Starting a forensic investigation – what to know?

When you are handed a hard drive or a laptop and management tells you to produce a forensic final report on it, what are some things that you need to know before you begin? If it’s for a legal case, are there questions you should ask before you get your hands dirty? Perhaps whether you’re allowed to know specific details, or whether they want you kept in the dark so that you don’t find evidence, for the sake of finishing faster and making everyone happy?

I put this out there for open discussion, because sometimes we are given nothing and expected to figure everything out immediately.

3 responses to “Starting a forensic investigation – what to know?”

  1. Mark says:

    If you are being handed a hard drive or a laptop by “management”, and told that the data will be used for legal purposes, you are likely already behind as it will be difficult to prove where the drive/computer came from and also have a difficult time proving that no one could have modified/tampered with the data.

    Best bet is to forget the technical side of the investigation, and focus on the chain of evidence issues first. There is no point spending time/money carving deleted emails from slack space if the judge just throws it out!

    Here is a link that provides some basic information regarding the process – http://all.net/ForensicsPapers/HandbookOfCIS.pdf

  2. Jay says:

    “Sometimes”, that’s classic, because almost 90% of the time the person handing you the drive says that it’s been compromised, with no other details to follow. If the analysis is only being done for malware purposes then the chain-of-custody doesn’t matter; however, if they think they’ll be able to prosecute over the mishandled drive then they are out of their minds. Thanks for the post Mark!
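Mark and Jay both make the point that when the results may end up in court, proving the image and its custody record were not tampered with matters more than any carving. As an added example (not code from the post or from either commenter), here is a minimal Python chain-of-custody log: the acquisition hash of the image anchors a hash chain of custody entries, so a modified working copy and an edited or deleted log entry are both detectable on verification. The item id, names and timestamps are constructed sample values.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, used for both the image and the log entries."""
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Append-only chain-of-custody log for one evidence item.
    Each entry embeds the hash of the previous entry (the first embeds the
    acquisition hash), so editing any entry after the fact breaks the chain."""

    def __init__(self, item_id: str, acquisition_hash: str) -> None:
        self.item_id = item_id
        self.acquisition_hash = acquisition_hash
        self.entries: list[dict] = []

    def record(self, actor: str, action: str, when: str) -> str:
        """Append a custody event (ISO-8601 UTC timestamp) and return its hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.acquisition_hash
        body = {"item_id": self.item_id, "actor": actor, "action": action,
                "when": when, "prev": prev}
        entry_hash = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.entries.append({**body, "entry_hash": entry_hash})
        return entry_hash

    def verify_chain(self) -> bool:
        """Recompute every entry hash and confirm each links to its predecessor."""
        prev = self.acquisition_hash
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if body["prev"] != prev or recomputed != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

def image_matches_log(image: bytes, log: CustodyLog) -> bool:
    """True while the working copy still hashes to the recorded acquisition hash."""
    return sha256_hex(image) == log.acquisition_hash

# Constructed sample: a stand-in for a disk image plus a three-step custody history.
SAMPLE_IMAGE = b"constructed-disk-image-bytes"
SAMPLE_LOG = CustodyLog("HDD-001", sha256_hex(SAMPLE_IMAGE))
SAMPLE_LOG.record("A. Examiner", "imaged drive through write blocker", "2024-01-08T09:00:00Z")
SAMPLE_LOG.record("A. Examiner", "sealed original in evidence bag", "2024-01-08T09:30:00Z")
SAMPLE_LOG.record("B. Custodian", "received sealed original", "2024-01-08T10:00:00Z")
```

In practice the acquisition hash is computed from the bit-for-bit image taken through a write blocker and the signed paper or electronic log is kept with the sealed original; this structure only makes later silent edits visible, it does not replace the signatures and witnesses a court expects.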
