Schneier on Security
A blog covering security and security technology.
May 30, 2008
Electronic Crime Scene Investigation Handbook
Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition, National Institute of Justice, U.S. Department of Justice, April 2008.
Mostly basic stuff.
Posted on May 30, 2008 at 11:01 AM
• 17 Comments
Makes you wonder how smart they think "first responders" are.
On another note: What do you do when all your computers are taken away? Do you get replacements?
"Photos used in this document are taken from public Web sites"
So, copyright's OK so long as it's a "public Web site" then. That's a nice useful simplification 8-)
"Types of computers" on page 2 is good for a laugh.
The intent is good, but it reminds me of how far from real "recognition models" we have come.
Those were the good old days:
Good thing they included a visual differentiation of "SCSI HD 68-pin" and "SCSI IDC 50-pin" hard drives.
I know if I were a first responder, I'd wonder if a "SCSI IDC 50-pin" hard drive was of interest, or if only the 68-pin drives mattered for forensic evidence.
The thing phones home to http://www.ojp.usdoj.gov/nij every time it is opened. I guess they want to make sure no shady characters download it.
After all, this was made for the real criminals, the ones that feel they have the right to any computer they can get their hands on, regardless of who the owner is.
I've amassed a considerable amount of anti-forensics knowledge over the years. When I get the time, I'm going to tear these guys apart with my own publications on how to make any forensic investigation grind to a halt.
Just something to look forward to.
It's about time something like this was formalized.
The question now is: how many will actually follow it?
I just wanted to add a correction. It doesn't phone home. My butterfingers probably accidentally clicked the link on the first page.
I like the little table (with the checkmarks) in the old version. It's a nice basic list on how to cover your bases. I should include something like that in my publications.
Wrong wrong wrong: "It seems that the phone home feature was time limited and it doesn't do that any more. Whether this means that the DOJ has backdoors in all common operating systems or just a way of adding secret scripts to PDF documents is unknown at this time." Enough of this admitting to honest mistakes.
You lost me. What are you talking about?
Their "Network storage device" looks IDENTICAL to the external SCSI enclosure I have next to my desk at work.
"In the following situations, immediate disconnection of power is recommended:
■ Information or activity onscreen indicates that data is being deleted or overwritten."
So all I need is a fake data shredder window running constantly. When they rush to turn the computer off, all the encrypted drives are closed. I can't see how that helps...
Darkstar, you are correct. If there is a risk that open encrypted volumes of interest would close on power loss, it is preferable to employ a live forensic tool and not to cut the power. Yes, that's a very tough call for a first responder to make. Then again, LE also has the option of arresting the perp and requesting/coercing the password.
So let's see: hack from your iPhone or your Xbox 360 and they will not know it's a hacking device... hmm. (-:
One question - why would they want communications devices (cell phones) found at the scene to stop receiving calls and text messages? Seems that may actually help the investigation. In fact during one of our investigations we were able to track an outgoing call (into a VPN device) as evidence against the perpetrator.
Overall, a first-responder handbook probably would be more useful if it included clips of CSI and 24. Visual lessons may be more easily recalled during an actual incident.
You want to put any mobile communications device in a Faraday bag immediately. The possibility for remote deletion of data is there, and is of definite concern (this is a standard feature of enterprise iPhone deployment, afaik). If access to future text messages is really useful, one would assume the appropriate warrant presented to the cellphone carrier would precipitate the needed access.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.