Best Practices for Computer Forensics in the Field


    Introduction

    Computer forensic examiners are responsible for technical acuity, knowledge of the law, and objectivity in the course of investigations. Success is predicated upon verifiable and repeatable reported results that represent direct evidence of suspected wrong-doing or potential exoneration. This article establishes a series of best practices for the computer forensics practitioner, representing the best evidence for defensible solutions in the field. Best practices themselves are intended to capture those processes that have repeatedly shown to be successful in their use. This is not a cookbook. Best practices are meant to be reviewed and applied based on the specific needs of the organization, the case and the case setting.

    Job Knowledge

    An examiner can only be so informed when they walk into a field setting. In many cases, the client or the client’s representative will provide some information about how many systems are in question, their specifications, and their current state. And just as often, they are critically wrong. This is especially true when it comes to hard drive sizes, cracking laptop computers, password hacking and device interfaces. A seizure that brings the equipment back to the lab should always be the first line of defense, providing maximum flexibility. If you must perform onsite, create a comprehensive working list of information to be collected before you hit the field. The list should be composed of small steps with a checkbox for each step. The examiner should be completely informed of their next step and not have to “think on their feet.”

    Overestimate

    Overestimate by at least a factor of two the amount of time you will require to complete the job. This includes accessing the device, initiating the forensic acquisition with the proper write-blocking strategy, filling out the appropriate paperwork and chain of custody documentation, copying the acquired files to another device and restoring the hardware to its initial state. Keep in mind that you may require shop manuals to direct you in taking apart small devices to access the drive, creating more difficulty in accomplishing the acquisition and hardware restoration. Live by Murphy’s Law. Something will always challenge you and take more time than anticipated -- even if you have done it many times.

    Inventory Equipment

    Most examiners have enough of a variety of equipment that they can perform forensically sound acquisitions in several ways. Decide ahead of time how you would ideally like to carry out your site acquisition. All of us will see equipment go bad or some other incompatibility become a show-stopper at the most critical time. Consider carrying two write blockers and an extra mass storage drive, wiped and ready. Between jobs, make sure to verify your equipment with a hashing exercise. Double-check and inventory all of your kit using a checklist before taking off.

    Flexible Acquisition

    Instead of trying to make “best guesses” about the exact size of the client hard drive, use mass storage devices and, if space is an issue, an acquisition format that will compress your data. After collecting the data, copy the data to another location. Many examiners limit themselves to traditional acquisitions where the machine is cracked, the drive removed, placed behind a write-blocker and acquired. There are also other methods for acquisition made available by the Linux operating system. Linux, booted from a CD drive, allows the examiner to make a raw copy without compromising the hard drive. Be familiar enough with the process to understand how to collect hash values and other logs. Live acquisition is also discussed in this document. Leave the imaged drive with the attorney or the client and take the copy back to your lab for analysis.
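    The raw-copy-with-hashes workflow described above, as an added example that is not code from the article: the source is read once, both MD5 and SHA-256 are computed from the stream as it is written, the finished image is re-read and hashed, and the result is written to a JSON acquisition log. It assumes the evidence device is already read-only to the examiner's system (a hardware write blocker, or a forensic Linux boot that does not auto-mount) and that `src` is the block device path, or for testing any ordinary file. Unreadable regions are zero-filled and their offsets logged, the way `dd conv=noerror,sync` behaves.

```python
"""Raw image acquisition with in-flight hashing and an acquisition log.

Added example; not code from the article. Assumes `src` is a read-only
(write-blocked) block device, or any file when testing.
"""
import hashlib
import json
import os
import time

CHUNK = 1024 * 1024  # 1 MiB per read; a multiple of every common sector size


def _hash_file(path):
    """Return (md5, sha256) hex digests of a whole file, read in CHUNK pieces."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fin:
        for data in iter(lambda: fin.read(CHUNK), b""):
            md5.update(data)
            sha256.update(data)
    return md5.hexdigest(), sha256.hexdigest()


def acquire_raw_image(src, dst, log_path):
    """Copy `src` to `dst` byte for byte, hashing the source as it is read.

    Two digests (MD5 and SHA-256) are kept so the report can quote whichever
    a reviewer or court expects. A read error is handled the way
    `dd conv=noerror,sync` handles it: the chunk is replaced by zeros so later
    offsets stay aligned, and the offset is written to the log. The image is
    then re-read and hashed; `verified` is True only when both digests agree.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_offsets = []
    started = time.time()
    offset = 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        while True:
            try:
                data = fin.read(CHUNK)
            except OSError:
                # Unreadable region (bad sectors): zero-fill and skip past it.
                bad_offsets.append(offset)
                fin.seek(offset + CHUNK)
                data = b"\x00" * CHUNK
            if not data:
                break
            md5.update(data)
            sha256.update(data)
            fout.write(data)
            offset += len(data)
        fout.flush()
        os.fsync(fout.fileno())

    image_md5, image_sha256 = _hash_file(dst)
    record = {
        "source": src,
        "image": dst,
        "bytes": offset,
        "source_md5": md5.hexdigest(),
        "source_sha256": sha256.hexdigest(),
        "image_md5": image_md5,
        "image_sha256": image_sha256,
        "unreadable_chunk_offsets": bad_offsets,
        "started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(started)),
        "finished_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    record["verified"] = (record["source_md5"] == image_md5
                          and record["source_sha256"] == image_sha256)
    with open(log_path, "w") as log:
        json.dump(record, log, indent=2)
    return record


if __name__ == "__main__":
    # Constructed demonstration input; on a real job `src` would be /dev/sdX
    # behind a write blocker and `dst` a wiped collection drive.
    with open("demo_evidence.bin", "wb") as f:
        f.write(os.urandom(3 * CHUNK + 4096))
    print(json.dumps(acquire_raw_image("demo_evidence.bin", "demo_evidence.dd",
                                       "demo_acquisition.json"), indent=2))
```

    The log is the artifact to keep with the case paperwork: it ties the image file to the source digests, the acquisition window, and any unreadable offsets that a later analyst needs to know about.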

    Pull the Plug

    Heated discussion occurs about what one should do when they encounter a running machine. Two clear choices exist: pulling the plug or performing a clean shutdown (assuming you can log in). Most examiners pull the plug, and this is the best way to avoid allowing any sort of malevolent process from running that may delete and wipe data or some other similar pitfall. It also allows the examiner access to create a snapshot of the swap files and other system information as it was last running. It should be noted that pulling the plug can also damage some of the files running on the system, making them unavailable to examination or user access. Businesses sometimes prefer a clean shutdown and should be given the choice after being told the impact. It is critical to document how the machine was brought down because it will be absolutely essential knowledge for analysis.

    Live Acquisitions

    Another option is to perform a live acquisition. Some define “live” as a running machine as it is found, or for this purpose, the machine itself will be running during the acquisition through some means. One method is to boot into a customized Linux environment that includes enough support to grab an image of the hard drive (often among other forensic capabilities), but the kernel is modified to never touch the host computer. Special versions also exist that allow the examiner to leverage the Windows autorun feature to perform incident response. These require an advanced knowledge of both Linux and experience with computer forensics. This kind of acquisition is ideal when, for time or complexity reasons, disassembling the machine is not a reasonable option.

    The Fundamentals

    An amazingly brazen oversight that examiners often make is neglecting to boot the device once the hard disk is out of it. Checking the BIOS is absolutely critical to the ability to perform a fully-validated analysis. The time and date reported in the BIOS must be reported, especially when time zones are an issue. A rich variety of other information is available depending on what manufacturer wrote the BIOS software. Remember that drive manufacturers may also hide certain areas of the disk (Hardware Protected Areas) and your acquisition tool must be able to make a full bitstream copy that takes that into account. Another key for the examiner to understand is how the hashing mechanism works: some hash algorithms may be preferable to others not necessarily for their technological soundness, but for how they may be perceived in a courtroom situation.
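    The hidden-area check the paragraph calls for, as an added example that is not code from the article: the drive's current and native maximum sector counts (the feature is usually called a Host Protected Area, HPA; the article calls it a Hardware Protected Area) are compared, and the image size is checked against the native capacity so a bitstream copy that stopped at the HPA boundary is caught before it is signed off. The parser accepts text in the style of `hdparm -N /dev/sdX`; the `SAMPLE_*` strings are constructed for the demonstration, not captured from real hardware, and the 512-byte sector size is an assumed default.

```python
"""Checking a drive for a Host Protected Area before trusting an image size.

Added example, not code from the article. Parses text in the style of
`hdparm -N`, which reports "max sectors = <current>/<native>"; the sample
strings are constructed.
"""
import re

# Matches the "max sectors   = <current>/<native>, HPA is ..." line.
_MAX_SECTORS = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")


def parse_hdparm_n(text):
    """Return current/native sector counts and whether an HPA hides sectors."""
    m = _MAX_SECTORS.search(text)
    if m is None:
        raise ValueError("no 'max sectors' line in hdparm output")
    current, native = int(m.group(1)), int(m.group(2))
    if current > native:
        raise ValueError("current max exceeds native max; output not trustworthy")
    return {
        "current_sectors": current,
        "native_sectors": native,
        "hidden_sectors": native - current,
        "hpa_present": current < native,
    }


def image_covers_drive(image_bytes, native_sectors, sector_size=512):
    """True when the image is exactly the drive's native capacity."""
    return image_bytes == native_sectors * sector_size


def acquisition_check(hdparm_text, image_bytes, sector_size=512):
    """Verdict (ok, reason) on whether an image is a full bitstream copy."""
    info = parse_hdparm_n(hdparm_text)
    native_bytes = info["native_sectors"] * sector_size
    if image_covers_drive(image_bytes, info["native_sectors"], sector_size):
        suffix = " (HPA present and included)" if info["hpa_present"] else ""
        return True, "image covers the full native capacity" + suffix
    if info["hpa_present"] and image_bytes == info["current_sectors"] * sector_size:
        return False, ("image stops at the HPA boundary; %d sectors not acquired"
                       % info["hidden_sectors"])
    return False, ("image size %d bytes does not match native capacity %d bytes"
                   % (image_bytes, native_bytes))


# Constructed samples in hdparm -N style (not real captures).
SAMPLE_CLEAN = "/dev/sdb:\n max sectors   = 976773168/976773168, HPA is disabled\n"
SAMPLE_HPA = "/dev/sdc:\n max sectors   = 976000000/976773168, HPA is enabled\n"

if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_CLEAN), ("hpa", SAMPLE_HPA)):
        info = parse_hdparm_n(text)
        short_image = info["current_sectors"] * 512
        print(name, info, acquisition_check(text, short_image))
```

    An image whose size equals only the current (clipped) capacity is the failure mode to look for: the hashes will still verify against that image, so the size comparison against native capacity is the only thing that reveals the missing sectors.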

    Store Securely

    Acquired images should be stored in a protected, non-static environment. Examiners should have access to a locked safe in a locked office. Drives should be stored in antistatic bags and protected by the use of non-static packing materials or the original shipping material. Each drive should be tagged with the client name, attorney’s office and evidence number. Some examiners copy drive labels on the copy machine, if they have access to one during the acquisition, and this should be stored with the case paperwork. At the end of the day, each drive should link up with a chain of custody document, a job, and an evidence number.
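    One way to keep the drive, job, evidence number and chain-of-custody record linked, as an added example that is not code from the article: a per-job ledger in which each custody event (acquired, transferred, returned, and the note on how the machine was brought down that the Pull the Plug section requires) is hashed together with the previous entry, so any later edit to an earlier line is detectable. Job ids, evidence numbers, custodian names and drive hashes are constructed; the hash-linking is an illustration, not a standard the article prescribes.

```python
"""A hash-linked chain-of-custody ledger for acquired evidence drives.

Added example, not code from the article. All identifiers are constructed;
SHA-256 linking of entries is one way to make the record tamper-evident.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


class CustodyLedger:
    """One ledger per job; every entry names the evidence item it concerns."""

    def __init__(self, job_id, client, attorney):
        self.job_id = job_id
        self.client = client
        self.attorney = attorney
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the entry's own hash, in canonical order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, evidence_number, action, custodian, drive_sha256=None,
               note="", when=None):
        """Append a custody event such as acquired, sealed, transferred, returned."""
        entry = {
            "seq": len(self.entries),
            "job_id": self.job_id,
            "evidence_number": evidence_number,
            "action": action,
            "custodian": custodian,
            "drive_sha256": drive_sha256,
            "note": note,
            "timestamp_utc": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain; (True, None) or (False, seq of first bad entry)."""
        prev = GENESIS
        first_hash = {}
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False, e["seq"]
            # An item's drive hash must never change between its entries.
            h = e["drive_sha256"]
            if h is not None and first_hash.setdefault(e["evidence_number"], h) != h:
                return False, e["seq"]
            prev = e["entry_hash"]
        return True, None

    def held_in_lab(self):
        """Evidence numbers whose latest action is not 'returned'."""
        latest = {}
        for e in self.entries:
            latest[e["evidence_number"]] = e["action"]
        return sorted(n for n, a in latest.items() if a != "returned")

    def to_json(self):
        return json.dumps({"job_id": self.job_id, "client": self.client,
                           "attorney": self.attorney, "entries": self.entries},
                          indent=2)


if __name__ == "__main__":
    led = CustodyLedger("JOB-0001", "Example Client", "Example Law Office")
    led.record("EV-001", "acquired", "examiner A", "ab" * 32,
               "power removed at the wall before imaging (no clean shutdown)")
    led.record("EV-001", "returned", "Example Law Office", "ab" * 32)
    print(led.to_json())
    print(led.verify(), led.held_in_lab())
```

    `held_in_lab()` is the list to review against the storage policy: anything still on it after the agreed retention window is either overdue for return or should be incurring the storage fee the next section discusses.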

    Establish a Policy

    Many clients and attorneys will push for an immediate acquisition of the computer and then sit on the evidence for months. Make clear with the attorney how long you are willing to maintain the evidence at your lab and charge a storage fee for critical or large-scale jobs. You may be storing critical evidence to a crime or civil action, and while from a marketing perspective it may seem like a good idea to keep a copy of the drive, it may be better from the perspective of the case to return all copies to the attorney or client with the appropriate chain of custody documentation.

    Conclusion

    Computer examiners have many choices about how they will carry out an onsite acquisition. At the same time, the onsite acquisition is the most volatile environment for the examiner. Tools may fail, time constraints can be severe, observers may add pressure, and suspects may be present. Examiners need to take seriously the maintenance of their tools and the development of ongoing knowledge to learn the best techniques for every situation. Utilizing the best practices herein, the examiner should be prepared for almost any situation they may face and have the ability to set reasonable goals and expectations for the effort in question.

    Source: http://www.socialspace.org.ua/article/171763/socialspace-Best-Practices-for-Computer-Forensics-in-the-Field.html
