Jeannine Tyler U02A1 IT4075 – Computer Forensics Steven Helwig January 18, 2009
The investigative process will be handled by the company to which the function of computer forensic investigation is outsourced. Most of the working space will be handled by them, since they are going to take an image of the hard drive and take it with them. The company should, however, have some kind of area for them in case they need to do some of the work at the company site. It doesn't need to be a large space, because hopefully the company won't need this function that often. It does need to be an area clear enough that they can inspect hardware, should there be a need. This area will be equipped with a table and chair in a quiet part of the building where the investigator can place their tools or various hardware. This can also be a place where the investigator can fill out the necessary company forms that document their findings while they are doing the investigation. Forms can be found in the Human Resources department.
Since it is expected that this area will be needed only sporadically rather than on a regular basis, it does not need to be a dedicated office, but it will need to have a door that the investigator can lock, should they need to leave items in the room unattended. The room should also be equipped with a fireproof safe and file cabinet in case a fire happens while the investigator has items in the room. The area will need to have no windows, adequate lighting, and a fire extinguisher. This particular room will need to have a dry sprinkler system with a delay to avoid the possibility of damage to hardware or software. It is also important for the investigator to have a reserved parking space that is close to the overhang of the building. This will ensure not only that no damage comes to the evidence from weather such as rain or wind, but also that there is less chance for the investigator to be attacked in the parking lot while trying to recover evidence.
The company will not provide any tools to the investigator, as the investigation will be outsourced and most of the evidence will be processed on the outsourced company's grounds. The investigator needs to be able to analyze data from a range of operating systems, since the company uses various ones at different locations, and must make sure that they are able to meet the needs of each case. The investigator needs to have a good software suite of tools, like the EnCase tool. This tool can not only create an image of the disk but also access, analyze, and provide information about various programs on the disk and its data. The outsourced company will need a tool for preventing the data from getting overwritten and compromised, such as FastBloc. The EnCase tool can also be used to analyze the data, but various other tools might be needed for viewing or analyzing specific data. DataLifter or Davory can be used to carve data out of unallocated disk space, joining up fragments of data. Password cracking tools such as AccessData Password Recovery Toolkit need to be used in case the evidence lies within an area that cannot be reached due to a password. The company will want reports not only of the results but also of the investigation that the investigator did. FTK, ILook, and X-Ways Forensics are tools that log the investigations that will be conducted. The AccessData Ultimate Toolkit is equipped with a report generator that will create a report of all the data acquired and the analysis that has taken place.