Hardware & software
Data acquisition, particularly preserving volatile data, will be foremost in the mind of the digital forensics investigator upon arrival at the scene of the incident.
If the machines are running, and particularly if they must not be shut down because they support a core business function, volatile information such as the contents of RAM must be captured from the live machine. USB drives loaded with live-acquisition tools are important for capturing this information. To image RAM on a Windows machine, the USB drives should contain WinEn. WinAcq should be included for a live Windows acquisition, and MacLockPick for acquiring data from live Macintosh and Linux platforms (Bunting, 2012, p. 96).
The investigator should have a dedicated incident computer housed in a rugged case, such as those made by Pelican® (Gogolin, 2013, p. 16). If resources allow, a spare response computer is suggested (Bunting, 2012, p. 96). A hardware disk imager is recommended (Gogolin, 2013, p. 16), although disk imaging capabilities are also present in certain forensic software (see below). A hardware write-blocker is recommended; software write-blockers are also available (see e.g., Lyle, 2006), but because they depend on the host operating system honouring them, they should be validated on the response computer before being relied upon at a scene.
An imager for mobile devices, such as the Cellebrite UFED Mobile Forensic Toolkit, should be included. Forensically wiped hard drives are necessary as imaging targets, particularly if a compromised machine is part of a larger network and cannot be removed. Cables for all of the investigator's hardware are required. Additional cables for any device that may be encountered are suggested, including power cables and a power strip.
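A target drive should be confirmed wiped before an image is written onto it, so that nothing from a previous case can be mistaken for evidence. The following is an added example (not code from the page or from the cited authors) that streams through a drive or image file, reports the first byte that does not match the wipe pattern, and records a SHA-256 of the whole target for the acquisition notes. It assumes the wipe wrote all-zero bytes, which is the default pattern of most wipe tools; the `fill` parameter covers other single-byte patterns. The device path (for example `/dev/sdb` on Linux) is hypothetical and must be replaced with the actual target, opened read-only as root.

```python
"""Verify that a target drive (or disk image file) is forensically wiped.

Added example, not from the page or the cited authors. Assumes a
single-byte wipe pattern (0x00 by default). Usage against a real target:

    sudo python3 verify_wiped.py /dev/sdb      # hypothetical device path
"""
import hashlib
import io
import sys
from dataclasses import dataclass
from typing import BinaryIO, Optional

CHUNK = 4 * 1024 * 1024  # read 4 MiB at a time so multi-terabyte drives stream


@dataclass
class WipeResult:
    bytes_checked: int
    first_dirty_offset: Optional[int]  # None when every byte matched the fill
    sha256: str                        # hash of everything read, for the notes

    @property
    def is_wiped(self) -> bool:
        return self.first_dirty_offset is None


def scan_stream(stream: BinaryIO, fill: int = 0x00, chunk: int = CHUNK) -> WipeResult:
    """Stream through `stream`, hashing it, and note the first byte != `fill`.

    The whole target is read even after a dirty byte is found, so the hash
    written into the acquisition notes covers the entire drive, not a prefix.
    """
    pattern = bytes([fill])
    offset = 0
    first_dirty = None
    digest = hashlib.sha256()
    while True:
        data = stream.read(chunk)
        if not data:
            break
        digest.update(data)
        # Fast path: a fully clean chunk contains len(data) copies of the fill byte.
        if first_dirty is None and data.count(pattern) != len(data):
            for i, b in enumerate(data):  # locate the exact offending byte
                if b != fill:
                    first_dirty = offset + i
                    break
        offset += len(data)
    return WipeResult(offset, first_dirty, digest.hexdigest())


def check_bytes(data: bytes, fill: int = 0x00, chunk: int = CHUNK) -> WipeResult:
    """Scan in-memory data (used for demonstration and testing)."""
    return scan_stream(io.BytesIO(data), fill, chunk)


def verify_wiped(path: str, fill: int = 0x00) -> WipeResult:
    """Open a device or image file read-only and scan it."""
    with open(path, "rb", buffering=0) as f:
        return scan_stream(f, fill)


def describe(result: WipeResult) -> str:
    """One-line summary suitable for pasting into the acquisition notes."""
    if result.is_wiped:
        status = "WIPED"
    else:
        status = f"NOT WIPED (first non-matching byte at offset {result.first_dirty_offset})"
    return f"{result.bytes_checked} bytes checked, sha256={result.sha256}: {status}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(describe(verify_wiped(sys.argv[1])))
    else:
        # Constructed demo "drive": 16 KiB of zeros with one stray byte at offset 6000.
        demo = bytearray(16384)
        demo[6000] = 0x41
        print(describe(check_bytes(bytes(demo), chunk=4096)))
```

Run with no arguments to see the constructed demo report the stray byte; run against the real target before each acquisition and keep the printed line with the case documentation so that the target's pre-imaging state is on record.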
Forensic software is required (e.g., EnCase® from Guidance Software and/or Forensic Toolkit® (FTK®) from AccessData). HBGary Responder Professional is an application for analyzing raw (unformatted) RAM dumps (Gogolin, 2013, p. 40).
Manuals for all software and hardware should be available on the response computer as well as on the Web, since the scene may have no usable network connection. If computers will be transported from the scene, then protective materials for the hardware should be included (e.g., static-shielding bags, bubble wrap, blankets and boxes).
General supplies
The incident response team will require a number of additional tools. Chain of Custody forms should be available. Tools for documenting the scene include a camera, indelible markers, colored pencils, labels and paper.
At the scene, investigators may need a variety of tools, such as screwdrivers, wire cutters, scissors, suction cups, a magnifying glass and a headlamp to provide "hands-free" lighting. A number of additional items for the health and safety of the investigator are suggested, such as a first aid kit, hand sanitizer, latex gloves, food and water. An up-to-date contact list should be included, covering key personnel on the incident response team and local electronics supply stores.
A checklist to keep track of the contents of the “jump bag” is required.