Friday, June 16, 2006

Case Issues

Sitting in my own little microcosm, my own little piece of the world, I tend to wonder sometimes if folks run into the same issues I do during a case, and if so, what they do about it...or, if not, what issues they do run into. I know lots of folks, in particular LEOs, don't usually discuss their cases, for fear of revealing too much information about the case...but for those willing to share bits and pieces of problems and solutions, I think that we could all benefit.

So, what are the issues you run into during live response (if you do live response)? Is it being surprised and unprepared? Is it not having the tools you need, either for collecting or analyzing evidence?

How about post-mortem investigations? What issues do you run into with regards to Windows systems?

One of the biggest things is that each case is different somehow...but I can guarantee you that somewhere, someone else has run into the same issues, and possibly come up with a solution.

As always, questions, comments, and concerns are welcome...


Atilla said...

Legal handing over a box of Fedex-ed laptop for forensic review.

Box torn open, and they tell me they could not find anyting on it... They turned it on, and "checked it" with Windows built-in search...

du212 said...

This would be a good book topic and I certainly wouldnt mind reading a book with example case studies...
Alas, I dont have the time (at the moment) to write further, i will comment the following outline for consideration:

Case of the Encrypted Disk
Case of the Wiped Drive
Case of the Backdated Word Doc
Case of the Pwd Protected Ediscovery Files
Case of the External USB Drive
Case of the 4 SATA 250 gig Drive Acquisition
Case of the Event Log-VPN connection Intrusion
Case of the Foreign Language Conversion
Case of the NSF to PST production
Case of the Metadata ediscovery search
Case of the Macintosh Analysis
Case of the Suspected Porn Review
Case of the Email Delta Production
Case of the Last User Activity
Case of the Emptied Recycle Bin
Case of the Web Access Intrusion

Keydet89 said...


Some of those sound really interesting. I wish you had time to elaborate on some of them.


Anonymous said...

Whilst new to the world of computer forensics (only been doing it now for a little over 12 months as a LEO), I note that apart from Encase Enterprise, and Prodiscover Incident Response (both two very expensive solutions) I have not located a tool that lets you conduct a text search of a live windows system at a physical disk level (ie. across active, deleted and unallocated disk space).

Attending warrants where it is not feasible to shut down an enterprise server, but still needing to conduct a search at the physical level to identify evidence meeting the terms of the warrant (hence permitting imaging of the server), I am suprised that no simple grep/command based tool exists that could be contained on a CD/Thumbdrive. Obviously such a tool would have to leave a minimal footprint, be windows/DOS based and minimise changes to system (such as MAC dates).

Please correct me if such a tool does exist.



Anonymous said...

You can use Diskprobe which comes as a part of the Microsoft Support Tools. It's a Disk-Editor, as far as I know no need to install, has a small footprint (~90 KB executable + some windows builtin dlls) and has the ability to search at the physical disk level, ascii and unicode supported. One drawback is that if you want to search unicode & ascii you have to search twice, it's either unicode OR ascii ...