Cyber Threat Analytics
Digital Forensics

Reconstructing Past Digital Events

Project Name: Reconstruction of Past Digital Events

Description: This blog post will help forensic investigators reconstruct past digital events.

Author: Rohit D Sadgune

Frequently Asked Question on Computer Forensics Investigation

  • How to reconstruct past digital events
  • Backup of digital events
  • Importance of reconstructing past digital events
  • Review of past digital events

Forensics Checklist

  1. Create a timeline to reconstruct the events that led to your system being corrupted. This can be particularly difficult when it comes to computers—clock drift, delayed reporting, and differing time zones can create confusion in abundance.
  2. Do not change the clock on an affected system.
  3. Record any clock drift and the time zone in use, as you will need this later; changing the clock itself only adds an extra level of complexity that is best avoided.
  4. Synchronize the log files. Log files usually use timestamps to indicate when an entry was added, and these must be synchronized to make sense.
  5. Use timestamps. You’re not just reconstructing events; you are making a chain of events that must be accounted for as well.
  6. Use the GMT time zone when creating your timestamps, because the incident may involve other time zones than your own. Using a common reference point can make things much easier.
  7. Make sure you have a dedicated host for the job when analyzing backups. This examination host should be secure, clean (a fresh, hardened install of the operating system is a good idea), and isolated from any network—you don’t want it tampered with while you work, and you don’t want to accidentally send something nasty down the line.
  8. Commence analysis of the backups once the system is available. Making mistakes at this point shouldn’t be a problem—you can simply restore the backups again if required.
  9. Document everything you do. Remember the mantra.
  10. Ensure that what you do is not only repeatable, but that you always get the same results.
  11. Reconstruct the chain of events leading to and following the attacker’s break-in now that you have collected the data.
  12. Make sure you correlate all the evidence you have gathered (which is why accurate timestamps are critical). It’s probably best to use graphical tools, diagrams, and spreadsheets.
  13. Include all of the evidence you’ve found when reconstructing the attack—no matter how small it is, you may miss something if you leave a piece of evidence out.
  14. Review audit trails of system activity to pinpoint how, when, and why the incident occurred, and to assess the extent of the damage it caused.
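The following script is an added example (not code from the original post or its author) that carries items 2 through 6 and item 10 of the checklist through in code: it takes log lines from several hosts, interprets each host's local timestamps in the time zone recorded during acquisition, subtracts the measured clock drift, converts everything to UTC (GMT), sorts the result into one timeline, and hashes the rendered timeline so that a repeat run on the same evidence can be shown to produce the same result. The host names, time zones, drift values and log lines are all constructed for illustration; in a real case they come from the acquisition notes and the evidence itself.

```python
"""
Build a single UTC timeline from logs recorded on hosts with different
time zones and known clock drift. Added example; all hosts, offsets and
log lines below are constructed, not taken from a real incident.
"""
from datetime import datetime, timedelta, timezone
import hashlib
import re

# Per-host metadata recorded during acquisition (checklist items 2-3):
# the time zone the host clock was set to and the measured drift, defined
# as (host clock - trusted reference clock). Positive drift = fast clock.
# Values are constructed for this example.
HOST_CLOCKS = {
    "webserver":  {"tz": timezone(timedelta(hours=-5)), "drift": timedelta(seconds=90)},
    "fileserver": {"tz": timezone(timedelta(hours=1)),  "drift": timedelta(minutes=3, seconds=20)},
    "firewall":   {"tz": timezone.utc,                  "drift": timedelta(0)},
}

# Constructed sample log lines: "<host> <local timestamp> <message>".
SAMPLE_LOGS = [
    "webserver 2024-03-10 09:01:30 sshd: Accepted password for admin from 203.0.113.7",
    "fileserver 2024-03-10 15:05:50 smbd: share 'finance' opened by admin",
    "firewall 2024-03-10 13:59:45 DROP TCP 203.0.113.7:44112 -> 192.0.2.10:22",
    "firewall 2024-03-10 13:59:58 ACCEPT TCP 203.0.113.7:44113 -> 192.0.2.10:22",
    "webserver 2024-03-10 09:05:10 sudo: admin : COMMAND=/bin/tar czf /tmp/x.tgz /var/www",
]

LINE_RE = re.compile(r"^(\S+) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def normalize(line, apply_drift=True):
    """Return (utc_datetime, host, message) for one log line.

    The local timestamp is read in the host's recorded time zone, the
    measured drift is subtracted (a fast clock reads ahead of real time),
    and the result is converted to UTC (checklist items 3, 4 and 6).
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    host, stamp, msg = m.groups()
    clock = HOST_CLOCKS[host]
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=clock["tz"])
    corrected = local - clock["drift"] if apply_drift else local
    return corrected.astimezone(timezone.utc), host, msg


def build_timeline(lines, apply_drift=True):
    """Normalize every line and return the events sorted by UTC time.

    Pass apply_drift=False to see the ordering you would get from time-zone
    conversion alone, which is what an investigator who skipped item 3
    would be working from.
    """
    return sorted((normalize(l, apply_drift) for l in lines), key=lambda e: e[0])


def render(timeline):
    """Fixed textual form of the timeline, one event per line."""
    return "\n".join(f"{t.isoformat()} {h} {m}" for t, h, m in timeline)


def timeline_digest(timeline):
    """SHA-256 of the rendered timeline. Re-running the reconstruction on
    the same evidence must give the same digest (checklist item 10)."""
    return hashlib.sha256(render(timeline).encode()).hexdigest()


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOGS)
    print(render(tl))
    print("digest:", timeline_digest(tl))
```

With the constructed values, time-zone conversion alone places the `tar` command on the web server before the share was opened on the file server; once the file server's 3 minute 20 second fast clock is accounted for, the share open moves ahead of the archive step, which is the order the other evidence would have to be reconciled against. The digest is only meaningful over the rendered form, so the rendering is fixed in one function and never depends on locale or display settings.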
