In part one of the Sniper Forensics post we discussed the history of forensic methodology specifically focusing on Occam’s Razor, Locard’s Exchange Principle, and The Alexiou Principle. In part two, we will move from theory into action in Target Acquisition.
Before we start to put anything in our cross hairs, we first need to establish our investigation plan. A clear and concise plan will give you the direction in which to start the investigation, as well as the success indicators you will need to determine when you have found whatever it is that you are looking for.
This is arguably the most critical step in the entire investigation, so take it seriously and really put some thought into developing your plan. You cannot simply load your forensic images into a tool like EnCase or FTK and click the “Find All Evidence” button. It doesn’t work like that. Your tools, however many you have, are nothing more than things that do stuff (very technical, I know). The key is knowing what you want to do, knowing which tool does that thing the best, knowing how to use that tool, and knowing what the output means. Don’t forget, you will also have to explain what you just did, and why, to a third party. Remember, people take the stand…not tools! Knowing how to use EnCase or FTK no more makes you a forensic investigator than knowing how to use MS Word makes you Stephen King.
Here is a great example to illustrate the point I am making. One day, I was headed out with my wife and two children. When I pressed the button to open my garage door, one of the rollers got stuck in the track and the entire thing came crashing down on our car. Now, for those of you that don’t know, I used to be a US Army Warrant Officer…so I have a garage full of tools, all mounted on a pegboard, dress right dress, with white tape outlines. I looked at my tools…looked at a garage door in a heap on my car, and realized I had no idea how to fix this thing.
I called a repairman, who showed up with a hammer and a flat tip screwdriver. I was thinking, “c’mon dood…you need more than that!” Instead, I politely asked him if he needed anything. He reassured me that he did not, and that if I gave him about ten minutes, he would have my garage door repaired. Skeptical, I went back into the house, played Wii with my kids for about ten minutes, and went back outside to find my garage door completely fixed and working again.
The takeaway here is simple…know how to use your tools effectively! It’s far better to have fewer tools and know how to use them than it is to have a tool box bursting with tools you have no idea how to use.
The first tool we will use is Case Notes. Case Notes is a free tool provided by QCC Information Security (http://www.qccis.com/forensic-tools) that is absolutely essential for any forensic investigator. It allows customizable tabs, timestamps your entries, and even has an encryption option if you want or need to encrypt and password protect your notes. By default the tool uses the term “Case Notes” for your main panel. I use the custom tab option to set four additional tabs titled “Exhibit List”, “Dirty Words”, “Questions”, and “Investigation Plan” (but you can use whatever terms you are comfortable with). Once you set your case specific information, move to the Investigation Plan tab and record what you have been hired to do. What is the “incident”? What are the expectations placed on you by the customer? What actions do you need to take to meet those expectations? Note that this is a fluid process. As your investigation leads you in and out of various theories, make sure to record the associated questions under your “Questions” tab, as well as the answers the data provides. This may seem like a lot of work up front, but it is a proven methodology and has worked effectively for us on more than 400 cases.
The next step is to set up your forensic workstation. Create a directory for the case, and four directories (for the purposes of this example, we will use the customer name Acme):
Within these directories, create a separate directory for each system involved in the incident (for the purposes of this example, we will use the hostnames “Bugs”, “Daffy”, and “Elmer”).
The final step in preparing our workstation is to extract the following files from each image:
C:\Documents and Settings\\NTUSER.DAT ← Repeat for all users
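As an added example (not the post’s own tooling), here is a small collection script for the extraction step: it pulls NTUSER.DAT from every user profile in a mounted image into the per-host case directory, verifies each copy by hash, and writes a manifest you can paste into the Exhibit List. It assumes each image is already mounted read-only; the “extracted” subdirectory, the manifest file name and the sample hive bytes in demo() are my own assumptions.

```python
# Added example (not the post's own tooling): pull NTUSER.DAT from every user
# profile in a mounted image into the per-host case directory, with hashes.
import hashlib
import shutil
import tempfile
from pathlib import Path
PROFILE_ROOT = Path("Documents and Settings")   # XP/2003 profile layout from the post
HIVE_NAME = "NTUSER.DAT"

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_user_hives(mount_root: Path) -> list[Path]:
    # Every <user>\NTUSER.DAT; profiles without a hive (e.g. 'All Users') are skipped.
    base = mount_root / PROFILE_ROOT
    if not base.is_dir():
        return []
    return sorted(p / HIVE_NAME for p in base.iterdir() if (p / HIVE_NAME).is_file())

def collect_hives(mount_root: Path, case_root: Path, host: str) -> list[tuple[str, str]]:
    """Copy each hive to <case>/<host>/extracted/<user>_NTUSER.DAT (assumed layout),
    verify the copy by hash, write a manifest, and return (user, sha256) pairs."""
    dest_dir = case_root / host / "extracted"
    dest_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for hive in find_user_hives(mount_root):
        user = hive.parent.name
        dest = dest_dir / f"{user}_{HIVE_NAME}"
        shutil.copy2(hive, dest)            # copy2 preserves the source timestamps
        digest = sha256_of(dest)
        if digest != sha256_of(hive):       # never log an exhibit you did not verify
            raise RuntimeError(f"hash mismatch while copying {hive}")
        manifest.append((user, digest))
    with (case_root / host / "manifest.txt").open("w") as f:
        f.writelines(f"{digest}  {user}_{HIVE_NAME}\n" for user, digest in manifest)
    return manifest

def demo() -> list[tuple[str, str]]:
    """Run against a constructed stand-in for the 'Bugs' image (fake hive bytes)."""
    tmp = Path(tempfile.mkdtemp())
    for user, data in (("Administrator", b"abc"), ("jdoe", b"regf")):
        (tmp / "image" / PROFILE_ROOT / user).mkdir(parents=True)
        (tmp / "image" / PROFILE_ROOT / user / HIVE_NAME).write_bytes(data)
    (tmp / "image" / PROFILE_ROOT / "All Users").mkdir()   # no hive: must be skipped
    return collect_hives(tmp / "image", tmp / "Acme", "Bugs")
```

Point collect_hives() at each mounted image in turn (Bugs, Daffy, Elmer) and the manifest lines give you the hash you record next to each exhibit in Case Notes.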
Now that your forensic workstation has been set up, you are ready to start “Sniping”! In part three of this series, I will cover the “trigger squeeze” of Sniper Forensics…actually DOING the work!
Don’t miss it!