Friday, December 18, 2020

Procedures for proper Digital Forensic Research.


First, use a computer system dedicated to the recovery work, not an everyday computer. After each piece of research, wipe the computer with Eraser or Minitool using a low-level destruction algorithm (DoD-compliant).

Next, sandbox (air-gap) the computer from any network or internet connection.

Depending on the device, I use Autopsy with plug-ins from Video Triage and the LEO Version of BIN Recovery, and a few others. I copy them to a USB drive and install them on the newly reloaded computer.

Judging from the data or the type of device I have to analyze, I create an image of it or a backup of that data.

Then I run all plug-ins in Autopsy; the ones I pay most attention to are Keyword Search, Deleted Files, Video Triage, Image Processor, and the Law Enforcement plug-in.

Depending on the case, I would also suggest getting a copy of Recuva to process recovered files.

Autopsy also provides good reporting tools covering metadata such as times and locations, and you can generate a detailed report narrowed down to a single day, month, or time.

Then I run the reporting tools, finalize the case, move all information to an external drive, and encrypt it to be handed over to the customer.
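The imaging step above is where the evidence is most easily spoiled: a copy that was never hashed against its source cannot later be shown to be faithful. The script below is an added example written for this post, not the author's own tooling; it images a source (a raw device behind a write blocker on a real case, a constructed sample file here) with dd, records SHA-256 hashes of source and image in an acquisition log, and refuses to report success unless the two match. The paths, the log format and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the author's script: acquire an image of a source
# (device or file) and verify it by hash before loading it into Autopsy.
# Paths and the log layout are assumptions for illustration only.
set -eu

# Print the SHA-256 of a file (GNU coreutils, with a BSD fallback).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Image $1 to $2, appending hashes and timestamps to the log $3.
# Returns 0 only if the image hash matches the source hash.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    {
        printf 'start=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'source=%s\n' "$src"
    } >>"$log"
    # Hash the source first, so the log records what was seen before copying.
    src_hash=$(hash_file "$src")
    printf 'source_sha256=%s\n' "$src_hash" >>"$log"
    # Bit-for-bit copy. Plain dd stops on a read error, which is deliberate:
    # a drive with bad sectors should go to dc3dd/ddrescue, not produce an
    # image with silent gaps. dd's own statistics go into the log as well.
    dd if="$src" of="$img" bs=1048576 2>>"$log"
    img_hash=$(hash_file "$img")
    printf 'image_sha256=%s\n' "$img_hash" >>"$log"
    printf 'end=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$log"
    if [ "$src_hash" = "$img_hash" ]; then
        printf 'verified=yes\n' >>"$log"
        return 0
    fi
    printf 'verified=NO\n' >>"$log"
    return 1
}

# Re-verify an existing image against the hash recorded in its log,
# e.g. before handing the external drive to the customer.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep '^image_sha256=' "$log" | tail -n 1 | cut -d= -f2)
    if [ -n "$recorded" ] && [ "$(hash_file "$img")" = "$recorded" ]; then
        return 0
    fi
    return 1
}

# Stand-alone demo on a constructed sample "device" (a small file standing
# in for something like /dev/sdb); on a real case point src at the raw device.
work=$(mktemp -d)
printf 'constructed sample data standing in for a seized drive\n' >"$work/evidence.bin"
if acquire_image "$work/evidence.bin" "$work/evidence.dd" "$work/acquisition.log"; then
    echo "image verified; log at $work/acquisition.log"
else
    echo "HASH MISMATCH: do not analyze $work/evidence.dd" >&2
fi
```

Load the verified .dd file into Autopsy as the data source rather than the original device, and keep the acquisition log with the case so the hash can be re-checked with verify_image at hand-over. Hashing the source and the image separately costs one extra read of the drive; tools such as dc3dd do both in a single pass, but the check is the same.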