My Road to Digital Forensics Excellence

Archive for the ‘Incident Response’ Category


Posted by Paul Bobby on March 19, 2010

Kristinn has developed a great tool, and it has been discussed in many places. Timeline analysis is becoming the phrase of the year along with APT, and while timeline analysis is commonplace in my caseload, I decided to give this tool a run – mainly because it has an output mechanism to feed the SIMILE timeline widget 🙂

I had to fix a couple of code issues – one with the input mechanism for reading TLN formatted data, and one with the new file to read McAfee logs. My next goal is to get it to work under Cygwin since for right now I can only get it working under Ubuntu running in a virtual machine.

Encase has the ability to mount evidence using a VFS or PDE mechanism (network share versus emulated disk drive). There are pros and cons in both methods, VFS lets me get to the System Restore points, PDE lets me traverse the tree structure properly when sharing this PDE mounted evidence through SharedFolders in VMWare.

The problem with VFS is that I can’t traverse the tree properly when sharing this mounted file system through VMWare. The problem with PDE is that the System Restore point area is not visible to VMWare.

The issue is still present when mounting using Mount Image Pro.

And I can only get this far if I run VMWare as an administrator. I’m running Vista 64bit, perhaps this issue will go away if I use Windows XP as the host OS. Anyway, that’s too much to change.

So for right now my solution is to identify Log2timeline input files in Encase. Enscript to the rescue. My next post will include this detail. The idea is to traverse the evidence tree and bookmark all files that can be processed by Log2timeline. The investigator then reviews these bookmarks, tags files, and considers exporting to LEF, Copy/Unerasing or Copy Folders as an option to extract data.


Posted in EnCase, Incident Response | 3 Comments »

Investigators Notebook

Posted by Paul Bobby on June 1, 2009

My Microsoft Onenote notebook has gotten a little bit of attention recently.

A thread at Digital Detective discusses case tracking, but more specifically methods and tools for tracking the contents of one single case. I offered up my MS Onenote, but other options discussed are Paper and Pencil, John Douglas’s CaseNotes and something called SUPERtext (which I haven’t tried yet).

If you’re interested in my Microsoft Onenote, I am hosting it here.

The second thread is at the forums of Forensic Focus entitled Case Management Tool. While not exactly a Case Management Tool, the onenote is ideal for the tracking the contents of a single case.

Posted in Incident Response, State of Affairs | Leave a Comment »

Repeatable Analysis Steps for Statusing

Posted by Paul Bobby on March 19, 2009

A frequently asked question in class and on forensic forums is “What steps should I take when conducting analysis?” I have blogged on this before, and provided several approaches to case analysis.

This time, let us consider the requirement of case status. Whether in law enforcement or in the corporate realm there is a dual-role requirement for investigations. This dual role separates the investigator from the examiner; typically one investigator, and one or more examiners. The dual role provides a separation of duties, but also permits the agency or corporation to maintain expertise in investigations separate from expertise in forensic examination. I consider these to be highly valued skills, and the individual capable of performing on both to excellence is held in high regard.

The timeframe for corporate investigations is much shorter when compared to law enforcement often days or weeks versus months or years. Regardless of the timeframe, the investigator has an insatiable appetite for progress and status. How does the examiner provide adequate status to the investigator?

One method is to leverage the concept of repeatable forensic analysis steps and combine those with a standard 0% through 100% qualifier:  we have the beginnings of a repeatable status metric.

  • NA: Task not applicable
  • 0%: Task not yet started
  • 33%: Task started
  • 66%: Data collected
  • 100%; Ready for final report

What tasks? Well, look at my previous investigation posts and the Microsoft Onenote I use to support investigations. These contain a variety of ideas for repeatable forensic analysis.

What are your thoughts?

Posted in Incident Response | Leave a Comment »

Investigator’s OneNote NoteBook

Posted by Paul Bobby on November 4, 2008

I’ve blogged before on the benefits of Microsoft OneNote and its use when taking notes during an investigation. I’ve logged perhaps 40 investigations using the OneNote section in that article, and while it works okay, I had to of course tweak things to produce v2.0.

So here it is – I’d really like your feedback on this one. (a thread on the Guidance Software forum) (the attachment itself)

Posted in Incident Response | Leave a Comment »