Friday, December 7, 2012

Best Practices for Computer Forensics in the Field

Introduction

Computer forensic examiners are responsible for technical acuity, knowledge of the law, and objectivity in the course of investigations. Success rests on verifiable and repeatable results that can be reported as direct evidence of suspected wrongdoing or of exoneration. This article sets out a series of best practices for the computer forensics practitioner working in the field, drawn from what has repeatedly proven defensible. Best practices are meant to capture processes that have been shown to work again and again. This is not a cookbook: the practices should be reviewed and applied according to the specific needs of the organization, the case and the case setting.

Job Knowledge

An examiner can only be so well informed when walking into a field setting. In many cases the client or the client's representative will provide some information about how many systems are in question, their specifications and their current state, and just as often that information is critically wrong. This is especially true of hard drive sizes, how a laptop opens, whether passwords can be recovered, and which drive interfaces are present. A seizure that brings the equipment back to the lab should always be the preferred option, because it provides maximum flexibility. If you must acquire onsite, create a comprehensive working list of the information to be collected before you hit the field. The list should consist of small steps with a checkbox for each. The examiner should always know the next step and never have to "think on their feet."

Overestimate

Overestimate effort: allow at least twice the time you think you will need to complete the job. This includes accessing the device, starting the forensic acquisition with the proper write-blocking strategy, filling out the paperwork and chain of custody documentation, copying the acquired files to another device, and restoring the hardware to its initial state. Keep in mind that you may need service manuals to take apart small devices and reach the drive, which makes both the acquisition and the hardware restoration harder. Live by Murphy's Law: something will always challenge you and take more time than anticipated, even if you have done it many times.

Inventory Equipment

Most examiners have enough variety of equipment that they can perform forensically sound acquisitions in several ways. Decide ahead of time how you would ideally like to carry out the site acquisition. All of us will see equipment fail or some incompatibility become a show-stopper at the most critical moment. Consider carrying two write blockers and an extra mass storage drive, wiped and ready. Between jobs, verify your equipment with a hashing exercise: image a known test drive through each write blocker, confirm that the image hash matches the known hash of the test drive, and confirm that the test drive's hash is unchanged afterwards, which shows that the blocker both passes data correctly and blocks writes. Double-check and inventory all of your kit against a checklist before taking off.

Flexible Acquisition

Instead of making "best guesses" about the exact size of the client's hard drive, bring large mass storage devices and, if space is an issue, use an acquisition format that compresses the data. After collecting the data, copy it to a second location and verify that the copy's hash matches the original image. Many examiners limit themselves to the traditional acquisition: the machine is opened, the drive removed, placed behind a write blocker and acquired. Linux offers other methods. Booted from a CD or USB device, a forensic Linux distribution lets the examiner make a raw copy of the internal drive without altering it, provided the distribution is configured not to automount the suspect's partitions or use them as swap; an ordinary desktop live CD does not guarantee this. Be familiar enough with the process to know how to collect hash values and the other logs that document the acquisition. Live acquisition is discussed below. Leave the original drive with the attorney or the client and take the verified image back to your lab for analysis.
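The raw-copy-and-hash routine described above, written out as an added example; this script is not from the original article and is not any particular tool's code. It assumes a forensic Linux boot with POSIX sh, dd, md5sum and sha256sum, a source device that is already behind a write blocker (or a regular file standing in for one, which is how it can be exercised without a disk), and it records both hashes with a UTC timestamp so the log can travel with the chain of custody form. The device path, image path and case number in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal field acquisition
# routine that hashes the source, makes a raw bitstream copy, hashes the copy
# and writes everything to a log that travels with the chain-of-custody form.
# Assumed environment: a forensic Linux boot with POSIX sh, dd, md5sum and
# sha256sum; the source is behind a write blocker or otherwise never mounted
# or swapped to. The source may also be a regular file, which is how this
# can be tried without a real disk.

hash_md5()    { md5sum "$1"    | cut -d' ' -f1; }
hash_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# acquire SOURCE IMAGE LOG
# Returns 0 only if both image hashes match the source hashes.
acquire() {
    src=$1; img=$2; log=$3

    # Hash the source first, reading it through the write blocker.
    src_md5=$(hash_md5 "$src")
    src_sha=$(hash_sha256 "$src")

    # Sector-sized blocks with conv=noerror,sync: an unreadable sector is
    # zero-filled and the copy continues, so the image keeps the same length
    # as the source instead of silently shortening. Larger blocks are faster
    # but pad a failed block out to the whole block size.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1

    img_md5=$(hash_md5 "$img")
    img_sha=$(hash_sha256 "$img")

    {
        printf 'source=%s\nimage=%s\n' "$src" "$img"
        printf 'acquired_utc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'src_md5=%s\nimg_md5=%s\n' "$src_md5" "$img_md5"
        printf 'src_sha256=%s\nimg_sha256=%s\n' "$src_sha" "$img_sha"
    } >>"$log"

    # Two independent algorithms: MD5 because older tools and opposing experts
    # expect it, SHA-256 because MD5 collisions are practical.
    [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]
}

# verify_image IMAGE LOG
# Re-hashes a copy (for example after it has travelled to the lab) against
# the SHA-256 recorded at acquisition time. Returns 1 on any mismatch or if
# the log carries no hash.
verify_image() {
    recorded=$(sed -n 's/^img_sha256=//p' "$2" | tail -n 1)
    [ -n "$recorded" ] || return 1
    [ "$(hash_sha256 "$1")" = "$recorded" ]
}

# Usage on a job (device name, paths and case number are placeholders):
#   sh acquire.sh /dev/sdb /mnt/evidence/case42-sdb.dd /mnt/evidence/case42-sdb.log
if [ "$#" -eq 3 ]; then
    if acquire "$1" "$2" "$3"; then
        echo "acquired and verified: $2"
    else
        echo "VERIFY FAILED: see $3"
        exit 1
    fi
fi
```

The log lines are deliberately one key per line so that `verify_image` (or a later examiner) can pull a recorded hash out with `sed` rather than by eye; a mismatch after transport means the copy, not the original, is what changed, and the original hashes in the same log prove it.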

Pull the Plug

Heated discussion occurs about what to do when you encounter a running machine. Two clear choices exist: pull the plug, or perform a clean shutdown (assuming you can log in). Most examiners pull the plug, and this is the best way to prevent any malicious process from continuing to delete or wipe data, or a shutdown script from doing similar damage. It also preserves the swap file, hibernation file and other system state exactly as the machine was last running. Pulling the plug can, however, leave open files in an inconsistent state, making some of them unavailable to examination or to the user. On a laptop, pulling the plug means removing the battery as well. Keep in mind what is lost either way: the contents of memory, including any full-disk encryption keys and network state, disappear with power, so if that material matters to the case, consider capturing memory or at least documenting the unlocked state before taking the machine down. Businesses sometimes prefer a clean shutdown and should be given the choice after the impact has been explained to them. It is critical to document exactly how and when the machine was brought down, because this will be essential knowledge during analysis.

Live Acquisitions

Another option is a live acquisition. Some define "live" as acquiring a running machine as it is found; for the purposes of this article, it means the machine itself is running during the acquisition by some means. One method is to boot the machine into a customized Linux environment that includes enough support to image the hard drive (often among other forensic capabilities) but is configured never to write to the host's disks: no automounting, no swap on the internal drive, nothing mounted read-write. Other tools run from removable media inside the suspect's own running Windows session, some of them launched through Windows autorun, to collect volatile data for incident response; these change the state of the system they examine, and every such change must be documented. All of these require solid Linux knowledge and computer forensics experience. This kind of acquisition is ideal when, for reasons of time or complexity, disassembling the machine is not a reasonable option, and acquiring from the running system is the only option when the drive holds a full-disk-encrypted volume that is unlocked only while the system runs.

The Fundamentals

A surprisingly common oversight is neglecting to boot the device once the hard disk has been removed from it. Checking the BIOS is critical to a fully validated analysis: the date and time reported by the BIOS must be recorded and compared against actual time, especially when time zones are an issue, because every file timestamp on the drive will be interpreted against it. A rich variety of other information is available depending on which manufacturer wrote the BIOS. Remember also that a drive can hide part of its capacity behind a Host Protected Area (HPA) or a Device Configuration Overlay (DCO), and your acquisition tool must be able to detect these and make a full bitstream copy that accounts for them; an image whose size matches only the visible capacity is not a full copy. Another key for the examiner is to understand how the hashing mechanism works: some hash algorithms may be preferable to others not for their cryptographic soundness but for how they are perceived in a courtroom. MD5 is still widely expected even though collisions can be manufactured, so record both MD5 and a SHA-2 hash of every image and be prepared to explain why matching values on both are meaningful.
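A check for a Host Protected Area, as an added example that is not from the original article. On a Linux boot the numbers come from `hdparm -N /dev/sdX`; the two replies below are constructed samples in the format that command prints (the exact text is an assumption about hdparm's output, so confirm it against the version in your kit), and the 512-byte logical sector size used in the demonstration is likewise an assumption to be confirmed against the drive. The functions compare the visible sector count with the native maximum and check whether an image's length matches the native capacity rather than the visible one.

```shell
#!/bin/sh
# Added example (not from the original article): detect a Host Protected Area
# before trusting an image as a full bitstream copy. Input is the text that
# `hdparm -N /dev/sdX` prints on a Linux boot; the two samples below are
# constructed and assume the line shape " max sectors = VISIBLE/NATIVE, ...".
# The logical sector size is passed explicitly (512 assumed here) because
# 4Kn drives exist.

# Constructed sample replies: a clean drive and one with an HPA set.
SAMPLE_NO_HPA='/dev/sda:
 max sectors   = 976773168/976773168, HPA is disabled'
SAMPLE_HPA='/dev/sdb:
 max sectors   = 976000000/976773168, HPA is enabled'

# parse_max_sectors "<hdparm -N output>" -> "VISIBLE NATIVE" on stdout,
# nothing if the reply does not carry a max sectors line.
parse_max_sectors() {
    printf '%s\n' "$1" |
        sed -n 's/.*max sectors *= *\([0-9][0-9]*\)\/\([0-9][0-9]*\).*/\1 \2/p'
}

# hpa_present "<hdparm -N output>" -> 0 when fewer sectors are visible than
# the drive's native maximum, i.e. an HPA hides the tail of the disk.
hpa_present() {
    set -- $(parse_max_sectors "$1")
    [ -n "$2" ] && [ "$1" -lt "$2" ]
}

# expected_image_bytes NATIVE_SECTORS SECTOR_SIZE
expected_image_bytes() { echo $(( $1 * $2 )); }

# image_is_full IMAGE NATIVE_SECTORS SECTOR_SIZE -> 0 if the image length
# equals what the native max address says the drive holds.
image_is_full() {
    [ "$(wc -c <"$1" | tr -d ' ')" -eq "$(expected_image_bytes "$2" "$3")" ]
}

# check_drive "<hdparm -N output>" IMAGE SECTOR_SIZE
# Prints one finding per line for the acquisition notes; returns 1 when the
# image cannot be the full drive or the reply could not be parsed.
check_drive() {
    counts=$(parse_max_sectors "$1")
    if [ -z "$counts" ]; then
        echo "could not parse hdparm -N reply; record the raw output and investigate"
        return 1
    fi
    visible=${counts% *}
    native=${counts#* }
    if [ "$visible" -lt "$native" ]; then
        echo "HPA present: $visible of $native sectors visible"
    else
        echo "no HPA: $native sectors visible"
    fi
    if image_is_full "$2" "$native" "$3"; then
        echo "image covers native max of $native sectors"
    else
        echo "image is $(wc -c <"$2" | tr -d ' ') bytes, expected $(expected_image_bytes "$native" "$3")"
        return 1
    fi
}
```

Removing an HPA with `hdparm -N` so that the hidden sectors can be read is a configuration change to the evidence drive and must be documented if it is done at all; a DCO (read with `hdparm --dco-identify`) is a separate mechanism that this check does not see, so a drive that passes here can still be smaller than its platters.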

Store Securely

Acquired images should be stored in a protected, static-safe environment. Examiners should have access to a locked safe in a locked office. Drives should be stored in antistatic bags and cushioned with antistatic packing material or the original shipping material. Each drive should be tagged with the client name, the attorney's office and the evidence number. Some examiners photocopy the drive label, if a copier is available during the acquisition, and file the copy with the case paperwork; a photograph of the label and serial number serves the same purpose. At the end of the day, each drive should link to a chain of custody document, a job, and an evidence number.

Establish a Policy

Many clients and attorneys will push for an immediate acquisition of the computer and then sit on the evidence for months. Make clear to the attorney how long you are willing to keep the evidence at your lab, and charge a storage fee for critical or large-scale jobs. You may be holding critical evidence in a criminal or civil action, and while from a marketing perspective it may seem like a good idea to keep a copy of the drive, it may be better for the case to return all copies to the attorney or client with the appropriate chain of custody documentation.

Conclusion

Computer forensic examiners have many choices about how they will carry out an onsite acquisition. At the same time, the onsite acquisition is the most volatile environment the examiner works in. Tools may fail, time constraints can be severe, observers may add pressure, and suspects may be present. Examiners need to take seriously the maintenance of their tools and the ongoing development of their knowledge so that they know the best technique for every situation. Using the best practices set out here, the examiner should be prepared for almost any situation they may face and able to set reasonable goals and expectations for the effort in question.