Garcia will be teaching "Forensics 508: Computer Forensic Investigations and Incident Response" at SANS London 2010.
Let's say we're looking at a cyber crime scene composed of several still-powered-on computers. When the forensic investigator arrives, what does his workflow look like?
The most important first step is to do a careful analysis of the situation and use your common sense and experience to make an educated decision about the actions to take.
Even in such an apparently simple scenario, there are multiple possible variations such as type of incident or crime, corporate environment, operating systems and hardware environment which will determine your course of action. It is important to gather as much information as possible about what happened before you start making any move. So the first step typically is to perform a quick interview of anyone who can provide that information and a review of the crime scene environment.
After that, going down to the technical procedures, the first thing you will do is acquire the volatile evidence, i.e. evidence that may disappear or change quickly with your actions, such as the information stored in memory, the network connections, running processes, etc. This may or may not be easy (or at all possible) depending on the degree of access to the computer. Fortunately for us, the latest advances in forensic research have provided useful techniques that have opened new possibilities for the investigator, such as acquisition of memory through the Firewire port, acquisition of "cold" memory (Cold Boot Attack), advanced analysis of the memory and others.
Then you would do an acquisition of physical storage such as hard drives, USB drives, memory cards and removable disks. There are multiple ways and utilities, hardware and software to do the job: from forensics hard drive duplicators and write blockers, to forensically sound live CDs or software utilities. In the real world some of them will be more suitable than others depending on the situation.
You will typically create one or two copies of those original drives (one for analysis and one for backup in case something happens to the first one). Eventually, if you need to retain the original hard drive as evidence, you will also need to clone it and restore it into the system to ensure its operational continuity. You will place all this evidence in appropriate anti-static bags and then in tamper-proof evidence bags.
These steps need to conform to an appropriate set of processes and procedures that guarantee that you do not modify the original evidence, or modify it as little as possible according to the circumstances. Careful documentation of all the steps taken, integrity hashes, and everything that can be considered relevant in that process are vital.
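As an added illustration of the imaging, verification and documentation steps described above (example code, not from the interview or the SANS course): it images a constructed "device" file into an analysis copy and a backup copy, hash-verifies both against the source, records each step with a UTC timestamp, and shows a later re-check catching a damaged backup. The file names, the log format and the choice of SHA-256 are assumptions.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large image never sits in RAM

def sha256_file(path):
    """Hex SHA-256 of a file, read chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, dest_dir, copies=2, log=None):
    """Image `source` into `copies` files (analysis + backup), verify each,
    and append every step with a UTC timestamp to `log`, the written record
    kept with the evidence. Returns the source hash and per-image results."""
    log = log if log is not None else []
    stamp = lambda msg: log.append(f"{datetime.now(timezone.utc).isoformat()} {msg}")
    src_hash = sha256_file(source)
    stamp(f"source {source} sha256={src_hash}")
    images = []
    for n in range(1, copies + 1):
        image = os.path.join(dest_dir, f"evidence_copy{n}.dd")
        shutil.copyfile(source, image)  # byte-for-byte copy of the source file
        img_hash = sha256_file(image)
        ok = img_hash == src_hash
        images.append({"path": image, "sha256": img_hash, "verified": ok})
        stamp(f"image {image} sha256={img_hash} verified={ok}")
    return {"source_sha256": src_hash, "images": images}

def verify_image(path, expected_sha256):
    """Re-hash an image later (e.g. before analysis) and compare to the record."""
    return sha256_file(path) == expected_sha256

def demo():
    """Constructed run: image a fake device, then damage the backup and re-verify."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "sdb.raw")
    with open(device, "wb") as f:
        f.write(b"MBR" + bytes(range(256)) * 64)  # constructed disk contents
    log = []
    res = acquire(device, work, copies=2, log=log)
    with open(res["images"][1]["path"], "r+b") as f:
        f.write(b"XXX")  # simulate a damaged backup image
    still_ok = verify_image(res["images"][1]["path"], res["source_sha256"])
    return res, still_ok, log
```

A real acquisition would read from a write-blocked device rather than a file, but the verify-and-record discipline is the same.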
What advice would you give to those interested in specializing in computer forensics?
Computer forensics is a fascinating world. It is the only area in computer security in which you will get to deal at a low level with all types of operating systems, network devices, CCTV cameras, VoIP/PBX systems, network traffic, etc.