Reconstructing Past Digital Events
Project Name: Reconstruction of Past Digital Events
Description: This blog post is intended to help forensic investigators reconstruct past digital events.
Author: Rohit D Sadgune
Frequently Asked Questions on Computer Forensics Investigation
- How to reconstruct past digital events
- Backing up digital events
- Importance of reconstructing past digital events
- Reviewing past digital events
- Create a timeline to reconstruct the events that led to your system being compromised. This is particularly difficult with computers: clock drift, delayed reporting, and differing time zones create confusion in abundance.
- Do not change the clock on an affected system.
- Record any clock drift and the time zone in use, as you will need both later; changing the clock just adds an extra level of complexity that is best avoided.
- Synchronize the log files. Log files use timestamps to indicate when each entry was added, and entries from different systems must be brought onto a common clock before they can be read together.
- Use timestamps. You are not just reconstructing events; you are building a chain of events in which every step must be accounted for.
- Use UTC (GMT) when creating your timestamps, because the incident may involve time zones other than your own. Using a common reference point makes correlation much easier; keep the original local timestamp alongside the converted value so the conversion can be checked later.
- Make sure you have a dedicated host for the job when analyzing backups. This examination host should be secure, clean (a fresh, hardened install of the operating system is a good idea), and isolated from any network: you do not want it tampered with while you work, and you do not want to accidentally send something nasty down the line.
- Commence analysis of the backups once the examination host is available. Work on copies and record their hashes before you begin; mistakes at this point are then not a problem, since you can simply restore from the backups again if required.
- Document everything you do. That is the mantra of the whole investigation.
- Ensure that what you do is not only repeatable but deterministic: rerunning a step on the same evidence must always give the same results.
- Now that you have collected the data, reconstruct the chain of events leading up to and following the attacker's break-in.
- Correlate all the evidence you have gathered (which is why accurate timestamps are critical). Graphical tools, diagrams, and spreadsheets are usually the best way to do this.
- Include all of the evidence you have found when reconstructing the attack, no matter how small it is; leaving a piece out is how things get missed.
- Review audit trails of system activity to pinpoint how, when, and why the incident occurred, so that the extent of the damage can be assessed.
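The timeline steps above (recording drift and time zone, synchronizing logs, using UTC timestamps, correlating evidence) as one worked example. This is an added example, not code from the original post: it takes log lines from three hosts that each wrote local time on a drifting clock, converts every entry to UTC using the zone offset and drift recorded at collection time, keeps the original local stamp beside the corrected one, and sorts the result into a single chain of events. The host names, offsets, drift values and log lines are all constructed for the demonstration.

```python
"""Build a UTC-normalized timeline from logs collected on several hosts.

Added example, not part of the original post. The host names, time zone
offsets, clock-drift values and log lines are all constructed for this demo.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Clock facts recorded at collection time for each source (assumed values).
#   tz_offset: the UTC offset the source wrote its local timestamps in.
#   drift:     how far the source clock ran AHEAD of a trusted reference
#              clock when it was checked (negative means it ran behind).
SOURCES = {
    "web01":   {"tz_offset": timedelta(hours=-5), "drift": timedelta(seconds=97)},
    "db01":    {"tz_offset": timedelta(hours=1),  "drift": timedelta(seconds=-12)},
    "fw-edge": {"tz_offset": timedelta(hours=0),  "drift": timedelta(seconds=0)},
}

# Constructed sample log lines: "<source> <local timestamp> <message>".
# They are deliberately out of order and stamped by three different local clocks.
RAW_LOG = """\
web01 2024-03-10 02:14:37 GET /admin/login 200 from 203.0.113.9
fw-edge 2024-03-10 07:12:58 ALLOW tcp 203.0.113.9:51502 -> 10.0.0.5:443
db01 2024-03-10 08:15:01 user 'app' executed SELECT * FROM customers
web01 2024-03-10 02:14:55 POST /admin/export 200 from 203.0.113.9
db01 2024-03-10 08:13:30 failed login for 'sa' from 10.0.0.5
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


@dataclass(order=True)
class Event:
    utc: datetime       # corrected, time-zone-aware UTC timestamp (sort key)
    source: str
    local_ts: str       # original string, kept so the conversion can be audited
    message: str


def to_utc(source: str, local_ts: str) -> datetime:
    """Interpret a local timestamp in the source's zone and remove its clock drift."""
    meta = SOURCES[source]
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=timezone(meta["tz_offset"]))
    # A clock that ran AHEAD by `drift` stamped events later than they happened,
    # so the true time is the observed time minus the drift.
    return aware.astimezone(timezone.utc) - meta["drift"]


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    source, local_ts, message = m.groups()
    if source not in SOURCES:
        # Refuse to guess: without recorded clock metadata an entry cannot be placed.
        raise KeyError(f"no clock metadata recorded for source {source!r}")
    return Event(to_utc(source, local_ts), source, local_ts, message)


def build_timeline(raw: str) -> list[Event]:
    """Parse every line, normalize to UTC and order the events chronologically."""
    events = [parse_line(ln) for ln in raw.splitlines() if ln.strip()]
    return sorted(events)


def render(timeline: list[Event]) -> str:
    """One line per event: corrected UTC, source, original local stamp, message."""
    return "\n".join(
        f"{ev.utc.strftime('%Y-%m-%dT%H:%M:%SZ')} {ev.source:<8} "
        f"(local {ev.local_ts}) {ev.message}"
        for ev in timeline
    )


if __name__ == "__main__":
    print(render(build_timeline(RAW_LOG)))
```

Once normalized, the firewall ALLOW, the admin login, the export request and the database activity fall into one sequence a few seconds apart, which the raw local stamps (02:14, 07:12, 08:13) hide completely. Entries from a source whose clock was never measured are rejected rather than silently placed, because a timeline that mixes corrected and uncorrected clocks is worse than none.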
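The examination-host steps above (analyze copies of the backups, document everything, make the work repeatable with identical results) rest on being able to prove the evidence copy has not changed between runs. The following hash manifest is an added example, not code from the original post: it records the size and SHA-256 of every file in the evidence copy, and a later verification reports any file that is missing, altered, or newly present. The files it hashes are constructed in a temporary directory purely to make the demonstration self-contained.

```python
"""Hash manifest for the evidence copy on the examination host.

Added example, not part of the original post. Standard library only; the
evidence files are constructed in a temporary directory for the demo.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def _relative_paths(root: str) -> list[str]:
    """Every file under root as a sorted, forward-slash relative path."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def build_manifest(root: str) -> dict:
    """Record size and SHA-256 of every file under root, plus when the record was made."""
    files = {}
    for rel in _relative_paths(root):
        path = os.path.join(root, rel)
        files[rel] = {"size": os.path.getsize(path), "sha256": sha256_file(path)}
    return {"created_utc": datetime.now(timezone.utc).isoformat(), "files": files}


def verify_manifest(root: str, manifest: dict) -> list[str]:
    """Return a list of discrepancies; an empty list means the evidence copy is unchanged."""
    problems = []
    expected = manifest["files"]
    for rel, rec in expected.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != rec["sha256"]:
            problems.append(f"hash mismatch: {rel}")
    for rel in _relative_paths(root):
        if rel not in expected:
            problems.append(f"unexpected file: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Create constructed evidence files, build a manifest, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logs"))
        with open(os.path.join(root, "logs", "auth.log"), "w") as f:
            f.write("Mar 10 07:13:42 db01 sshd[412]: Failed password for sa from 10.0.0.5\n")
        with open(os.path.join(root, "disk.img"), "wb") as f:
            f.write(b"\x00" * 4096)  # constructed stand-in for a disk image

        manifest = build_manifest(root)
        # This JSON is what you would store (and hash) alongside the evidence copy.
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)
        clean = verify_manifest(root, json.loads(manifest_json))

        # Simulate an accidental edit during analysis and a scratch file left behind.
        with open(os.path.join(root, "logs", "auth.log"), "a") as f:
            f.write("Mar 10 07:20:00 db01 sshd[412]: Accepted password for sa\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("scratch\n")
        tampered = verify_manifest(root, json.loads(manifest_json))
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("before analysis:", clean or "OK")
    print("after analysis: ", tampered)
```

Run the verification at the start and end of every analysis session and file the output with your notes; a clean result is the evidence that the step was repeated on the same data, and a mismatch tells you to restore from the backup before trusting anything you derived.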