Forensic analysis standard Operating procedures???

Source: Internet
Author: User

Someone asked me recently what is ISO 27037? In fact, it is the standard for the processing of electronic evidence, but it is not frightened by its long-winded speech. If you look closely, it only mentions "previous" assignments. In other words, it mentions the collection of electronic evidence, preservation, retrieval, delivery, But the next really critical analysis program, it does not mention. Why, because it is too complicated.

Many units like to hang on the mouth is "follow standard operating procedure SOP", listen to how professional AH ~ Yes, at first blush there is such a thing. But insiders know that the main spirit and purpose of SOP is "anti-stay" and "prevention of hand-mutilation", equal to those who do so even if it is not so clear. You can also take a class. But there is something that is not easily replaced by SOP, which is "experience".

If you ask me about the significance and feasibility of standardizing on digital forensics, I think the "forensics process" can be, because the work is consistent, as long as the highest principle-"to ensure that the evidence is not contaminated." But what about "analytical procedures"? Sorry, there is no standardization possible and necessity.

What's the reason? because "experience" and "judgment" are the key factors in deciding whether or not to do a good job of analysis. This is not done according to the Watch class. Computer hardware and software, network, virtual environment, database and so on exacerbate, rich experience will help to make better judgments, conversely, it is easy to misjudge or ignore important clues.

To give you a simple example of the difference in experience, if you understand the MBR, only in the use of forensic tools learned can try to decode get partition entry, and then one of them will have bootable flag–80 ... this is just the information you get from the forensics tool, But in fact is smattering, memorize just. If there are changes, such as MBR with multiple boot systems, you will not understand.

In other words, if you are already a player, you have used third-party software to handle multiple boot systems, such as Windows, Linux, and so on. You'll know the MBR format of the hard disk, up to four main partitions or three main partitions plus an extended partition, And the extended partition can be divided into several logical partitions. There is a unique identifier behind each file system, such as the Linux native 83.

In general, in the computer field has been rolling over a few years, and then to explore the evidence, is a better learning curve. Conversely, if directly from forensics, it is often easy because only know the tool, but not enough to understand the characteristics of the analysis objects (whether software or hardware) itself, and more prone to miscarriage, or even ignore important clues to the occurrence, Do not be careless. And understand the characteristics, but also understand the use of tools, and the ability to determine whether the tool analysis results are abnormal, the experience has reached a certain degree of accumulation.

This is the evidence of interesting places, often some forensic personnel to find clues faster, some are slow many, and the same is to find clues, but ingenious each have different, some is very precise in place, according to the context of evidence, quickly found the answer. Some are just lucky, after looking at the search hits for 10 days and half a month, Finally he/she saw it. From behind these phenomena, we can see how the difference is??? "Experience" still accounts for half of the factors.

Forensic analysis standard Operating procedures???

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.