Quick Win Data Forensics prioritizes locating, extracting, and processing the 1 percent of digital evidence you need to move a case forward.
Given that 99 percent of the necessary evidence typically will exist in 1-2 percent of the data acquired, it is easy to see how a great deal of time can be wasted following the normal procedures in today's digital forensics world. Instead, let us focus on this 1-2 percent and perform a very rapid triage collection that can be used to start our investigation sooner!
Far too often, computers are seized in an "on" state, and immediately powered down because, "that is how we've always done it." With today's computers, this means you are throwing away (essentially destroying) many gigabytes of data. The RAM in a computer holds a treasure trove of data, from keystrokes to network connections, running services, and, quite importantly, passwords and decryption keys. With the vastly increasing spread of file-less malware, in many cases the only place that evidence will exist is in memory. Another often-overlooked factor is full disk encryption. In cases like this, "live" acquisition will be your only hope.
In these episodes you will learn:
Top 5 “Quick Win” files in Battlefield Forensics
"Quick Win” files #1 - The Registry
“Quick Win” files #2 - Jumplists
Setting CLI tools to run from any path in Windows 10
“Quick Win” files #3 - .LNK file
“Quick Win” files #4 - Shellbags
“Quick Win” files #5 - Prefetch
The topics covered in the videos below are just excerpts of what the FOR498: Battlefield Forensics & Data Acquisition course teaches. For more information or to register for the course visit here
The SANS 3MinMax series with Kevin Ripa is designed around short, three-minute presentations on a variety of topics from within Digital Forensics, Incident Response, and to a lesser degree, Information Security.
About the author: An investigator at heart, Kevin Ripa bought his first computer as a tool for writing reports for his private investigation agency. As he worked through typical user issues, the "why" of what was going wrong in his machine kept him up at night. So Kevin turned his investigative skills toward his computer and quickly became fascinated by the world inside of it. Now a 25-year veteran of the digital investigations field, Kevin's enthusiasm has not waned: "IT security and digital forensics still inspire me every day, and I can't wait to wake up in the morning and get to work!
"Kevin is a SANS Certified instructor and the co-author of the SANS course FOR498: Battlefield Forensics and Data Acquisition. For more information about the course, visit:http://www.sans.org/FOR498If you would like to suggest a topic for the next 3MinMax episodes, please email 3minmax@sans.org or reach out to Kevin via twitter at @kevinripa (https://twitter.com/kevinripa)
FOR498: Battlefield Forensics & Data Acquisition course
FOR498, a digital forensic acquisition training course, provides the necessary skills to identify the many and varied data storage mediums in use today, and how to collect and preserve this data in a forensically sound manner despite how and where it may be stored. It covers digital acquisition from computers, portable devices, networks, and the cloud. It then teaches the student Battlefield Forensics, or the art and science of identifying and starting to extract actionable intelligence from a hard drive in 90 minutes or less.
Demo the course here
Learn abut the course Certification (GBFA) here
