Вы находитесь на странице: 1из 1

DIGITAL FORENSIC

ANALYSIS METHODOLOGY
Last Updated: August 22, 2007

LISTS

Search Leads

PROCESS OVERVIEW
Data Search Leads Comments/Notes/Messages
Generally this involves opening a case file in
the tool of choice and importing forensic
Use this section as
image file. This could also include recreating
needed.
a network environment or database to mimic
the original environment.
Sample Note:
Please notify case agent
Sample Data Search Leads:
when forensic data
2 Identify and extract all email and deleted
OBTAINING & 1 3
CASE- items.
preparation is

FORENSIC PREPARATION FORENSIC Search media for evidence of child


completed.

IMAGING IDENTIFICATION ANALYSIS LEVEL pornography.


REQUEST / EXTRACTION REPORTING Configure and load seized database for
FORENSIC DATA ANALYSIS data mining.
Recover all deleted files and index drive
for review by case agent/forensic
examiner.

Extracted Data
Prepared / Extracted Data Comments/Notes/Messages
Prepared / Extracted Data List is a list of
Use this section as needed.
items that are prepared or extracted to allow
identification of Data pertaining to the
PREPARATION / EXTRACTION IDENTIFICATION ANALYSIS forensic request.
Sample Message:
Numerous files located
in c:\movies directory
Sample Prepared / Extracted Data items:
have .avi extensions but
Start 3
1 Wait for resolution.
2 Start Start Processed hard drive image using Encase
or FTK to allow a case agent to triage the
are actually Excel
spreadsheets.
contents.
Is there Exported registry files and installed
Is there data for analysis/more registry viewer to allow a forensic
No examiner to examine registry entries.
Unprocessed data in the data analysis
No A seized database files is loaded on a
“Prepared/Extracted needed? database server ready for data mining.
Coordinate Data List“?
Does request
with
contain sufficient
No Requester to Yes
information to start
Determine Yes Document this Relevant Data
this process?
next step. Data item and all Relevant Data Comments/Notes/Messages
What relevant relevant meta Who/What Relevant Data List is a list of data that is
Use this section as needed.
relevant to the forensic request. For
type of to the data and Who or what application created, edited, modified, sent, example:
Sample Note:
Yes. item is it. forensic attributes on received, or caused the file to be?
Attachment in
Who is this item linked to and identified with? If the forensic request is finding
request “Relevant Data information relating credit card fraud, any
Outlook.pst>message05
has a virus in it. Make
Setup and validate forensic List”. credit card number, image of credit card,
sure an anti-virus
Where emails discussing making credit card, web
software is installed
hardware and software; Integrity cache that shows the date, time and
Return Where was it found? Where did it come from? search term used to find credit card
before exporting and
create system configuration not OK Does it show where relevant events took place? If item or discovered If new “Data opening it.
package to number program, Etc are Relevant Data as
Identified and recovered
as needed. Incriminating If item can information can Search Leads” evidence. In addition, Victim information
Requester. retrieved is also Relevant Data for purpose
12 emails detailing plan
Information generate new When generate new generated, Start of victim notification.
to commit crime.
If new “Data “Data Search
outside “Data Search When was it created, accessed, modified, received, sent, “PREPARATION /
Search Lead” Leads”, document
scope Leads”, document
viewed, deleted, and launched?
EXTRACTION”.
Duplicate and verify is generated, Start Does it show when relevant events took place? new leads to
of the new leads to
integrity of “PREPARATION / Time Analysis: What else happened on the system at
“Data Search Lead
warrant “Data Search same time? Were registry keys modified?
“Forensic Data”? EXTRACTION”. List”. New Data Source Leads
Lead List”. New Source of Data Leads Comments/Notes/Messages
Integrity OK How This is self explanatory. Use
New Source of Data Lead List is a list of data
How did it originate on the media? this section as needed.
Data NOT How was it created, transmitted, modified and used?
that should be obtained to corroborate or
further investigative efforts.
relevant Does it show how relevant events occurred? Sample Notes:
Organize / Refine If item or discovered If “New Source of During forensic analysis of
to forensic Sample New Source of Data Leads:
subject John Doe’s hard
forensic request and information can generate Data Lead”
request Associated Artifacts and Metadata If item or discovered If “New Source Email address: Jdoe@email.com.
drive image on credit card
select forensic tools. “New Source of Data”, generated, Start Server logs from FTP server.
fraud, a email message
document new lead on “OBTAINING &
Registry entries. information can generate of Data Lead” Subscriber information for an IP address.
revealed that Jane Doe
Application/system logs. asks John Doe for payment
Stop! “New Source of Data IMAGING “New Source of Data”, generated, Start Transaction logs from server.
on credit card printing
Notify Lead List”. FORENSIC DATA“. document new lead on “OBTAINING & machine.
Yes Other Connections “New Source of Data IMAGING
Extract data requested appropriate Do the above artifacts and metadata suggest links to any
personnel; wait Lead List”. FORENSIC DATA”.
other items or events?
Add Extracted data to Is there for instruction What other correlating or corroborating information is
“Prepared /Extracted more “Data Consider there about the item? Analysis Results
Search Lead” for What did the user do with the item?
Data List”. Advising Analysis Results Comments/Notes/Messages
processing? Requester of Analysis Result List is a list of meaningful Use this section as needed
initial findings Identify any other information that is data that answers the who, what, when,
relevant to the forensic request. Mark “Relevant
where and how questions in satisfying the
forensic request.
Sample Notes:
1. 10.dat, message5.eml
No Data” item and stegano.exe show that
Sample Analysis Results: John Doe used
Mark “Data Search Lead” Use timeline and/or other methods to processed on Start 1. \Windows\$NtUninstallKB887472$\ steganography tool to
processed on “Data Mark item processed on If there is data for document findings on “Analysis Results “Relevant Data “FORENSIC 10.dat hides a ten dollar image in

Search Lead List”. Start “Prepared/Extracted analysis, Start List”. List”. REPORTING” to
\data\sentbox.dbx\message5.eml 10.dat at 11:03 PM 01/05/
\Special Tools\stegano.exe 03 and emailed it to Jane
“IDENTIFICATION”. Data List“. “ANALYSIS” Document Findings. Doe at 11:10 PM 01/05/03.
Modified and emailed img to ...

1/4/03 1/5/03
Return On Investment (Determine when to stop this process. Typically, after enough evidence is obtained for prosecution, the value of additional forensic analysis diminishes.)
01000100010011110100101000100000010000110100001101001001010100000101001100100000010011110111011001101001011001010010000001000011011000010111001001110010011011110110110001101100001000000110000101101110011001000010000001010100011010000110111101101101011000010111001100100000010100110110111101101110011001110010000001000100010011110100101000100000010000110100001101001001010100000101001100100000
Department of Justice (DOJ)
Computer Crime and intellectual Property Section (CCIPS)
Cybercrime Lab
http://www.cybercrime.gov
(202) 514-1026