During my current Digital Forensics study I recently stumbled across a guide from Microsoft entitled the “Fundamental Computer Investigation Guide for Windows”, which is a download containing the basic Microsoft guide, a sample Internal Investigation Report, a sample Chain of Custody document and a sample Impact Analysis document.
Although at 55 pages the guide isn't going to make you a Forensics guru, as a free starter's guide it hits all the main points we've learnt so far: initially assessing the situation, obtaining authorization, reviewing any policies or legal restrictions, being thorough and methodical in the assessment, acquisition of data, analysis of the data, and reporting on the findings. It also contains an applied scenario to tie together all the points previously discussed (set at Woodgrove Bank, an organization that, along with Tailspin Toys and Contoso, will be all too familiar to those who've done a few Microsoft exams).
The tools referenced in the guide are generally either included in the OS or free Sysinternals tools such as Filemon, Portmon and Process Explorer, although EnCase and FTK are mentioned for performing a bit-wise acquisition.
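One piece of the acquisition step that the guide's sample Chain of Custody document is there to support, and that is worth having in script form, is recording a cryptographic hash of the acquired image alongside who handled it and when. The following PowerShell is an added example written for this post; it is not code from the Microsoft guide. The image path, examiner name and log path are placeholders, and it only uses built-in cmdlets (Get-FileHash, Export-Csv), so it runs on any Windows box without the Sysinternals suite.

```powershell
# Added example (not from the Microsoft guide): append a chain-of-custody entry
# for an acquired disk image, recording its SHA-256 so later handling can be
# checked against the hash taken at acquisition time.
# Assumptions: $ImagePath, $Examiner and $LogPath are placeholders for this post.

param(
    [string]$ImagePath = 'E:\evidence\case0001\disk0.dd',    # placeholder: acquired bit-wise image
    [string]$Examiner  = 'J. Doe',                           # placeholder: person handling the item
    [string]$LogPath   = 'E:\evidence\case0001\custody.csv'  # placeholder: chain-of-custody log
)

if (-not (Test-Path -LiteralPath $ImagePath)) {
    throw "Image not found: $ImagePath"
}

# Hash the whole image. Re-running this later and comparing against the first
# recorded value is the check that the evidence has not changed in custody.
$hash = (Get-FileHash -LiteralPath $ImagePath -Algorithm SHA256).Hash

# One log row per handling event; UTC timestamps avoid ambiguity across sites.
$entry = [pscustomobject]@{
    Timestamp = (Get-Date).ToUniversalTime().ToString('o')
    Examiner  = $Examiner
    Item      = $ImagePath
    SHA256    = $hash
    Action    = 'Hash recorded'
}

# Append to the CSV so the log keeps every prior entry; the file is created on first use.
$entry | Export-Csv -LiteralPath $LogPath -Append -NoTypeInformation
Write-Output $entry
```

Run it once immediately after acquisition and again before analysis; a mismatch between the two SHA256 values in the log is the signal that the image should not be trusted as the original.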
While Microsoft do get bashed about a lot of things (and security in particular), I am always surprised by the sheer amount of material they generate and freely distribute. If you deal with Windows and aren't familiar with the Sysinternals tools, I recommend checking them out.