geschonneck.com » Guidelines

Oracle Database Forensics

Alexander Geschonneck — Tue, 14 Aug 2007 08:16:28 +0000

David Litchfield from NGSSoftware published some new material about Oracle Database Forensics. You can download his whitepaper and the Black Hat slides here.

Good Practice Guide for Computer-Based Electronic Evidence

Alexander Geschonneck — Tue, 31 Jul 2007 10:25:56 +0000

The english Association of Chief Police Officers (ACPO) has released a new guide to collecting electronic evidence. The Good Practice Guide for Computer-Based Electronic Evidence has been revised by experts.

The guidelines relate to:

Personnel attending crime scenes or making initial contact with a victim/witness/suspect
Investigators
Evidence recovery staff
External consulting witnesses

The Good Practice Guide contains the following chapters:

Introduction
The principles of computer-based electronic evidence
Overview of computer-based electronic investigations
Crime scenes
Home networks & wireless technology
Network forensics & volatile data
Investigating personnel
Evidence recovery
Welfare in the workplace
Control of paedophile images
External consulting witnesses & forensic contractors
Disclosure
Retrieval of video & CCTV evidence
Guide for mobile phone seizure & examination
Initial contact with victims: suggested questions
Glossary and explanation of terms
Legislation
Local Hi-Tech Crime Units

You can download the Good Practice Guide for Computer-Based Electronic Evidence here.

Fundamental Computer Investigation Guide For Windows

Alexander Geschonneck — Mon, 29 Jan 2007 23:11:34 +0000

Microsoft published their “Fundamental Computer Investigation Guide For Windows”. The paper discusses processes and tools for use in internal computer investigations for windows systems.

You can find the guide here.

The table of content of the document:

Overview.. 1

Computer Investigation Model 1
Initial Decision-Making Process. 2
Chapter Summary. 3
Audience. 3
Caveats and Disclaimers. 3
References and Credits. 4
Style Conventions. 4
Support and Feedback. 4

Chapter 1: Assess the Situation. 5

Notify Decision Makers and Acquire Authorization. 5
Review Policies and Laws. 6
Identify Investigation Team Members. 7
Conduct a Thorough Assessment 7
Prepare for Evidence Acquisition. 9

Chapter 2: Acquire the Data. 11

Build a Computer Investigation Toolkit 11
Collect the Data. 11
Store and Archive. 13

Chapter 3: Analyze the Data. 15

Analyze Network Data. 15
Analyze Host Data. 16
Analyze Storage Media. 16

Chapter 4: Report the Investigation. 19

Gather and Organize Information. 19
Write the Report 20

Chapter 5: Applied Scenario Example. 23

Scenario. 23
Assess the Situation. 24
Acquire Evidence of Confidential Data Access. 25
Remote Evidence Collection. 28
Local Evidence Collection. 30
Analyze Collected Evidence. 33
Report the Evidence. 36
Applied Scenario Lab Configuration. 37
- Deploy Computers and Create Domain. 37
- Create Users and Groups. 37
- Create Folders and Files. 38
- Assign Sharing and Permissions. 39
- Configure Auditing. 39

Appendix: Resources. 41

Preparing Your Organization for a Computer Investigation. 41
Worksheets and Samples. 42
Reporting Computer-Related Crimes. 42
- Local Law Enforcement Agencies. 43
Training. 45
Tools. 45
- Windows Sysinternals Tools. 46
- Windows Tools. 49

Acknowledgments. 53

Index. 55

NIST Draft on Cell Phone Forensics

Alexander Geschonneck — Wed, 06 Sep 2006 06:20:14 +0000

NIST recently published a new draft on Cell Phone Forensics for public comment.
Download here.