Forensic Procedures - PowerPoint PPT Presentation

Slides: 9
Provided by: ops68

Transcript and Presenter's Notes


1
Forensic Procedures
  • 1. Assess the situation and understand what type
    of incident or crime is to be investigated.
  • 2. Obtain senior management approval to proceed
    with an investigation.

2
Forensic Procedures
  • 3. Carry out procedures to freeze the audit trail,
    e.g., sending a court order to the Internet
    service provider (ISP) to provide access to the
    suspect's Internet data, copying emails,
    imaging hard disks, identifying remote storage
    and imaging the relevant disks and
    RAM. In some cases, a warrant is necessary. The
    organization's lawyers should be
    consulted with respect to police involvement.

3
Forensic Procedures
  • 4. Apply packet sniffing.
  • 5. Review system logs.
  • 6. Determine other equipment and software needed
    to carry out the investigation.
  • 7. Apply special software like EnCase to recover
    erased data.

4
Forensic Procedures
  • 8. Avoid shutting down the suspected computers;
    connect an uninterruptible power supply
    (UPS) to keep the computer on, so as to prevent
    loss of data or system audit trail. If a
    UPS is not available and the computer has to be
    moved, unplug it instead of using the
    operating system to shut it down; unplugging
    will involve less interference with the
    audit trail.

5
Forensic Procedures
  • 9. Scan imaged drives and copied emails for
    viruses.
  • 10. Back up the evidence.
  • 11. Use the organization's PKI key recovery
    process to decrypt files. If that does not
    work, use password cracking software to obtain
    the password for the encryption key.

6
Forensic Procedures
  • 12. Boot the captured or suspected computers
    with an external boot disk instead of using
    the computer's operating system to avoid loss
    of audit tra
  • 13. Document the full sequence of events, all
    interviews, the time spent by each investigator and
    the work performed by each investigator.
  • 14. Maintain arm's length from the people being
    investigated, the requester of the investigation,
    the approver of the investigation and people who
    provide information
    to investigators, to avoid conflicts of
    interest.

7
Forensic Procedures
  • 15. Continuously assess the need to communicate
    with the law department, senior
    management and the police.
  • 16. Do not communicate information about the
    investigation using postal mail or an
    unencrypted electronic medium.
  • 17. Be a patient listener, ask open questions,
    make others comfortable in talking to
    you, and take copious notes.

8
  • 18. Safeguard the investigation files with
    encryption and physical measures.
  • 19. Keep all evidence for a case, including
    electronic media, together as a complete audit trail,
    with proper cross-references to source, date,
    sequence of events, etc.
  • 20. Dispose of unneeded electronic evidence by
    using the organization's approved data wiping
    software and standard procedures, including, if
    necessary, corporate-approved
    vendors for media storage, backup and
    destruction.
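
Steps 10, 13 and 19 (back up the evidence, document who did what, and keep cross-references to source, date and sequence) can be supported by a small evidence register. The following is an added example, not part of the original slides: the use of SHA-256 to confirm that a backup matches the imaged item is an assumption of this example, and the class name, field names and sample files are hypothetical and constructed for illustration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

class EvidenceRegister:
    """One entry per evidence item; field layout is hypothetical."""
    def __init__(self):
        self.entries = []

    def add(self, path, source, investigator, acquired=None):
        entry = {
            "seq": len(self.entries) + 1,          # sequence of events (step 19)
            "file": os.path.basename(path),
            "source": source,                      # where the item came from
            "investigator": investigator,          # who performed the work (step 13)
            "acquired_utc": acquired
                or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "sha256": sha256_file(path),           # assumption: SHA-256 as the fingerprint
        }
        self.entries.append(entry)
        return entry

    def verify_copy(self, seq, copy_path):
        """True only if the backup is bit-for-bit identical to the registered item."""
        return self.entries[seq - 1]["sha256"] == sha256_file(copy_path)

def demo():
    # Constructed sample data standing in for a disk image and two copies of it.
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "disk01.img")
        good = os.path.join(d, "disk01.backup.img")
        bad = os.path.join(d, "disk01.altered.img")
        data = b"constructed sample image bytes" * 1000
        for p, content in ((image, data), (good, data), (bad, data[:-1] + b"X")):
            with open(p, "wb") as f:
                f.write(content)
        reg = EvidenceRegister()
        e = reg.add(image, source="workstation A, internal disk",
                    investigator="investigator 1")
        return (e["seq"], reg.verify_copy(1, good), reg.verify_copy(1, bad),
                json.dumps(reg.entries, indent=2))

if __name__ == "__main__":
    print(demo()[3])
```

A backup that fails `verify_copy` differs from the registered item and should be re-made from the original before it is relied on.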