First forensics work – Part 1 Organized chaos and panic

48次阅读
没有评论

You’ve taken the plunge. You want to work in digital forensics. Congratulations. You’ve told your boss of this interest, managed to get some forensics training (SANS FOR508 of course! ) and hyped up the type of things you would be able to accomplish. You feel good about yourself.

Until now.

Two months after your course.

And you haven’t had time to practice anything, let alone review the material.

The situation: You were called in and asked to use all of these new skills to help solve a problem. And the pressure is on, as they want some answers by the end of the day. Now you are wondering why did I tell them I wanted to do this again?

Don’t panic.

You can do this. We’ve all been there. All you need is a little help from your friends.

The goal of this series is to help guide you through a case, and provide suggestions on how you would go about attacking the problems you will face. So let’s get down to business.

Probably one of the easiest tasks is acquiring the images from computers you can walk up to and physically touch. And the easiest way I have found to do this is with the Helix 3 PRO program that comes with the Forensics 508 classes now. Pop the DVD into the computer in question, attach a USB drive and launch Helix.

Helix will allow you to image the hard disk, create the hashes, and the chain of custody forms for you all with the click of a button. The latter two being little things that you may forget to do right away or at all.

One final thing you need to remember at all times, is to take notes of what you are doing, where you are doing it and when. This will save you time later when, for example, you need to remember if you typed a command or not. Even those fat finger mistakes. Make sure you note it. It makes it so much easier when you need to dig deep later.

Next up, Part 2: Imaging those remote systems.

Jonathan works as a Senior Technical Specialist in IT Security for the Canadian federal government. He is a SANS mentor, a GIAC question writer and he holds numerous certifications including GCFA and GWAN. When not working, his spare time is filled by his 3 young daughters.

正文完
 0
评论(没有评论)