4-1 Основи цифрової криміналістики / лк / lecture 1. Introduction to the digital forensics course.pptx
Added: 02.02.2021

Forensic tools

Data collection phase

• tcpdump, dd (dataset definition), etc.

Evidence extraction phase

• Wireshark, Autopsy, EnCase, etc.

Evidence analysis phase

• Hex editor, NetworkMiner

Evidence presentation phase

• Microsoft PowerPoint, Word, OpenOffice, etc.


Collection. The first phase in the process is to identify, label, record, and acquire data from the possible sources of relevant data, while following guidelines and procedures that preserve the integrity of the data. Collection is typically performed in a timely manner because of the likelihood of losing dynamic data such as current network connections, as well as losing data from battery-powered devices.

Examination. Examinations involve forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest, while preserving the integrity of the data.

Analysis. The next phase of the process is to analyze the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.

Reporting. The final phase is reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, guidelines, procedures, tools, and other aspects of the forensic process. The formality of the reporting step varies greatly depending on the situation.

Digital evidence first responder (DEFR): a person who is authorized, trained and prepared to act first at the scene of an incident, collecting and acquiring evidence in digital form, and who is responsible for handling that evidence.

Digital evidence specialist (DES): a person who can perform the specialist tasks of a first responder with respect to evidence in digital form, and who additionally has the specialist knowledge, skills and abilities to address a broader spectrum of issues.

Principles of evidence:

- importance (value);

- reliability (the processes must be controlled and repeatable, and process results must be reproducible);

- conclusiveness (the data must be sufficient to support the evidence).

All processes must be approved prior to use (evidence collection and processing policies).

Key aspects of the handling of evidence:

1. Accountability. An independent expert assessment, or other interested parties, must be able to evaluate the activities of the DEFR and DES. This is achieved by documenting every action taken by the DEFR and DES.

2. Repeatability. Repeatability is recognized if the same test results are obtained under the following conditions: the same procedure and measurement method are used; the same tool is used under the same conditions; and the test can be repeated at any time after the initial investigation.

3. Reproducibility. Reproducibility is recognized if the same test results are obtained under the following conditions:

- the same measurement method is used;

- different tools and different conditions are used;

- the test can be repeated at any time after the initial investigation.

4. Justification. The DEFR must be able to show that the best available method of measurement was used.
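The collection phase above requires preserving the integrity of acquired data, and the accountability and repeatability aspects require that every action be documented and that a later re-measurement produce the same result. The following script, added here as an illustration and not taken from the lecture or from any forensic tool, shows the minimal mechanics behind those requirements: an acquisition that hashes the source and the copy, appends a structured audit record for each action, and a later verification that re-hashes the image and detects any change. The evidence file, the examiner identifiers "DEFR-01" and "DES-01", and the tool name in the log are constructed sample values.

```python
"""Hash-verified acquisition with an accountability log (added illustration)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in fixed-size chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _record(log: list, examiner: str, action: str, **fields) -> dict:
    """Append one timestamped audit entry; every DEFR/DES action goes through here."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        **fields,
    }
    log.append(entry)
    return entry


def acquire(source: Path, dest: Path, log: list, examiner: str, tool: str) -> dict:
    """Copy `source` to `dest`, hash both sides, and log the result.

    The copy is only accepted if the two hashes agree; a mismatch is logged
    and raised so the failure itself is part of the record.
    """
    src_hash = sha256_of(source)
    shutil.copyfile(source, dest)  # stand-in for dd or an imaging tool
    dst_hash = sha256_of(dest)
    entry = _record(
        log, examiner, "acquire",
        tool=tool, source=str(source), destination=str(dest),
        sha256_source=src_hash, sha256_copy=dst_hash,
        verified=(src_hash == dst_hash),
    )
    if not entry["verified"]:
        raise RuntimeError("acquired copy does not match source")
    return entry


def verify(image: Path, expected_sha256: str, log: list, examiner: str) -> bool:
    """Re-hash a stored image; same method and same tool must reproduce the hash."""
    actual = sha256_of(image)
    ok = actual == expected_sha256
    _record(log, examiner, "verify", image=str(image),
            sha256_expected=expected_sha256, sha256_actual=actual, verified=ok)
    return ok


def demo() -> dict:
    """Run acquisition, a clean re-verification, then a tampered one, in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        tmpdir = Path(tmp)
        evidence = tmpdir / "usb_sample.bin"  # constructed sample evidence
        evidence.write_bytes(b"constructed sample evidence: " + bytes(range(256)) * 64)
        image = tmpdir / "usb_sample.dd"
        log: list = []

        rec = acquire(evidence, image, log, examiner="DEFR-01",
                      tool="python shutil.copyfile (placeholder for dd)")
        repeat_ok = verify(image, rec["sha256_source"], log, examiner="DES-01")

        # Flip one byte of the image: the next verification must fail and be logged.
        with image.open("r+b") as f:
            f.seek(10)
            f.write(b"X")
        tampered_ok = verify(image, rec["sha256_source"], log, examiner="DES-01")

        return {
            "verified": rec["verified"],
            "repeat_ok": repeat_ok,
            "tamper_detected": not tampered_ok,
            "log_entries": len(log),
            "log_json": json.dumps(log, indent=2),
        }


if __name__ == "__main__":
    result = demo()
    print(result["log_json"])
    print("repeat ok:", result["repeat_ok"], "| tamper detected:", result["tamper_detected"])
```

The audit log carries who acted, when, with which tool, and the hashes before and after, which is what makes a later independent assessment possible; the two `verify` calls show the repeatability check passing on the untouched image and failing, with the failure itself recorded, once a single byte has changed.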