What is "forensically sound"?

mark777
(@mark777)

With the default encryption and security methods proposed for the Microsoft Longhorn system that will no doubt be with us shortly, it is a good question to put, as it would appear that if, like now, we "pull the plug" on a running system the data it contains will most likely be unretrievable. It would seem likely that these will have to be examined in a running state.

Personally, "forensically sound" to me is an assessment of the situation, the reaching of reasonable and justifiable conclusions in respect of that situation, and the carrying out of whatever processes are necessary to retrieve the data in the best possible way.

All of the above must be fully recorded with the reasoning behind them, and hopefully at the end of the day you do what you think is best for all the right reasons and the courts and the other side agree with you.

(@yey365)

Hi guys.

Here goes with my two-pence-worth:

I would utilise my current toolkit to conduct a live collect on the network against the MAC or IP address of the target system in order to ascertain whether the "stolen" data is traversing the network, either originating from or going to the suspect system. The collect will also identify whether the web server has been compromised, as malware will be identified during this process. If the collect generates sufficient reasonable grounds to suspect the individual(s) using the suspect system are committing a breach of security, then it would mandate a system-level interrogation that I would employ either EE against or, preferably, I would use something like Helix to access the system that cannot be taken down and Netcat off the image to a remote storage device for later examination.

This whole process relates to having a forensic toolkit rather than reliance on one piece of software, and is fundamentally underpinned by the ACPO Guidelines, against which all work is undertaken.

As for what tool to use to do the initial network collect - I use an award-winning network forensics tool from an A-list company, though it is not EE.

Hope this goes some way to explaining an approach,

Jim
