Computer Forensics JumpStart Authors: Solomon M., Broom N., Barrett D. Published year: 2004 Pages: 65-68/153 |
forensic suite
Which utility, originally created for the Unix platform, copies and converts files using two basic arguments ( if and of )?
Which software suite provides an Enterprise Edition that specifically supports volatile data analysis on a live Windows system?
Which disk imaging software operates as an extended DOS command shell?
What are two common algorithms used to create hash values for drive images?
Which forensic software suite integrates the dtSearch engine in its searching function?
What two software suites are free?
What are two of several vendors of forensic computers?
After creating an image of a drive, what must you do to ensure that the copy matches the original?
You have many factors to consider when choosing appropriate forensic software. Name two.
Which utilities provide comprehensive forensic functionality?
Creating proper and thorough documentation
Formulating a concise analysis report summary
Exploring model analysis reports and sample reports
Using software for creating reports
In the last chapter, you learned about the various types of forensic tools used to gather evidence. Prior to that, you learned about capturing and extracting data. Through each step of the way you should be documenting what you are doing along with the evidence you find. Besides being familiar with the process of gathering information, data, and material that may be related to criminal activity, forensic investigators must also be skilled in the area of documentation. Throughout the forensic process, the investigator has the ability to extract and examine mounds of information. At times, this can be intimidating as well as overwhelming. Somehow, in the end, all of this information has to be processed into a succinct report that is understandable to a judge and jury.
Properly documenting the steps taken during the evidence-gathering process must be a top priority. Good documentation, along with sound forensic procedures, is essential for success in prosecuting computer crime cases. Crucial evidence is subject to question, and the qualifications of the expert witness can become an issue if the computer evidence was not documented systematically. This is why being able to accurately reconstruct an investigation is a critical skill.
It's time to look at what information you might need and how to put all this information together in an analysis report that is concise yet detailed enough to explain your findings. This chapter examines this process and looks at several sample reports so you can get an idea of the type and quality of documentation you will need for your case.
A small hard drive is 10GB. If the contents were printed, it would create a stack of paper approximately 1,111 feet tall. Even though you can't have too much documentation, when it comes to presenting the case, you need balance. You won't want to weed through tons of evidence again later, and you don't want to appear incompetent. For example, if you are asked about log events or a specific activity, you don't want to respond, 'I know that I saw that somewhere.' If the activity is in the Tcpdump log file, you'll need to be able to locate it again.
Often lawyers may want to have electronic evidence produced for them in paper format. A complete forensic analysis report can usually be stored on a single CD-ROM. Evidence is much simpler to handle in electronic form, where it can be filed, cross-referenced, and indexed. Most law firms now have the technology to do this. Various software programs, such as Summation, allow the evidence to be processed in a more efficient way than paper format. Additional information on Summation can be found at http://info.summation.com/products.
Kroll Ontrack is another software program that attorneys use. It provides software tools that allow you to view, search, sort, bookmark, and generate reports on the data after the evidence is extracted. Kroll Ontrack offers ElectronicDataInvestigator free of charge to all of its computer forensics customers. For more information on the services that Kroll Ontrack provides, go to http://www.krollontrack.com.
Evidor serves as an automated forensic examiner. It can come in handy during civil litigation when one party wants to examine the other party's computers. Both WinHex and Evidor are products of X-Ways Software Technology AG. You can find them at http://www.sf-soft.de/evidor/index.htm and http://www.sf-soft.de/winhex/index-m.html.
When you are formulating a concise report, it is important to:
Understand the importance of the reports
Limit the report to specifics
Design the layout and presentation in an easy-to-understand format
Understand the difference between litigation support reports and technical reports
Write clearly
Provide supporting material
Explain the methods used in data collection
Explain results
The basic guidelines for your reports should be to document your steps clearly, organize the report by using a template, and be consistent. Documenting in a clear and concise manner helps ensure that the details can be recalled or conveyed when the need arises. To do this, though, the scope of your original documentation must be broader, and you should document every step of the process.
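As an added illustration (not code from the book) of the two points the chapter ties together, verifying that an image matches its source by hashing and recording every step in a consistent, template-driven log, the script below hashes a constructed sample "image" with MD5 and SHA-1 (an assumed choice of the two common algorithms), compares source and copy, and appends each action as a dated entry to an evidence log that renders into a simple report. The names `EvidenceLog`, `document_imaging` and the sample bytes are hypothetical and exist only for this example.

```python
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed pair of hash algorithms for this example; the chapter's review
# question asks for "two common algorithms" without naming them here.
HASH_ALGORITHMS = ("md5", "sha1")


def hash_stream(stream, chunk_size: int = 1 << 20) -> dict:
    """Hash a file-like object in chunks so a multi-gigabyte image never sits in memory."""
    hashers = {alg: hashlib.new(alg) for alg in HASH_ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    """Convenience wrapper: hash an in-memory byte string via the same chunked path."""
    return hash_stream(io.BytesIO(data))


def verify_copy(original: bytes, copy: bytes) -> tuple:
    """Return (match, original_hashes, copy_hashes); match is True only if every algorithm agrees."""
    orig_h = hash_bytes(original)
    copy_h = hash_bytes(copy)
    return (orig_h == copy_h, orig_h, copy_h)


@dataclass
class EvidenceLog:
    """Hypothetical step log: one dated entry per action, rendered through a fixed template."""
    case_id: str
    examiner: str
    entries: list = field(default_factory=list)

    def record(self, action: str, detail: str, when: datetime = None) -> dict:
        when = when or datetime.now(timezone.utc)
        entry = {"when": when.isoformat(timespec="seconds"), "action": action, "detail": detail}
        self.entries.append(entry)
        return entry

    def render(self) -> str:
        lines = [f"Case: {self.case_id}", f"Examiner: {self.examiner}", "", "Steps taken:"]
        for i, e in enumerate(self.entries, 1):
            lines.append(f"  {i}. [{e['when']}] {e['action']}: {e['detail']}")
        return "\n".join(lines)


def document_imaging(log: EvidenceLog, original: bytes, copy: bytes, when: datetime = None) -> bool:
    """Log acquisition, both hash computations and the verification as separate steps; return match."""
    match, orig_h, copy_h = verify_copy(original, copy)
    log.record("Acquired image", f"{len(original)} bytes read from source (constructed sample)", when)
    for alg in HASH_ALGORITHMS:
        log.record(f"Hashed source ({alg})", orig_h[alg], when)
        log.record(f"Hashed image ({alg})", copy_h[alg], when)
    log.record("Verification", "MATCH" if match else "MISMATCH: image does not reproduce source", when)
    return match


# Constructed sample data standing in for a drive image; not real evidence.
SAMPLE_SOURCE = b"MBR\x00" * 128 + b"user data: meeting notes 2004-03-01\n" * 16
SAMPLE_GOOD_COPY = bytes(SAMPLE_SOURCE)
SAMPLE_BAD_COPY = SAMPLE_SOURCE[:-1] + b"?"  # one byte altered, so hashes must differ


if __name__ == "__main__":
    log = EvidenceLog(case_id="CASE-EXAMPLE-001", examiner="J. Examiner")
    document_imaging(log, SAMPLE_SOURCE, SAMPLE_GOOD_COPY)
    print(log.render())
```

Recording the source and image digests as separate entries, rather than only the final "match" verdict, is what lets you answer "where did you see that?" later: the rendered report carries the exact values that were compared, in the order the steps were taken.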