Garcia will be teaching "Forensics 508: Computer Forensic Investigations and Incident Response" at SANS London 2010.
Let's say we're looking at a cyber crime scene comprised of several still powered on computers. When the forensic investigator arrives, what does his workflow look like?
The most important first step is to do a careful analysis of the situation and use your common sense and experience to make an educated decision about the actions to take.
Even in such an apparently simple scenario, there are multiple possible variations, such as the type of incident or crime, the corporate environment, and the operating systems and hardware environment, which will determine your course of action. It is important to gather as much information as possible about what happened before you start making any move. So the first step typically is to perform a quick interview of anyone who can provide that information and a review of the crime scene environment.
After that, going down to the technical procedures, the first thing you will do is acquire the volatile evidence first, i.e. the evidence that may disappear or change quickly with your actions, such as the information stored in memory, the network connections, running processes, etc. This may or may not be easy (or at all possible) depending on the degree of access to the computer. Fortunately for us, the latest advances in forensic research have provided useful techniques that have opened new possibilities for the investigator, such as acquisition of memory through the Firewire port, acquisition of "cold" memory (Cold Boot Attack), advanced analysis of the memory and others.
Then you would do an acquisition of physical storage such as hard drives, USB drives, memory cards and removable disks. There are multiple ways and utilities, hardware and software, to do the job: from forensic hard drive duplicators and write blockers, to forensically sound live CDs or software utilities. In the real world some of them will be more suitable than others depending on the situation.
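The order-of-volatility workflow described in the answer above, as an added example that is not part of the interview: a small stdlib-only collector that runs each acquisition step most-volatile-first, hashes every output and records a manifest so the investigator can later show what was collected, when, and that it has not changed. The command lines in DEFAULT_COLLECTORS are assumptions for a Linux host and are not taken from the interview.

```python
"""Order-of-volatility live-response collector (added example, stdlib only)."""
import hashlib
import json
import shutil
import subprocess
import time
from pathlib import Path

# Lower rank = more volatile = collected first, following the order given in
# the interview: memory, network connections, running processes, then storage.
# These commands are an assumption for a Linux host; adapt them per platform.
DEFAULT_COLLECTORS = [
    ("memory_info", 1, ["cat", "/proc/meminfo"]),
    ("network_connections", 2, ["ss", "-tunap"]),
    ("running_processes", 3, ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("block_devices", 4, ["lsblk", "-o", "NAME,SIZE,TYPE,MOUNTPOINT"]),
]


def run_command(argv):
    """Run an external collector; a missing tool is recorded, not fatal."""
    if shutil.which(argv[0]) is None:
        return b"", "tool not found: " + argv[0]
    proc = subprocess.run(argv, capture_output=True, timeout=60)
    err = None if proc.returncode == 0 else proc.stderr.decode(errors="replace")
    return proc.stdout, err


def collect(collectors, outdir):
    """Acquire each item most-volatile-first; return the manifest in that order.

    collectors: list of (name, volatility_rank, source) where source is either
    a callable returning bytes or an argv list passed to run_command().
    Each output is written to outdir/<name>.txt and hashed with SHA-256.
    """
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    ordered = sorted(collectors, key=lambda c: c[1])
    for seq, (name, rank, source) in enumerate(ordered, 1):
        started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        data, error = (source(), None) if callable(source) else run_command(source)
        (outdir / f"{name}.txt").write_bytes(data)
        manifest.append({"seq": seq, "name": name, "rank": rank, "started": started,
                         "size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
                         "error": error})
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    for entry in collect(DEFAULT_COLLECTORS, "evidence"):
        print(entry["seq"], entry["name"], entry["sha256"], entry["error"] or "ok")
```

The manifest is the chain-of-custody record: re-hashing the saved files at any later point must reproduce the recorded digests.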