Re: [sleuthkit-users] What information is needed to do a digital forensic analysis? (was: RE: Exami
From: <Fra...@ps...> - 2006-11-20 18:30:43
My two cents. (I don't have my glasses so forgive my unproofed response.) This is something that I've not seen a lot of and feel this topic is overdue. As was stated before, getting to the disk and finding files is for most security professionals a no-brainer. This isn't where the problem exists. It's with the legal system and how specific forensic examinations should be done. There are a number of types of cases where the examiner needs to know what he should focus his examination on. I feel this is imperative. If for example you're given a computer and told "find something", you could be there for an extended amount of time spinning your wheels and billing hours of chargeable time to a case for very little result. That would be the purpose of the chain of custody prior to the forensic examination.

With the newly imaged drive the examiner can pretty much run tests to determine certain criteria on the system. As long as the original evidence can be used to make another image, and the defense or prosecution can use the original evidence and methods to recreate what has been discovered, then I personally see no reason why an examiner cannot be told there may be child porn on this drive. I think what's at question here is not so much the what as the how. How something was discovered. If you have a legal warrant and confiscate a suspect's computer, then that evidence would be used in that case for the purpose of determining if they can discover supporting data. This is a good reason why this type of forensic examination is very expensive. I would personally charge by the hour at $150 to $300 an hour for this type of work depending on the case. Nothing less. (rant: I don't really see the necessity of a CFE type of certification because it's not how you use the tools, it's how you've collected the data and followed the appropriate CoC.) All the certification in the world isn't going to provide you with enough knowledge as a good auditor. - That's just my two cents SANS.
Like the old adage, "it's not over till the paperwork is done". A good example would be in a non-criminal case. An investigation into whether someone is cheating on a spouse. You're given a computer and told "find something". In this type of case the forensic examiner would "need to know" that he's looking for any signs of a cheating spouse. I'm not an attorney, that's just my blurred two cents.

Frank Kenisky IV, CISSP, CISA, CISM
Information Technical Security Specialist
(210) 301-6433 - (210) 887-6985

"Svein Yngvar Willassen" <sv...@wi...>
Sent by: sle...@li...
11/20/2006 01:40 AM
To: <sle...@li...>
cc:
Subject: [sleuthkit-users] What information is needed to do a digital forensic analysis? (was: RE: Examining RAID-5 with only 1 drive)

> > The lawyer does not want to give us too many details. She thinks it
> > will damage our impartiality.
>
> This is interesting. In classic forensics, where the task can be explicitly defined, this attitude is appropriate. For example:
>
> - tell me if fingerprint A and B match
> - tell me if this hair comes from the same person as this blood sample
>
> I think the opposite is the case in digital forensics. In digital forensics, the task is (usually) to find the evidence, given a large heap of information. Say for example a 50 Gb hard drive. Since it is impossible for the investigator to know in advance what kind of evidence may be on the drive, he must imagine possible evidence items based on an assumption of what could be on the drive. Valid assumptions can in my opinion only be made if the investigator has access to all possible information about the case. After all, you only find what you look for.
>
> Any thoughts?
>
> Regards,
> Svein Willassen
> --
> Researcher
> Norwegian University of Science and Technology

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org