Evidence Gathering

by Brent Kirkpatrick

Evidence gathering involves capturing exploits, isolating their machine code, and analyzing them.



Evidence gathering involves statistical measures of confidence. "Forensics" is a misnomer when it does not involve statistics. Evidence gathering is a process and the result of the process is only as good as the steps used to obtain the result. Any evidence should be accompanied by a description of the scientific process by which it was obtained.

The goal of doing "forensics" is to take a hacked computer, examine all the exploits on it, and describe, with statistical confidence, the mechanisms of the responsible exploit(s). Attribution, or whodunit, is the responsibility of investigators and detectives, not computer experts.

In essence, computer security people doing forensics are running a crime lab and should properly document chain of custody and analysis method(s). The documentation should be sufficient for a court of law.

Doing computer forensics is an art, similar to doing statistical consulting. In both cases, one is looking for a needle in a haystack. Both require a magic touch or talent. Hackers try to hide their exploits, and sometimes they even clean up after themselves. So, capturing and analyzing an exploit is different every time.




Intrepid Net Computing provides custom evidence gathering work.

bbkirk@intrepidnetcomputing.com

© 2015, 2016, 2017, 2018 Intrepid Net Computing. All rights reserved.