Table of Contents
Overview
This was a talk presented by Eric B. at our 1/8/2017 meeting. The topic was Conducting Defensible Investigations.
Slide Deck
The slide deck is available here: Conducting Defensible Investigations
Attendee Notes
Key terms:
Defensible in this context is something that can withstand being challenged in court
Forensics of or having to do with the court system
Incident Response operationalization of a risk management process to address known or unknown hazards
Investigations & Inquiries – investigation is an act taken by an investigative authority (legal term) while an inquiry is an investigation undertaken without investigative authorities (no subpoena powers, no search & seizure or arrest powers)
There is a big difference between proper “Incident Response compared to an IT ticket. One of them requires documentation, retention of data & mitigation, whereas the other, only cares about the solution to the problem & resolving it. This difference can be further widened by standard incident response & defensible incident response which includes *high levels of documentation*.
A big portion of this is Incident Response Planning (need some good links here)
There are some vendor specific certifications: EnCase, FTK, Autopsy, Cellbrite, Tableau
Additional Resources
Although the topic of this talk was more about investigation as a process, DFIR places a huge role in that. The links below are heavily based in the DFIR camp, as we would like to get the information out there & see talks potentially building on this topic to include DFIR.
| Link | Description |
|---|---|
| Title 18, Chapter 47 § 1030 | Mentioned during the talk, in reference to legalese of capturing your own traffic & technology crime. |
| AccessData FTK | One of the products mentioned |
| EnCase forensic | One of the products mentioned |
| CellDEK TEK | One of the products mentioned |
| Champlain.edu Forensics Degree | A well accredited degree in this field on forensics |
| SANS GIAC Forensic Examiner Cert Page | Well respected certification on being a forensic investigator |
| tisiphone.net | hacks4pancakes blog :) |
| ForensicsWiki | An amazing resource for this type of information |
| DFIR.training | A wonderful website that compliments the forensics wiki really well |
| About DFIR | Awesome website, combined with the above links, you'll be comfortable with DFIR in short order :) |
| Forensic Lunch Videos | Looks to be a YouTube directory of previous hangouts of very passionate DFIR folks | |
| Computer Forensics Wiki | An Amazing Resource for All! |
