Tutorial - Computer Forensics Process for Beginners

Computer forensics is currently a very popular term; conferences are organized and books are written on the subject. This, together with the popularity of the CSI series, lends the field an aura of special, almost magical steps that forensics teams use. In reality, computer forensics is a standard, repeatable process, and every one of us performs parts of it when debugging our own computers. So, here is a simple tutorial on what is involved in computer forensics:

Computer forensics process

Below is a diagram of the forensics process. It is a generic process, but applies in computer forensics.

In order to properly apply the forensic process to computers, let's expand the generic diagram into the following:

As you can see, in computer forensics a lot of evidence can be collected while the computer is still running: the contents of RAM, the running processes, open network connections, logged-in users. This volatile evidence is a one-shot chance; once the computer is powered off it is gone for good, so collect it before anything else.

Your Forensic Toolkit

Every trade needs its tools. For the beginning investigator, here is my recommended toolkit:

  1. Helix forensic CD - your basic tool for the investigation
  2. Digital camera - capturing physical state of the suspect computer
  3. Evidence USB stick - 4 GB capacity - for removing smaller evidence files from the suspect computer
  4. Evidence USB hard drive (500 GB will be enough for most purposes) - for making an evidence copy of the disk drive
  5. Analysis computer - probably a laptop, but sparkling clean - no viruses, Trojans, cookies or similar wildlife on it, since they can corrupt the evidence. Even if the evidence isn't corrupted, it may be considered contaminated and become inadmissible in a formal case.
  6. VDK driver, for the analysis computer (if using Windows) - this driver lets you mount a dd image created during evidence collection as a read-only virtual disk
  7. Antivirus/Antispyware/Rootkit detector software for the analysis computer
Steps of the forensic process
1. Evidence collection

1.1. While the suspect computer is running

  • Make an image of the RAM and store it on the evidence hard drive/USB. Compute the MD5 and SHA-1 hashes of the image, save them to a file, and write them down in a notebook. Neither MD5 nor SHA-1 is collision-resistant any more, so record both, and add SHA-256 where your tools support it; two independent digests of the same image are much harder to dispute than one.
  • Make an inventory of all running processes, network connections, logged-in users, installed software, hardware, everything you can learn about the computer. Run the inventory tools from the forensic CD, not from the suspect system's own binaries, which a rootkit may have replaced. Save the inventory in a file on the evidence hard drive/USB, compute the MD5/SHA-1 hashes of the file, save them and write them down in the notebook.

1.2. When the suspect computer is off

  • Make an image of the hard disk drive and store it on the evidence hard drive/USB. Image through a hardware write-blocker, or boot the suspect machine from the Helix CD and image from there, so that nothing is ever written to the original drive. Compute the MD5/SHA-1 hashes of the image, save them and write them down in the notebook; hash the original drive as well and confirm that the two match.
  • Photograph the suspect computer from all sides. Save the pictures on the evidence hard drive/USB. Compute the MD5/SHA-1 hashes of the photographs, save them and write them down in the notebook.
  • If any physical tampering is apparent, photograph it specifically, and consider expanding the investigation with a forensic expert who will look for evidence of the tampering method (fingerprints, tool marks).
  • Open the computer and photograph the interior under good lighting. Save the pictures on the evidence hard drive/USB. Compute the MD5/SHA-1 hashes of the photographs, save them and write them down in the notebook.
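The collection steps above (image, hash, record, verify) as an added example, not code from the original tutorial or from the Helix CD: a POSIX shell script that uses only coreutils (dd, md5sum, sha1sum, date, stat), so it can be run from the Helix CD or any Linux system. The same acquire_image routine serves for the disk image and for hashing a RAM dump produced by whatever memory tool the CD provides; collect_volatile does the running-system inventory. The function names, the log format and the scratch file that stands in for the suspect drive in the demo are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: acquire a raw dd image,
# hash it, and record the hashes in an evidence log, using only coreutils
# (dd, md5sum, sha1sum, date, stat). Imaging a real device (/dev/sdb) needs
# root and should go through a write-blocker, or from a boot of the Helix CD.

# record LOG MESSAGE... : one UTC-timestamped line in the evidence log (the
# paper notebook still gets the hashes; this is the machine-readable copy).
record() {
    _log="$1"; shift
    printf '%s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$_log"
}

# hash_file FILE : print "MD5 SHA1", the two digests the tutorial asks for.
hash_file() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha1sum "$1" | cut -d' ' -f1)"
}

# acquire_image SOURCE DEST LOG : copy SOURCE (device or file) to DEST with
# dd, hash both, log them, and succeed only if image and source hash alike.
acquire_image() {
    src="$1"; dest="$2"; log="$3"
    record "$log" "acquire start source=$src dest=$dest host=$(hostname 2>/dev/null || echo unknown)"
    # conv=noerror keeps going past unreadable sectors. conv=sync (zero-fill
    # bad blocks) is left out on purpose: it also pads the final block to bs,
    # so the image would no longer hash like the source. On a failing disk
    # use bs=512 conv=noerror,sync instead and note the padding in the log.
    dd if="$src" of="$dest" bs=4M conv=noerror 2>>"$log" || { record "$log" "dd FAILED"; return 1; }
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$dest")
    record "$log" "source md5/sha1: $src_hash"
    record "$log" "image  md5/sha1: $img_hash size=$(stat -c %s "$dest")"
    if [ "$src_hash" = "$img_hash" ]; then
        record "$log" "VERIFIED image matches source"; return 0
    fi
    record "$log" "MISMATCH image does not match source"; return 1
}

# verify_image DEST LOG : recompute the image hashes and compare with the
# "image  md5/sha1:" line written at acquisition (section 2, first step).
verify_image() {
    recorded=$(grep 'image  md5/sha1:' "$2" | tail -n 1 | sed -e 's/.*md5\/sha1: //' -e 's/ size=.*//')
    [ -n "$recorded" ] && [ "$(hash_file "$1")" = "$recorded" ]
}

# collect_volatile OUTDIR LOG : the running-system inventory of 1.1, one file
# per command, each hashed and logged. Commands missing on the box are
# skipped; on a real case run the CD's own binaries, not the suspect's PATH.
collect_volatile() {
    out="$1"; log="$2"; mkdir -p "$out"
    for cmd in 'date -u' 'uname -a' 'id' 'ps -ef' 'netstat -anp' 'ss -anp' 'mount' 'df -h'; do
        name=$(printf '%s' "$cmd" | tr ' -' '__')
        set -- $cmd
        command -v "$1" >/dev/null 2>&1 || continue
        $cmd >"$out/$name.txt" 2>&1 || true
        record "$log" "inventory $name md5/sha1: $(hash_file "$out/$name.txt")"
    done
}

# Stand-alone demonstration on a constructed 'disk': a 300 KB scratch file
# stands in for the suspect drive so the script runs without root.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/suspect.dev" bs=1024 count=300 2>/dev/null
    collect_volatile "$work/volatile" "$work/evidence.log"
    acquire_image "$work/suspect.dev" "$work/suspect.dd" "$work/evidence.log" || return 1
    verify_image "$work/suspect.dd" "$work/evidence.log" || return 1
    printf 'x' >>"$work/suspect.dd"        # tamper with the copy ...
    if verify_image "$work/suspect.dd" "$work/evidence.log"; then return 1; fi  # ... and it must fail
    cat "$work/evidence.log"
    rm -rf "$work"
}

demo
```

On a real case replace the scratch file with the device node (for example acquire_image /dev/sdb /mnt/evidence/suspect.dd /mnt/evidence/evidence.log), copy the hashes from the log into the paper notebook, and keep the log on the evidence drive next to the image. The dd statistics land in the same log, so the records in/out counts are preserved with the hashes.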

2. Evidence analysis

  • Load copies of the evidence images onto your analysis computer and confirm that their MD5/SHA-1 hashes match the ones noted at collection time. Work only on copies; the original images stay untouched.
  • Search the raw images of the RAM and the disk drive for strings, and save the output for future reference

The following steps must be applied in the context of the investigation; there is no fixed order, and not every step applies to every case.

  • Review the strings dump for specific keywords
  • If there are specific keywords related to your investigation ('payroll', 'salary', 'password', someone's user name or e-mail address), search for those strings in the raw images and note the byte offset of each hit. Save the results for future reference.
  • Mount the disk drive image as a read-only drive. Scan the drive for viruses, rootkits and spyware. Save the results as a screenshot or log file
  • Analyze the event log of the suspect computer for any anomalies. Log the anomalies with their times of occurrence
  • Analyze the running-processes inventory of the suspect computer for any suspicious processes. If one is found, refer back to the memory dump to investigate the process (memory content, using a hex editor and string search)
  • Locate pictures/movies/documents/web-mail and log their locations for review. Alternatively, review them immediately for specific issues
  • If applicable, use steganography detection software to detect hidden data in images and music.
  • Analyze browser cookies and history for connections to specific sites or Internet activity
  • Analyze e-mail records (mailbox files, web-mail cache) for correspondence relevant to the investigation
  • Investigate deleted files in unallocated space and file slack (removed from the file system's allocation tables, but not physically erased from the disk until the space is overwritten)
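The string dump and keyword search described in section 2 (strings over the raw image, then a search for case-relevant keywords, then a look at the surrounding bytes for the "refer back to the memory dump" step) as an added example, not code from the original tutorial. It uses coreutils and grep, with binutils strings when present, so it works on a raw dd image of RAM or disk without a forensic suite. The sample image, the keyword list and the function names are constructed for this example; a real run would point at the verified evidence copy.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the string dump and
# keyword search of section 2 over a raw dd image, using only coreutils and
# grep (plus binutils strings when it is installed). The sample image below
# is constructed inline; a real run points at the evidence copy instead.

# strings_dump IMAGE OUT : printable runs of 4+ characters with decimal byte
# offsets (binutils strings), falling back to an offset-less tr/grep version
# when strings is not installed (e.g. a stripped-down live CD).
strings_dump() {
    img="$1"; out="$2"
    if command -v strings >/dev/null 2>&1; then
        strings -a -n 4 -t d "$img" >"$out"
    else
        tr -c '[:print:]' '\n' <"$img" | grep -E '.{4,}' >"$out" || true
    fi
}

# keyword_search IMAGE KEYWORDFILE : case-insensitive fixed-string search
# straight over the raw image (-a), one hit per line as BYTEOFFSET:MATCH, so
# every hit can be revisited in a hex editor or with context_at below.
keyword_search() {
    grep -a -b -o -i -F -f "$2" "$1" || true
}

# context_at IMAGE OFFSET [LEN] : dump LEN (default 48) bytes at OFFSET as
# characters with decimal offsets, the "look at the process memory" step.
context_at() {
    od -A d -t c -j "$2" -N "${3:-48}" "$1"
}

# mount_image_ro IMAGE MOUNTPOINT : the Linux equivalent of the VDK step, a
# read-only loop mount that also refuses to execute anything from the image.
# Needs root and a file-system (not whole-disk) image; not run in the demo.
mount_image_ro() {
    mount -o ro,loop,noexec,nodev,nosuid "$1" "$2"
}

# Constructed sample: zero padding with two planted artefacts, so that
# 'payroll_2008.xls' starts at byte 32 and 'jdoe@example.com' at byte 64.
build_sample_image() {
    { head -c 32 /dev/zero; printf 'payroll_2008.xls'
      head -c 16 /dev/zero; printf 'jdoe@example.com'
      head -c 32 /dev/zero; } >"$1"
}

demo() {
    work=$(mktemp -d)
    build_sample_image "$work/memdump.raw"
    printf 'payroll\npassword\njdoe\n' >"$work/keywords.txt"
    strings_dump "$work/memdump.raw" "$work/strings.txt"
    echo "== strings =="; cat "$work/strings.txt"
    echo "== keyword hits (offset:match) =="
    keyword_search "$work/memdump.raw" "$work/keywords.txt"
    echo "== context around the first hit =="
    context_at "$work/memdump.raw" 32 32
    rm -rf "$work"
}

demo
```

On the constructed image the keyword search prints 32:payroll and 64:jdoe; 'password' is in the list but not in the image, so it produces no line. Keep the keyword file itself with the case notes, since the list of terms searched is part of what you will have to explain later.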

3. All incriminating evidence (context dependent) is to be logged with its original timestamps (file system and log times exactly as found, together with the time zone setting of the suspect system) and with appropriate presentation (screenshots, text dumps, audio recording)

This is by no means a definitive and final tutorial. Shortinfosec will follow up with exercises and a demo dump for the readers to dissect in the comfort of their own home.

Talkback and comments are most welcome


Shane said...

The integrity of the evidence is the most important... Also, if you are doing a forensic procedure, keep a notebook containing the dates and times of what you did, and why you did what you did. This comes in handy in court, when you are presenting your findings, and enforces the integrity of the collected evidence. Again, write down checksums!

Bozidar Spirovski said...

One must be very careful in collection. A friend of mine actually takes photos on photographic film (not digital) of the SHA1 hash of the evidence image.
Also, one must be very careful in keeping the evidence - a non-erasable copy (CD/DVD) is very desirable, but difficult for large drives

Anonymous said...

Not to be nitpicky, but has anyone ever introduced you to spell check?? lol

Anonymous said...

Where to download the VDK driver?
