Digital Forensic Checklist
Project Name: Digital Forensic Checklist
Description: This blog will help all forensics investigators with a Digital Forensic Checklist
Author: Rohit D Sadgune
Frequently Asked Questions on Computer Forensics Investigation
- Checklist of Principal Digital Forensic Activities (checklist form)
- Safely seize computer systems and files to avoid contamination and/or interference.
- Safely collect data and software.
- Safe and non-contaminating copying of disks and other data media.
- Review and report on data media.
- Source and review backup and archived files.
- Recover/reconstruct deleted files—logical methods.
- Recover material from swap and cache files.
- Recover deleted/damaged files—physical methods.
- Core-dump: Collect an image of the contents of the active memory of a computer at a particular time.
- Estimate whether files have been used to generate forged output.
- Review single computers for proper working during relevant period, including service logs, fault records, and the like.
- Prove/test reports produced by complex client/server applications.
- Review complex computer systems and networks for proper working during relevant period, including service logs, fault records, and the like.
- Review system/program documentation for design methods, testing, audit, revisions, and operations management.
- Review applications programs for proper working during relevant period, including service logs, fault records, and the like.
- Identify and examine audit trails.
- Identify and review monitoring logs.
- Conduct telecoms call path tracing (PTTs or path-tracing telecoms and telecoms utilities companies only).
- Review access control services—quality and resilience of facilities (hardware and software, identification/authentication services).
- Review and assess access control services—quality of security management.
- Review and assess encryption methods—resilience and implementation.
- Set up proactive monitoring to detect unauthorized or suspect activity within application programs and operating systems and across local area and wide area networks.
- Monitor email.
- Use special alarm or trace programs.
- Use honeypots.
- Interact with third parties (suppliers, emergency response teams, and law enforcement agencies).
- Review and assess measuring devices and other sources of real evidence, including service logs, fault records, and the like.
- Use routine search programs to examine the contents of a file.
- Use purpose-written search programs to examine the contents of a file.
- Reconcile multi-source files.
- Examine telecoms devices and location of associated activity logs and other records perhaps held by third parties.
- Reconstruct events.
- Reconstruct complex computer intrusion.
- Reconstruct complex fraud.
- Reconstruct system failure.
- Reconstruct disaster affecting computer-driven machinery or process.
- Review expert- or rule-based systems.
- Reverse-compile suspect code.
- Use computer programs that purport to provide simulations or animations of events: review of accuracy, reliability, and quality.
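The items on recovering deleted or damaged files by physical methods and on using purpose-written search programs to examine file contents come together in signature-based carving, which walks a raw disk image without relying on file system metadata. The following is an added example, not code from the original post; the signature table, the constructed sample image and the helper names (`carve`, `digest`, `build_sample_image`) are assumptions for illustration, and each carved object is hashed so the recovered copy can be verified later in the same way an acquired image is:

```python
import hashlib
SECTOR = 512
# Header/footer signatures used by the carver (constructed subset for this example).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def digest(data: bytes) -> str:
    """SHA-256 of a carved object, recorded so the carved copy can be verified later."""
    return hashlib.sha256(data).hexdigest()

def carve(image: bytes, max_size: int = 1 << 20) -> list:
    """Signature-based (physical) carving: scans the raw image bytes, ignoring any
    file system metadata, so objects with no directory entry are still found.
    A header whose footer is not found within max_size is kept as an incomplete
    fragment rather than silently dropped."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            foot = image.find(footer, start + len(header), start + max_size)
            if foot == -1:
                # Truncated or partially overwritten object: note it, keep scanning.
                found.append({"type": kind, "offset": start, "size": None,
                              "sha256": None, "complete": False})
                pos = start + 1
                continue
            end = foot + len(footer)
            obj = image[start:end]
            found.append({"type": kind, "offset": start, "size": len(obj),
                          "sha256": digest(obj), "complete": True})
            pos = end
    return sorted(found, key=lambda r: r["offset"])

def build_sample_image() -> bytes:
    """Constructed 10 KiB raw image: a whole JPEG and a whole PNG with no directory
    entries (as after deletion), plus a JPEG header whose body has been overwritten."""
    img = bytearray(20 * SECTOR)
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 60 + b"IEND\xaeB`\x82"
    frag = b"\xff\xd8\xff\xe1" + b"F" * 40
    img[2 * SECTOR:2 * SECTOR + len(jpeg)] = jpeg
    img[8 * SECTOR:8 * SECTOR + len(png)] = png
    img[16 * SECTOR:16 * SECTOR + len(frag)] = frag
    return bytes(img)

if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit)
```

A footer search that runs into a later file of the same type will carve the two together, which is why every hit carries its offset and size for manual review.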