The Forensics Method
Contents
Forensic Soundness
- Defensible
- Repeatable
What about when things aren't forensically sound?
- What if you can't use a write blocker?
- What if access is time constrained?
- What if the computer is off?
Even if the evidence can only be collected with modifications to the source, it is still admissible provided those modifications are documented and the reasoning behind them is logical.
Principles of Handling Digital Evidence
- Follow all general forensics and procedural principles
  - e.g. be invited into the case
- Actions taken to obtain evidence should not change the evidence
- Access to the original digital evidence should only be permitted by a person trained for purpose.
- All activity relating to the seizure, access, storage or transfer of evidence must be documented
- An individual is responsible for all actions taken whilst digital evidence is in their possession
Need to go to the toilet? You need to put things back and document it.
Pre-seizure
Document the state of the room, i.e. how many computers, how many devices, and how many of those devices are switched on.
Lead Investigator
Ethics Investigator
Often an independent lawyer.
The ethics investigator is responsible for directing which assets and documents are part of the scope. Without explicit consent from the ethics investigator, an item cannot be seized.
Conflict
What if the lead investigator and the ethics investigator have different 'opinions'?
Probably don't work on the asset.
Seizure
Depending on the type of seizure method, certain parts/items may not be part of the scope.
For example, if a warrant concerns the emails in an Outlook desktop client, the system's Recycle Bin folder (and unallocated space) is not within the warrant's scope.
If a full image of the disk is required, the Recycle Bin folder will be included in the image, but it still cannot be used as evidence.
What if I can't seize everything in time?
e.g. the hard drive is too big to image in full?
Work Journals
Notes, general observations
Acquisition Sheets
Formal documents (later submitted)