Hello everyone, there seems to be a wide variety of culture on this forum, from prospective to educated, young to aged. I think it would be great for everyone to get to know some of your makes or breaks; I think it would be interesting to get to know the stories behind some of our examinations.
So if you feel comfortable, and have the time, please share any event in which you were the least/most successful.
This could range from loss of an entire drive to days of searching to finally fall upon a significant file.
Peace.
Huttie0,
While I'm trying to come up with something, I'd like to hear your story(ies)…
Considering I'm an undergraduate studying the field, I don't have much experience in it.
The worst thing that happened to me has been having a visual display in EnCase enabled and not understanding the reason why my hex viewer was set to big-endian and in groups of 4 bytes…
Mine would be my first case using a DD image with EnCase. I didn't realize at the time that EnCase does not automatically load the other dd images into the image set (like it does for E01 images). I spent a few hours wondering why everything I was looking at had no data in the view pane.
I finally realized what I had done while going to lunch. Needless to say, I never did that again.
Tom
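An added example (not from Tom's post, and not EnCase or any vendor code) of what that mistake looks like at the byte level: a split raw image is only meaningful when every segment is read in numeric order, so a verification script should enumerate the segments, refuse a set with a gap, and hash the whole sequence as one stream for comparison with the acquisition hash. The three-digit suffix convention (`disk.dd.001`, `disk.dd.002`, ...) and the tiny constructed segments are assumptions made for the demo.

```python
"""Assemble a split raw (dd) image set and verify it as one byte stream."""
import hashlib
import os
import re
import tempfile

# Assumed naming convention: <base>.<three-digit segment number>, e.g. disk.dd.001
SEGMENT_RE = re.compile(r"^(?P<base>.+?)\.(?P<num>\d{3})$")


def list_segments(directory, base):
    """Return the segment paths for `base` in numeric order.

    A missing segment is an error rather than something to skip silently:
    dropping one shifts every later offset, so the volume would parse as
    garbage (or, as in the post above, as empty views)."""
    found = {}
    for name in os.listdir(directory):
        m = SEGMENT_RE.match(name)
        if m and m.group("base") == base:
            found[int(m.group("num"))] = os.path.join(directory, name)
    if not found:
        raise FileNotFoundError(f"no segments for {base} in {directory}")
    expected = list(range(1, max(found) + 1))
    missing = [n for n in expected if n not in found]
    if missing:
        raise ValueError(f"missing segment numbers: {missing}")
    return [found[n] for n in expected]


def hash_segment_set(paths, chunk=1 << 20):
    """Hash the segments as one contiguous stream (what a tool that loads the
    whole set would see) and return (total_bytes, sha256 hex digest)."""
    h = hashlib.sha256()
    total = 0
    for p in paths:
        with open(p, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
                total += len(block)
    return total, h.hexdigest()


def build_demo_set(directory, base="disk.dd", segment_size=16, count=3):
    """Constructed sample data: write `count` small segments and return the
    size and sha256 of the full original, standing in for the acquisition hash."""
    data = bytes(range(segment_size * count))  # deterministic constructed content
    for i in range(count):
        path = os.path.join(directory, f"{base}.{i + 1:03d}")
        with open(path, "wb") as f:
            f.write(data[i * segment_size:(i + 1) * segment_size])
    return len(data), hashlib.sha256(data).hexdigest()


def run_demo():
    """End-to-end run on the constructed set; returns the facts worth checking."""
    with tempfile.TemporaryDirectory() as d:
        size, digest = build_demo_set(d)
        paths = list_segments(d, "disk.dd")
        whole = hash_segment_set(paths)        # all segments, in order
        first_only = hash_segment_set(paths[:1])  # the "only segment 001 loaded" case
        os.remove(paths[1])                    # simulate a missing middle segment
        try:
            list_segments(d, "disk.dd")
            gap_detected = False
        except ValueError:
            gap_detected = True
    return {
        "segments": len(paths),
        "whole_matches": whole == (size, digest),
        "first_only_bytes": first_only[0],
        "gap_detected": gap_detected,
    }


if __name__ == "__main__":
    print(run_demo())
```

Hashing only the first segment gives a different size and digest from the acquisition record, which is the quickest way to notice that a tool has loaded one file rather than the set.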
I've always found a great deal of success writing my own tools, be they Perl scripts, or ProScripts for use with ProDiscover. After creating my initial timeline tools, I had an opportunity to use them on a PCI forensic assessment case, and found a great deal of extremely valuable data. When I say "extremely valuable", I mean that I was able to very clearly show the window of exposure for credit card data, as well as provide a very detailed timeline of relevant activity.
In another PCI-related examination, detailed Registry analysis of multiple systems allowed me to illustrate to the customer (and hence to the PCI council) that while there was a small amount of PCI data on one server, it was highly likely that the intruder never found or opened the files. This appeared as a case study in chapter 8 of WFA 2/e.
Finding the entire questionable transaction in clear text located in the pagefile! This is why it is so important to treat certain levels of volatile data with urgency.
Most successful moment(s): Going over 8 hours without the "Dongle Removed" message in older versions of EnCase.
Least successful moment: Indexing a case with EnCase.
😉
I don't have a lot of stories, but certainly my most gratifying (and successful) one is as follows:
A young couple (late 20s) bought a new house. While a contractor was doing some follow-up work on the new house, he saw what appeared to be child porn displayed on a laptop that was sitting on a dining room counter. The image displayed what he described as a naked young man with a pageboy haircut, posed spread-eagle. He reported it to local law enforcement immediately. Both the man and his wife were elementary school teachers. The accusation, particularly if it were true, or left unresolved, would have been highly traumatic to their careers and their lives.
A search warrant was served and I ended up doing the forensic examination.
After a thorough exam, I found no evidence of child pornography on the laptop. What I did find were two photos, in a folder marked "Family Pictures", that appeared to be scans of an old picture, with titles that were the wife's name and a date about 20 years ago. The wife (about age 9 at the time) was naked, had a pageboy haircut, and appeared to have been photographed while dancing or something similar (the second image showed her standing on her head).
I know that a lot of families have pictures of their kids when they were small, naked or partially dressed. My own mother (now in her 80s) has a picture buried away somewhere of me in the bathtub at about 4 years of age. I suspected that this was a similar situation.
I exported the picture out of the EnCase image and provided it to the investigator. Consensus on the picture was that the image didn't show anything sexual in nature and didn't constitute child pornography. I asked the investigator to check with the witness and see if this was the image he was referring to. It was. No crime, no harm, no foul.
It was extremely gratifying to be able to clear someone of a charge that would have destroyed both of their lives.
Worst: While in the middle of nowhere, PA, at my company's biggest client, for a brief second I connected a hard drive adapter upside down (with the power live... ugh). Needless to say, the drive was toast, and at first I thought my career was as well. Long story short, I replaced the controller card and everything worked out, but not without getting a few of the bigwigs upset.
Best: I have plenty of those good moments, but one of the best was when a team of 4 other people and I imaged 100 desktops/laptops and 6 servers within 48 hours.
I am 22 and fairly new in my career. A rookie, if you will. But the moment that will forever stay with me as one of the BEST moments while analysing was my second solo case. It was on a topic that I had not read a lot about or had vast knowledge of, i.e. peer-to-peer downloading using LimeWire, Kazaa and so forth. It was an internal case, and I managed to understand how to do the investigation and successfully finish it. This helped me gain a lot of the confidence I needed. The worst moment for me was when I did not understand why FTK was not picking up my E01 images on my external HDD; after nearly an hour of sweating, I realised that I had not connected the power.