From: Rick T. <ri...@is...> - 2006-06-26 21:03:58
Not sure what happened here, but neither of the posts below is showing up in the archive. I'm resubmitting them for anyone who didn't get them.

Rick

--
Rick Tucker - HHS Project Manager - ri...@is...
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST) and OSSTMM Professional Security Analyst (OPSA) certification authority.

Stacey Bryden has posted a revision of the Chapter 8 lesson summary on the HHS discussion list. Please give her your comments and feedback. If you haven't signed up for the discussion list, you can do so on the HHS site.

-------- Original Message --------
Subject: Re: [ISECOM-HACKERHIGH-DISCUSS] Chapter 8 summary review from Rick Tucker
Date: Wed, 21 Jun 2006 11:38:14 -0700 (PDT)
From: im 414345 <im4...@ya...>
Reply-To: Discussion list for the Hackerhighschool Project <ise...@li...>
To: ise...@li...

I want to thank everyone for the feedback provided to me on my first draft efforts. I have attempted to meet all the comments and expand the summary as needed. Here is the modified version for your review.

Stacey

Summary:

Forensics has expanded to include all types of digital devices such as mobile phones, PDAs and more. While the scope of the field continues to expand, there are key elements that remain constant. Maintaining a structured approach to the process and ensuring adequate records are created is a cornerstone of all investigations. Failure to maintain proper documentation and chain of custody of evidence will have a negative impact on the outcome of a case. While forensics primarily focuses on retrieval of information from hard drives, CDs, and other digital media, there are other key sources such as firewall and IDS logs that are often included in the context of an investigation for event correlation.

Linux has become a primary operating system for performing forensic discovery for a variety of reasons, including the ability to recognize various file system types. Linux is widely accepted within commercial and law enforcement fields as the leading platform in forensic cases. This largely stems from the ability of Linux to understand and mount a wide variety of file system types, as well as its protective abilities: it can mount various media in read-only mode without requiring hardware intervention (such as jumper settings on hard drives that can be easily forgotten). This is not to say that Windows-based forensic tools are not utilized, for many organizations will at times use both system types. This can be to provide for corroboration of evidence, and also to provide for the technical knowledge of the investigators involved or organizational preference. The National Institute of Standards and Technology (NIST) has the Computer Forensic Tool Testing Project to independently test and evaluate the performance of write block tools and devices and disk imaging tools, providing a level of standards to assist investigators.

There are several issues that can be encountered in a forensic investigation. When the suspect has made attempts at avoiding recovery, encryption is often used to guard data; however, recovery can be possible through efforts such as brute force, dictionary attacks, and attempts with previously used passwords. Other common issues involve maintaining proper procedures for seizure, the chain of custody, and proper documentation. Without standard procedures and appropriate documentation, presenting evidence that could stand up in a court of law becomes difficult. Forensics is a constantly expanding field, with more digital evidence being collected to provide additional support on cases as varied as murder, harassment, hacking and more.
With the growing dependency on technology, more data is being generated, providing for more detailed assessments of events and supporting physical evidence in cases.

Assignment:

If you were given a case, where would you start? What evidence would you "tag and bag"? What procedures would you follow? What would you log?

Consider the potential for going to trial on the case. How would this affect the type of evidence gathered and the methods used? Would a trial affect the types of logs and the detail of the records that were kept? In the event of a trial appearance, would you be able to defend your work and discovery process with ease? Six months after the investigation has ended and you have worked other cases? A year? Would you be able to provide credible testimony with the records and detail level that were kept? If not, what additional efforts could be made to facilitate this effectively?
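As an added example (not part of the HHS lesson, Stacey's summary, or any ISECOM material), the shell sketch below ties two points of the summary together: mounting an image read-only with protective options, and recording a hash of the image at each handling step so the custody log itself shows the image was not altered. The image path, mount point and handler name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the HHS lesson: hash an evidence image at every handling
# step, build a protective read-only mount command, and check the custody log.

# Print the SHA-256 of a file; falls back to shasum where sha256sum is absent.
hash_image() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append one tab-separated custody entry: UTC time, handler, action, image, hash.
# Echoes the hash so the caller can compare it with earlier entries.
log_custody() {
    image=$1; action=$2; handler=$3; logfile=$4
    sum=$(hash_image "$image")
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$handler" "$action" "$image" "$sum" >> "$logfile"
    echo "$sum"
}

# Build the mount command with protective options: ro (no writes), loop (a file
# image rather than a device), noexec/nosuid/nodev (nothing on the image runs or
# acts as a device), noatime (no access-time updates). For ext3/ext4 images add
# noload so a journal replay cannot touch the image even though it is mounted ro.
mount_cmd() {
    image=$1; mountpoint=$2; fstype=${3:-}
    opts="ro,loop,noexec,nosuid,nodev,noatime"
    case "$fstype" in
        ext3|ext4) opts="$opts,noload" ;;
    esac
    printf 'mount%s -o %s %s %s\n' "${fstype:+ -t $fstype}" "$opts" "$image" "$mountpoint"
}

# Return 0 when the first and last recorded hashes for an image agree, 1 otherwise.
image_unchanged() {
    logfile=$1; image=$2
    first=$(grep -F "$image" "$logfile" | head -n 1 | cut -f5)
    last=$(grep -F "$image" "$logfile" | tail -n 1 | cut -f5)
    [ -n "$first" ] && [ "$first" = "$last" ]
}

# Hypothetical usage: log acquisition, print the mount command, log the return.
# log_custody /evidence/disk.dd acquired examiner custody.log
# mount_cmd /evidence/disk.dd /mnt/evidence ext4
```

A software read-only mount is a convenience, not a substitute for a tested write blocker; the hash comparison is what lets the record prove the image stayed intact either way.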