only conduct analysis on a copy of the data.
Fill evidence form, have IT manager signĪ bit-stream copy will clone a disk as another disk, resulting in a exact functioning replica disk, but a bit-stream image will copy all the exact data, but into a file instead - known as the image file THE FIRST RULE OF FORENSICS. Instruct interrogator/interviewer (or yourself) on what questions to ask and what answers should be. : to get a suspect to confess Role as an investigator: : conducted to collect info from witness / suspect Get keywords for disk forensics and sniffer. Consult corporate attorneys & upper management. Only initate investigation after approval from management. Network specialist who can perform log analysis and set up network sniffers. Tech specialist knowledgeable of the suspected compromised technical data. Computing investigator personnel to do disk forensics. Should be treated as criminal investigations. Writings to the attorney must contain a header stating "Privileged Legal Communication - Confidential Work Product". Minimize written communications with attorney. For unallocated data, use a tool to remove non-printable chars. %PARENTKEY ERROR PRODISCOVER BASIC SOFTWARE
Obtain appropriate software for proprietary non-plaintext formats.Use tools to extract data from registry.Compare hash signatures between original and recreated disks.Use different tools for disk drive images.Get a list of keywords & run keyword searches.Request memorandum from attorney directing to start the investigation.Attorneys like print outs of recovered data, but they need to be educated that digital evidence can be viewed on a computer ProDiscover Basic 6.5.0.0: Timestamp range: 2038, 2107 2174, 2242 2310, 2378 2399 (all ranges examined) Timestamps prior to, and sometime after 3000, are uniformly translated as 00:00, making it impossible to determine actual time for these ranges.extract all related e-mail address information using forensic software's keyword search.Obtain suspect's and victim's e-mail folder / data.access to e-mail server if e-mails are stored there.copy of offending e-mail with message header data.
Get proxy server log from network admin.Organization's Internet proxy server logs.Private-sector investigations Employee termination
Evidence tape to seal CD drive bays, I/O cable slots. Include generated report from the forensic analysis tools. Plan chain of custody - transport of evidence & in an approved secure evidence container. Determine preliminary design or approach.
0 kommentar(er)
