Digital Investigation

Live Analysis

When the operating system or other resources of the system being investigated are used to find evidence.

  • advantages: access to volatile data, e.g. the RAM of a running process.

  • disadvantages: risk of obtaining false information, because software on the compromised system could maliciously hide or falsify data.

Post-mortem analysis

When trusted applications in a trusted operating system are used to find evidence (lab environment).

  • advantages: fully controlled environment.

  • disadvantages: information held in RAM is lost, e.g. the key needed to decrypt a file.

A post-mortem analysis is preferable, but not always possible.

Examples

A server has been compromised: how did it occur, and who did it?

  • Find data created by events related to the incident, e.g. recover deleted log entries from the server.

  • Find attack tools.

  • Find the vulnerabilities that existed on the server.

  • Using this data, and more, we develop hypotheses:

    • Which vulnerability the attacker used to gain access.

    • What he/she did afterwards.

  • Later, examine the firewall configuration and logs:

    • Determine that some of the scenarios in our hypotheses are impossible because that type of network traffic could not have existed.

    • Evidence was found that refutes one or more hypotheses.
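The last two steps (form hypotheses, then test them against the firewall configuration and logs) can be made mechanical. The following is an added example, not part of the original notes: the firewall rule set, the log lines and the hypotheses are all constructed for illustration, and the log format is an assumed iptables-style syslog line.

```python
import re
from dataclasses import dataclass

# Constructed firewall configuration (assumption): inbound ports the server's
# firewall allowed at the time of the incident.
ALLOWED_INBOUND_PORTS = {22, 80, 443}

# Constructed firewall log in an assumed iptables/syslog style; not real data.
FIREWALL_LOG = """\
Mar 12 02:14:07 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP DPT=80
Mar 12 02:14:09 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP DPT=22
Mar 12 02:15:31 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP DPT=3306
"""

@dataclass
class Hypothesis:
    name: str
    required_dport: int  # service the attacker must have reached for this scenario

# Hypotheses developed from the host evidence (constructed for the example).
HYPOTHESES = [
    Hypothesis("Exploit of the web application over HTTP", 80),
    Hypothesis("Password guessing against SSH", 22),
    Hypothesis("Exploit of the HTTPS front end", 443),
    Hypothesis("Direct exploit of the MySQL service", 3306),
]

LOG_RE = re.compile(r"\b(?P<action>ACCEPT|DROP)\b.*\bSRC=(?P<src>\S+).*\bDPT=(?P<dpt>\d+)")

def parse_firewall_log(text):
    """Return (action, source, destination_port) tuples for each parseable line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m["action"], m["src"], int(m["dpt"])))
    return events

def evaluate(hypotheses, allowed_ports, events):
    """Classify each hypothesis against the firewall configuration and the logged traffic."""
    accepted_ports = {dpt for action, _, dpt in events if action == "ACCEPT"}
    results = {}
    for h in hypotheses:
        if h.required_dport not in allowed_ports:
            results[h.name] = "refuted: required traffic blocked by firewall configuration"
        elif h.required_dport not in accepted_ports:
            results[h.name] = "unsupported: no accepted traffic to that port in the logs"
        else:
            results[h.name] = "consistent with firewall evidence"
    return results

def run():
    return evaluate(HYPOTHESES, ALLOWED_INBOUND_PORTS, parse_firewall_log(FIREWALL_LOG))
```

A hypothesis marked "refuted" corresponds to the notes' "impossible because that type of network traffic could not have existed"; "unsupported" only means the firewall logs give no corroboration, so it is weakened rather than eliminated.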
