Technical Procedure for Evidence Search




1.0 Purpose
The purpose of this procedure is to provide a systematic means of searching digital evidence in order to find data sought by the search authorization.

2.0 Scope
This procedure describes the steps to be taken by personnel of the State Crime Laboratory in searching computer evidence that is submitted.

3.0 Definitions
Forensic drive - Hard drive containing the operating system and all the forensic software that will be used in the examination.
Target drive - Drive that holds the forensic image of the suspect drive and the case file containing any evidence found on the subject drive.

4.0 Equipment, Materials and Reagents
Forensic Tower or Portable Forensic Workstation
Approved Forensic Software

5.0 Procedure
5.1 Read the search authorization (e.g., search warrant or consent) to ensure the scope of the search is authorized by the document. Install the forensic drive and the target drive into the forensic tower.
5.2 Ensure that the forensic drive is installed as the primary master and the target drive is installed as either the primary slave, secondary master, or secondary slave.
5.3 Boot the forensic tower from the forensic drive.
5.4 Run approved software to undelete any deleted files and recover files and file fragments from unallocated space.
5.5 The forensic image of the evidence drive shall be examined for the presence of any deleted partitions on the hard drive. If any deleted partitions are noted, these partitions shall be recovered.
5.6 The forensic image of the evidence drive shall be examined for the presence of any deleted folders on the hard drive. Any deleted folders shall be recovered.
5.7 If using EnCase, a file mounter EnScript shall be run to mount any zipped or compressed files so that the files contained inside can be examined.
5.8 A signature analysis shall be run on all files in the case prior to the examination of these files. The signature analysis checks the file header information to ensure that the files have not been identified with an incorrect file extension.
5.9 For Cases Involving Images
5.9.1 Computer search software or graphics thumbnail software can be used to view images on a forensic image.
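The following is an added illustration of what the signature analysis in 5.8 does, and of the extension-based file search in 5.9.2; it is not part of the laboratory procedure and is not code from EnCase or any other tool named in it. The signature table, the alias table for Office Open XML extensions, and the sample files are constructed for the example; a production signature table is far larger and also covers footers and signatures at non-zero offsets.

```python
"""Signature analysis (5.8) and extension search (5.9.2) over a directory tree.

Added example, not part of the laboratory procedure and not code from
EnCase or any other vendor tool. SIGNATURES is a constructed subset of a
real signature table; a production table is far larger.
"""
import os
import tempfile

# Constructed table: extension -> acceptable header byte strings ("magic").
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".bmp": (b"BM",),
    ".pdf": (b"%PDF-",),
    ".zip": (b"PK\x03\x04",),
}
# Office Open XML documents are ZIP containers, so a ZIP header is the
# correct signature for these extensions, not a mismatch (constructed alias table).
ALIASES = {".docx": ".zip", ".xlsx": ".zip", ".pptx": ".zip"}
# Graphics and movie extensions listed in 5.9.2.
MEDIA_EXTENSIONS = {".jpg", ".gif", ".bmp", ".mov", ".mpg", ".avi"}
HEADER_LEN = max(len(s) for sigs in SIGNATURES.values() for s in sigs)


def identify(header):
    """Return the extension whose signature matches the header, or None."""
    for ext, sigs in SIGNATURES.items():
        if any(header.startswith(s) for s in sigs):
            return ext
    return None


def analyze_file(path):
    """Compare a file's header bytes with the type its extension claims."""
    with open(path, "rb") as f:
        header = f.read(HEADER_LEN)
    ext = os.path.splitext(path)[1].lower()
    expected = ALIASES.get(ext, ext)
    detected = identify(header)
    if expected in SIGNATURES:
        # Known extension: the header must carry that type's signature.
        status = "match" if detected == expected else "mismatch"
    elif detected is not None:
        # Unknown extension hiding a recognised type (e.g. a JPEG named .txt).
        status = "mismatch"
    else:
        status = "unknown"  # nothing in the table; examine manually
    return {"name": os.path.basename(path), "ext": ext,
            "detected": detected, "status": status}


def analyze_tree(root):
    """Run signature analysis on every file under root (5.8)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            results.append(analyze_file(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: r["name"])


def mismatches(root):
    """Names of files whose extension does not agree with their header."""
    return [r["name"] for r in analyze_tree(root) if r["status"] == "mismatch"]


def find_by_extension(root, extensions=MEDIA_EXTENSIONS):
    """Extension-based search (5.9.2). Run it alongside, not instead of,
    signature analysis: a renamed file escapes an extension search."""
    hits = []
    for dirpath, _, files in os.walk(root):
        hits.extend(n for n in files if os.path.splitext(n)[1].lower() in extensions)
    return sorted(hits)


def build_sample_tree():
    """Write constructed sample files to a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="sigdemo_")
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 28,   # genuine JPEG header
        "notes.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 28,   # JPEG renamed to .txt
        "image.bmp": b"not really a bitmap at all",       # claims BMP, is text
        "memo.docx": b"PK\x03\x04" + b"\x00" * 28,        # OOXML = ZIP container
        "readme.txt": b"plain text, nothing to flag",     # no signature known
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for r in analyze_tree(root):
        print(f"{r['name']:12} ext={r['ext']:6} header={str(r['detected']):6} {r['status']}")
    print("media by extension:", find_by_extension(root))
    print("flagged by signature:", mismatches(root))
```

Running the script flags `notes.txt` (a JPEG carrying a text extension) and `image.bmp` (a text file carrying an image extension), while the extension search alone returns only `image.bmp` and `photo.jpg`; that difference is why 5.8 requires the signature analysis before files are examined.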

5.9.2 A file search can be run to find files with graphics or movie file extensions (e.g., .jpg, .gif, .bmp, .mov, .mpg, .avi, etc.).
5.9.3 Examine files found for data sought by the search authorization and note in the FA worksheet.
5.10 Data Searches
5.10.1 Use approved forensic search software to perform keyword searches on the forensic image.
5.10.2 Enter keywords such as names, e-mail addresses, dates, or other pertinent keywords which may be used in a file containing data of evidentiary value.
5.10.3 Examine files found for data sought by the search authorization and note in the FA worksheet.
5.11 Image Restore
5.11.1 In order to review the evidence computer as it would have appeared to the user, to demonstrate items such as the desktop wallpaper image or the types and arrangement of icons and shortcuts on the desktop, it is acceptable to image the drive again with an approved DOS-based imaging program such as SnapBack or to use the restore function in EnCase to restore the EnCase image to a target hard drive. This second image can then be used to boot the evidence computer.
5.12 In EnCase, .asf, .max, .mpe, .mpeg, .mpg, .mov, .rm, .ram and .avi files, as well as image files in unallocated space, are not shown in the gallery view. These files shall be searched for and viewed with external viewers.
5.13 EnCase does not display images inside of .zip files in the gallery view unless the ZIP files are first mounted. The examiner shall search for .zip files. These files shall be opened manually or with the File Mounter EnScript in EnCase and any images found inside examined.
5.14 EnCase does not display images that are attached to e-mail files (e.g., Outlook Express and AOL e-mail files) prior to version 5. If an EnCase version prior to version 5 is being used, the e-mail files shall be recovered to the target drive. These files can be examined by restoring the e-mails to an e-mail account on another computer so that the images attached to the e-mail can be viewed. Alternatively, the examiner may use another tool such as Forensic Toolkit to examine the case for e-mail.
5.15 Due to the size of modern hard drives, every effort shall be made to search by relevant dates or file types and by relevant keywords in order to find information sought by the search authorization.
5.16 Microsoft Office 2007 documents differ from previous versions. The Guidance Software website states: Microsoft's Office 2007 documents are stored in what is referred to as the Office Open XML File Format. It is a ZIP file of various XML documents describing the entire document.
5.16.1 In order to view the contents of these files, they shall be mounted like other types of ZIP files.
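The keyword search of 5.10 runs over the whole forensic image, unallocated space included, rather than over the file system the operating system presents. The added example below (not part of the laboratory procedure, and not the search engine of EnCase or Forensic Toolkit) shows the two points a practitioner has to get right: keywords are tried in both ASCII and UTF-16LE, because Windows stores many strings in the latter, and the image is read in chunks with an overlap so a hit that straddles a chunk boundary is not lost. The five-sector "image", the e-mail address and the date are all constructed for the example.

```python
"""Keyword search across a raw disk image (5.10), unallocated space included.

Added example; not the laboratory's procedure and not code from any forensic
tool. The image is constructed in memory: five 512-byte sectors, two of them
"unallocated" (one zeroed, one still holding a deleted fragment).
"""
import io
import re

SECTOR = 512
# Encodings tried for every keyword: Windows stores many strings as UTF-16LE.
CODECS = (("ascii", "ascii"), ("utf-16le", "utf-16-le"))


def compile_keywords(keywords):
    """One case-insensitive bytes pattern per (keyword, encoding) pair."""
    patterns = []
    for kw in keywords:
        for label, codec in CODECS:
            pat = re.compile(re.escape(kw.encode(codec)), re.IGNORECASE)
            patterns.append((kw, label, pat))
    return patterns


def search_stream(stream, keywords, chunk_size=1 << 20):
    """Scan a file-like object chunk by chunk.

    Returns sorted (absolute offset, keyword, encoding) tuples. The tail of each
    chunk is carried into the next so a hit straddling a chunk boundary is still
    found; collecting into a set removes the duplicates that the overlap produces.
    """
    patterns = compile_keywords(keywords)
    overlap = max(len(kw.encode("utf-16-le")) for kw in keywords) - 1
    hits, base, tail = set(), 0, b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        buf_base = base - len(tail)  # absolute image offset of buf[0]
        for kw, label, pat in patterns:
            for m in pat.finditer(buf):
                hits.add((buf_base + m.start(), kw, label))
        tail = buf[-overlap:] if overlap > 0 else b""
        base += len(chunk)
    return sorted(hits)


def search_bytes(data, keywords, chunk_size=1 << 20):
    """Convenience wrapper for an image already held in memory."""
    return search_stream(io.BytesIO(data), keywords, chunk_size)


def search_image_file(path, keywords):
    """Search a raw (dd-style) image file on disk."""
    with open(path, "rb") as f:
        return search_stream(f, keywords)


def build_sample_image():
    """Constructed sample image: allocated text, a UTF-16LE string, free space,
    and a deleted fragment left behind in unallocated space."""
    sectors = [
        b"Allocated file: contact john.doe@example.org for details.\n",  # sector 0
        "Meeting 2012-09-17 with J. Doe".encode("utf-16-le"),           # sector 1
        b"",                                                            # sector 2, zeroed
        b"",                                                            # sector 3, zeroed
        b"<<deleted fragment>> reply to JOHN.DOE@EXAMPLE.ORG before 2012-09-17",
    ]
    return b"".join(s.ljust(SECTOR, b"\x00") for s in sectors)


if __name__ == "__main__":
    image = build_sample_image()
    for offset, kw, enc in search_bytes(image, ["john.doe@example.org", "2012-09-17"]):
        print(f"offset {offset:6d} (sector {offset // SECTOR})  {enc:8}  {kw}")
```

A file-system-level search would report only the first hit; the UTF-16LE date in sector 1 and the fragment in the unallocated sector 4 are found only because the search reads raw bytes and tries both encodings. In the test, `chunk_size=530` is chosen so that the UTF-16LE date at offset 528 crosses a chunk boundary and exercises the overlap handling.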

5.16.2 When using version 5 of EnCase, mounting ZIP files will allow viewing of the contents of Office 2007 documents.
5.16.3 When using version 6 of EnCase, select the Mount Persistent option inside the File Mounter EnScript to keep the files mounted after the EnScript completes running. If not, the files will unmount as soon as the EnScript finishes running and it will be necessary to mount the files manually by right-clicking and viewing the file structure.
5.17 Standards and Controls - A control disk image with a known hash value is used to ensure the proper functioning of forensic computers used in casework.
5.18 Calibrations - The forensic towers used in casework shall be verified each day that they are used to ensure that the computer hardware and software are functioning properly (see the Computer Performance Verification Procedure).
5.19 Maintenance - N/A
5.20 Sampling - N/A
5.21 Calculations - N/A
5.22 Uncertainty of Measurement - N/A

6.0 Limitations - N/A

7.0 Safety - N/A

8.0 References
EnCase Forensic User Manual
EnCase Intermediate Analysis and Reporting Course Guide
EnCase Advanced Computer Forensics Course Guide
Forensic Toolkit User Guide
Forensic Boot Camp Training Manual
Computer Performance Verification Procedure

9.0 Records - N/A

10.0 Attachments
Attachment A: General Flow Diagram for Computer Forensic Examination
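Sections 5.13 and 5.16 through 5.16.3 rest on one fact: an Office Open XML document is a ZIP container, and its text lives in XML parts that are reachable only once the container is opened. The added example below is not the laboratory's procedure and is not the EnCase File Mounter EnScript; it builds a minimal, constructed .docx in memory and then does with the standard library what mounting the ZIP exposes: confirms the ZIP signature, lists the parts, classifies the document from its content types rather than its extension, and pulls the paragraph text out of `word/document.xml`. The namespace URIs are the published Office Open XML ones; the sample paragraphs are constructed.

```python
"""Office Open XML (5.16): a .docx is a ZIP container of XML parts.

Added example; not the laboratory's procedure and not EnCase's File Mounter.
A minimal, constructed word-processing package is built in memory and then
listed, classified and read, which is what mounting the ZIP makes possible.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header; what a signature analysis sees


def build_sample_docx(paragraphs):
    """Constructed sample: the three parts a minimal .docx needs, zipped in memory."""
    body = "".join(f"<w:p><w:r><w:t>{escape(p)}</w:t></w:r></w:p>" for p in paragraphs)
    document = f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>'
    content_types = (
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>')
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", rels)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def is_zip_container(data):
    """The header check that identifies a .docx as a ZIP regardless of its name."""
    return data[:4] == ZIP_MAGIC


def list_parts(data):
    """Part names inside the package, i.e. what a mounted ZIP shows as files."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def ooxml_kind(data):
    """Classify by the main part's content type, not by the file extension."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        types = ET.fromstring(z.read("[Content_Types].xml"))
    for override in types.iter(f"{{{CT_NS}}}Override"):
        ct = override.get("ContentType", "")
        if "wordprocessingml" in ct:
            return "docx"
        if "spreadsheetml" in ct:
            return "xlsx"
        if "presentationml" in ct:
            return "pptx"
    return "unknown"


def extract_text(data):
    """Paragraph text from word/document.xml: every w:t run, joined per w:p."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    paragraphs = []
    for p in root.iter(f"{{{W_NS}}}p"):
        paragraphs.append("".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t")))
    return paragraphs


if __name__ == "__main__":
    doc = build_sample_docx(["Evidence note one", "Contact: john.doe@example.org"])
    print("ZIP signature:", is_zip_container(doc))
    print("parts:", list_parts(doc))
    print("kind:", ooxml_kind(doc))
    for line in extract_text(doc):
        print("text:", line)
```

Because the text sits inside a compressed XML part, a keyword search over the raw image will not find "john.doe@example.org" in this document until the container is opened, which is the reason 5.16.1 requires these files to be mounted like any other ZIP before examination.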

Revision History
Effective Date   Version Number   Reason
09/17/2012       1                Original Document
10/31/2013       2                Added issuing authority to header

ATTACHMENT A: General Flow Diagram for Computer Forensic Examination