Aspire Tech 8 Steps Methodology for Computer Forensics & Investigation
Accepted methods and procedures to properly seize, safeguard, analyze data and determine what happen. Actionable information to deal with computer forensic cases. Repeatable and effective steps. It’s a good way to describe the Aspire’s methodology for IT Forensic investigations. It is an 8 steps methodology. It will help the investigator to stay on track and assure proper presentation of computer evidence for criminal or civil case into court, legal proceedings and internal disciplinary actions, handling of malicious software, virus, Malware, Trojans, exploits, spyware, ransomware, zero-day threats and other cyber-crime incidents and unusual operational problems. Furthermore, is a good starting point in order to have a reasonable knowledge of forensic principles, guidelines, procedures, tools and techniques.
The purpose of these 8 steps is to respond systematically to forensic investigations and determine what happen. Below a short and high level introduction of the 8 Computer Forensic Investigation steps:
Verification: Normally the computer forensics investigation will be done as part of an incident response scenario, as such the first step should be to verify that an incident has taken place. Determine the breadth and scope of the incident, assess the case. What is the situation, the nature of the case and its specifics? This preliminary step is important because will help determining the characteristics of the incident and defining the best approach to identify, preserve and collect evidence. It might also help justify to business owners to take a system offline.
System Description: Then it follows the step where you start gathering data about the specific incident. Starting by taking notes and describing the system you are going to analyze, where is the system being acquired, what is the system role in the organization and in the network. Outline the operating system and its general configuration such as disk format, amount of RAM and the location of the evidence.
Evidence Acquisition: Identify possible sources of data, acquire volatile and non-volatile data, verify the integrity of the data and ensure chain of custody. One suggested order in which volatile data should be acquired is network connections, ARP cache, login sessions, running processes, open files and the contents of RAM and other pertinent data – please note that all this data should be collected using trusted binaries and not the ones from the impacted system.
Timeline Analysis: After the evidence acquisition you will start doing your investigation and analysis in your forensics lab. Start by doing a timeline analysis. This is a crucial step and very useful because it includes information such as when files were modified, accessed, changed and created in a human readable format, known as MAC time evidence.
Media and Artifact Analysis: In this step that you will be overwhelmed with the amount of information that you could be looking at. You should be able to answer questions such as what programs were executed, which files were downloaded, which files were clicked on, witch directories were opened, which files were deleted, where did the user browsed to and many others. Other things that you will be looking is evidence of account usage, browser usage, file downloads, file opening/creation, program execution, usb key usage. Memory analysis is another key analysis step in order to examine rogue processes, network connections, loaded DLLs, evidence of code injection, process paths, user handles, mutex and many others.
String or Byte search: This step will consist into using tools that will search the low level raw images. If you know what you are looking, then you can use this method to find it. Is this step that you use tools and techniques that will look for byte signatures of know files known as the magic cookies. It is also in this step that you do string searches using regular expressions. The strings or byte signatures that you will be looking for are the ones that are relevant to the case you are dealing with.
Data Recovery: This is the step that you will be looking at recover data from the file system. Analyzing the slack space, unallocated space and in-depth file system analysis is part of this step in order to find files of interest. Carving files from the raw images based on file headers using tools like foremost is another technique to further gather evidence.
Reporting Results: The final phase involves reporting the results of the analysis, which may include describing the actions performed, determining what other actions need to be performed, and recommending improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process. Reporting the results is a key part of any investigation. Consider writing in a way that reflects the usage of scientific methods and facts that you can prove. Adapt the reporting style depending on the audience and be prepared for the report to be used as evidence for legal or administrative purposes.
Forensic Lab Policy
A clearly stated forensics policy would greatly clarify what needs to be preserved and for which set of events. So, how does one define a forensics policy addressing forensic readiness for a given system? The following process assists in defining a forensics policy that addresses forensic readiness requirements:
Below given an example for forensic policy:
- Identify digital assets that have value.
- Perform a risk assessment for potential loss and threat to those assets.
- Remove assets that do not warrant the effort of prosecution.
- Identify associated data needed for these assets along with collection and storage needs.
- Write the forensic policy in terms of digital assets, forensic events, data collection and storage.
- Ensure adequate forensics policy enforcement is in place.
- All access to Oracle DB must be monitored.
- Access logs and Administration logs to Oracle DB will be preserved for no less than one year.
- Access and activity to Web server is monitored.
- Apache Web server logs will be preserved for 6 months
- Firewall and Snort logs will be preserved for one year.
- Router logs will be preserved for 6 months.
- Network will be tested every 6 months for congestion situation by overloading it until it begins to drop traffic
- Network capacity will be increased before traffic hits the level where packets will be dropped
Aspire Tech's Cyber Security Solution for Forensic Lab
The Cyber Security Act of 2010 in the United States also illustrates the expansive and dynamic nature of the subject and concerns. Under this umbrella, the agencies reference a number of presidential directives, standards and guidelines to address a range of cybersecurity challenges inducing uniform physical access, disaster recovery and business continuity, intrusion detection and prevention, identity proofing and access, provisioning, dc-provisioning and role based access, secure encrypted communication, Public Key Infrastructure, data loss prevention and encrypted data storage, forensic analysis and advanced pattern matching for network traffic and security awareness training while addressing privacy and legal concerns.
Aspire Tech has been supporting large scale enterprise institutions including critical and defense government organizations with requirements gathering, business and technical analysis, solution design, deployment and operation of each one of these significant areas of concern.
Aspire Tech brings an international view toward its subject matter expertise through extensive experience in USA and Europe. AspireTech along with one other company has supported a critical Cisco sponsored project in Saudi Arabia to address emergency incidence response requirements. The solution addressed both manmade and natural disasters by providing an integrated communication platform for collaboration across division of Saudi Government first responders to include police, firemen and paramedic forces.
Aspire Tech is offering its substantial expertise in this area to the US government with a phased approach for a comprehensive solution to strengthen the protection of its digital and IT asses.
Digital Forencis Tools
We have following Forensic Tools that can help you to gather information and help you to solve your troubles :
- Antivirus Tool
- Antivirus Firewalls
- Data security Tools
- Windows Forensics Tools
- Linux Forensics Tools
- Mac Forensics Tools
- Belkaoft Evidence Center
- Belkasoft Acquisition Tool
- Belkasoft RAM Capturer
Mobile Forensics Tools
Password Recovery Tools
- Pdf, Doc, Ppt, Office Files
- Browser Password Recovery
- System Password Recovery
- Router Password Recovery
- Hardisk Cloning
- External and Internal Cloning Tools
- System Cloning
- Mobile Phone Cloning
- Memory Cards Cloning
- Network Tools
- Security Tools