the topic-specific generic framework to my specific scenario.
Since this is a rather ominous and pervasive project, the DECAF project manager could parse out each topic (type of case) to those individuals that possess the specific expertise/experience to create a corresponding generic framework for each topic/type of case.
Any thoughts on this?
===============================================
As one frog said to the other "My how fun time is when you're having flies…"
> I am new to this field and hope I am not talking out of turn.
Of course not. All input is more than welcome !
> But I wonder if reverse engineering, so to speak, different types of reports/cases (e.g. Intellectual Property Theft Examination, Network Attack Examination, CP Examination, Cellphone Usage Examination, etc.) would be helpful in "shaking out" the framework content–all of the planning, procedures, pitfalls, techniques, and tools in each specific type of examination–all that would flesh out DECAF.
> I can envision myself receiving an assignment from a client and consulting the Framework's Table of Contents, searching for "A Case of Data Theft from Employer" chapter or "A Case of Cellphone Fraud" chapter or "A Case of Embezzlement" chapter to find corresponding guidelines or "Best Practices" (i.e. Framework) for handling that type of case from start to finish. Then, I would tailor the topic-specific generic framework to my specific scenario.
I agree with this in large part, although I think that, as so many of the tasks are common between the different case scenarios, a table cross-referencing the relevant sections within the remainder of the document, kind of like an uber-index, would work better. This would avoid needless repetition, and also improve consistency.
> Since this is a rather ominous and pervasive project, the DECAF project manager could parse out each topic (type of case) to those individuals that possess the specific expertise/experience to create a corresponding generic framework for each topic/type of case.
I think that perhaps farming out each area of expertise to the relevant person would be wise, although to do this would perhaps require a better knowledge of all of the individuals involved who have put their names forward so far … In some cases all I have is a name and a pledge of support! I do have access to a Project Manager who has agreed to deal with this on a professional level, and I am bringing her up to speed, amongst her other commitments.