Computer Forensic Hard Drive Imaging Process Tree for Basic Training
I recently had a need for a simple decision tree for students to grasp and understand some of the options available to them when imaging a hard drive. I put together a simple decision tree and figured others may find it useful. Feel free to make additions or suggestions in the comments.
ShareThis
Posts
10 comments:
You may wish to add Chain of Custody steps if the decision tree is intended to be a learning tool for people that are new to forensics.
@Anon-
Excellent observation. For my purpose, I am covering that exact topic in a separate detailed module. This was meant to be a decision tree to explain what imaging options are available. You are correct, but for my intended use, I was not trying to cover all aspects of what a student needs to cover or think about when imaging, but more about imaging options.
Thanks for the observation and comment.
I'm a little concerned that you're suggesting people turn off the system simply because they can. What of the volatile data stored in memory and active running processes on the system?
Sure, shutting the system down is 'an option' but not necessarily the best option in all cases.
Perhaps you could adjust the tree to account for live data acquisition prior to taking the system offline for offline drive acquisition?
Why the power off? Seems like the tree leads you to shutting it down no matter what.
Lance,
Like the post and understand that this is about hard drive imaging. But Id include exactly where in the steps you would include volatile data and memory acquisition collection.
Also, in many cases removing a hard drive means you have to have an adapter. Id first check to see if you have the right adapter prior to removing the hard drive from the PC. If no adapter, Id imagine using a LiveCD.
Best,
Rob
@Andrew - No need to be concerned. This chart was meant to show options just for imaging. I cover volatile data collection in a separate module.
@Anon - there are times when power will remain on, but generally my students are law enforcement and seizure is part of the equation.
@Rob -
Great points. I was mulling over the previous comments and the idea of expanding it to include collection of volatile data to make it clear, but love your point about adapters! Thanks
Hello Lance,
First of all, great post as always, kudos to you!
I cited your process tree, linking to your blog and added a process tree for remote acquisition considering volatile evidence in my blog:
original (in portuguese):
http://sseguranca.blogspot.com/2010/12/flowcharts-para-processos-de-forense.html
translated to english: http://is.gd/itoKd
Best,
Sandro Süffert
Lance,
Great post. The only thing I would add is a quick look at processes running to see if encryption is part of the equation before shutting down.
I prefer to image machines that are turned off but have run into encryption before.
I'll be using this in class next week.
Thanks again.
Matt Anderson
I'd also have a shot at adding a branch for the LiveCD imaging. Because of MBR encryptions, connectors (as mentioned above) or just because it's faster on many occasions.
What about imaging of Safeboot, Safeguard or Pointsec? A different tree? But would be definitely useful.
Post a Comment