A Geek Raised by Wolves - Four Rules for Investigators
jessekornblum

Four Rules for Investigators [Jan. 6th, 2011|09:51 am]

For my Crash Course in Computer Forensics I came up with four rules to keep investigators out of big trouble. Obviously it's still possible to mess up when following these, but breaking any of them will be, to use the technical term, bad. What do you think? Are there other cardinal rules for computer forensics? Do these apply to any other fields?

1. Have a plan - What are you looking for? How do you know when you're done? If you don't find what you're looking for, how long are you prepared to spend on the search? Your plan doesn't have to be set in stone. It can change based on things you find.

2. Have permission - You must have permission to look at the data in question, and that permission must be granted by somebody who has the authority to give it. Sometimes this is cut and dried; the search warrant from the judge literally commands you to do something. But in a corporate environment it can be far more complicated.

3. Write down what you do - Take notes. Document what you're working on and what you do to it: make and model names, serial numbers, locations, procedures, imaging techniques, write blockers. Any time you touch a piece of original evidence, write it down.

4. Work on a copy - Once you've imaged your original evidence, lock it up. Only work on copies. You can't break something you're not touching.
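An added example, not part of the original post: a Python sketch of rules 3 and 4 working together. It hashes a constructed sample "image" before and after copying, so the working copy can be shown identical to the locked-up original, and appends every action to a plain-text custody log. The file names, the examiner name and the sample bytes are all made up for the demo; a real image would come from a write blocker and an imaging tool first.

```python
# Added example, not part of the original post: hash an evidence image before
# and after making a working copy (rule 4) and write every step to a custody
# log (rule 3). The "image" here is constructed sample data, not real evidence.
import hashlib
import io
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

ALGORITHMS = ("md5", "sha256")


def _hash_stream(stream) -> dict:
    """Feed a binary stream through several hashes in 1 MiB chunks, so a
    multi-gigabyte image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(1024 * 1024), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    """Hash an in-memory byte string (handy for tests and small artefacts)."""
    return _hash_stream(io.BytesIO(data))


def hash_file(path: Path) -> dict:
    """Hash a file on disk with the same algorithms."""
    with path.open("rb") as fh:
        return _hash_stream(fh)


def log_action(logfile: Path, examiner: str, action: str) -> None:
    """Rule 3: append one timestamped, attributed line per action taken."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    with logfile.open("a", encoding="utf-8") as fh:
        fh.write(f"{stamp} {examiner} {action}\n")


def make_working_copy(original: Path, copy: Path, logfile: Path, examiner: str) -> bool:
    """Rule 4: hash the original, copy it, hash the copy, and record whether
    the two match. Returns True only when every digest agrees."""
    before = hash_file(original)
    log_action(logfile, examiner,
               f"hashed original {original.name} sha256={before['sha256']}")
    shutil.copyfile(original, copy)
    after = hash_file(copy)
    verified = before == after
    log_action(logfile, examiner,
               f"copied to {copy.name} sha256={after['sha256']} "
               f"verified={'OK' if verified else 'MISMATCH'}")
    return verified


def demo() -> dict:
    """Constructed run: one clean working copy, then a copy that is altered
    after verification so the re-hash catches the change."""
    workdir = Path(tempfile.mkdtemp())
    original = workdir / "evidence.dd"  # constructed sample, not a real image
    original.write_bytes(b"\x00" * 4096 + b"constructed sample, not real evidence" + b"\xff" * 512)
    logfile = workdir / "custody.log"
    examiner = "examiner-A"  # hypothetical name

    clean_ok = make_working_copy(original, workdir / "working1.dd", logfile, examiner)

    altered = workdir / "working2.dd"
    make_working_copy(original, altered, logfile, examiner)
    with altered.open("r+b") as fh:  # simulate an accidental write to the copy
        fh.write(b"\x01")
    still_matches = hash_file(altered) == hash_file(original)
    log_action(logfile, examiner,
               f"re-hashed {altered.name} matches_original={still_matches}")

    return {
        "clean_copy_verified": clean_ok,
        "altered_copy_matches": still_matches,
        "log_entries": len(logfile.read_text(encoding="utf-8").splitlines()),
    }


if __name__ == "__main__":
    print(demo())
```

Two digests per file is a cheap habit: if anyone ever questions one algorithm, the other still ties the copy to the original. The altered second copy shows why you re-hash at the end of an examination as well as at the start; a copy that no longer matches tells you the analysis touched something, and the log tells you when.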

Comments:
From: cipherpunk
2011-01-06 04:28 pm (UTC)

Video recording. Consider physical forensics: if the evidence is uncontestable, lawyers will instead contest the professionalism of the people doing the evidence collection and/or conducting the analysis. The same techniques can be used to discredit digital evidence. Have a video record of all your interaction with original source material, from the time you enter the scene to the time the original evidence is locked up.
From: cipherpunk
2011-01-06 04:36 pm (UTC)

I feel like I should note that a lot of really good forensics work was done in the pre-video era. However, given how cheap video recording gear is nowadays and how much video can fit onto a single SDHC card, I think recommending video is a prudent nod towards modernity. This wouldn't have been practical ten years ago, but it's practical today, and only becoming more so.
From: jessekornblum
2011-01-07 01:04 pm (UTC)

I think videotaping an examination falls into the category of #3, which perhaps could be generalized as "record what you do," whether that's by taking notes, videotaping, audio recording, a script log, or some other means. But you make a good point. Video tape is cheap! (Even if it's not really tape any more...)
(Deleted comment)
(Deleted comment)
From: jessekornblum
2011-01-17 12:41 pm (UTC)

Be disappointed all you want. I've been thinking and, you know, working that day job thing.

Handling contraband is certainly a concern, but I'm not sure it's something unique to forensics investigations. It's a topic for system administrators, or really anybody who comes into contact with other people's data on a computer. Most of those behaviors are governed by law, not by judgement.
From: reboot_kid
2011-06-24 11:50 pm (UTC)

Got linked in over from Reddit.
One thing I'd suggest is "Have a clear escalation path."

This isn't so much a big deal when it's a court order. You're told exactly what to do, who receives the result of your research, etc.

When it's corporate work, it gets a bit nebulous. I've been tasked with going and checking to make sure that an employee isn't violating a financial ethics clause in their AUP. I discovered something very illegal. In this specific case, I had guidance to engage the corporate legal team, and we jointly contacted law enforcement.