Digital Forensic Checklist

Project Name: Digital Forensic Checklist

Description: This blog will help all forensics investigator for Digital Forensic Checklist

Author: Rohit D Sadgune

Frequently Asked Question on Computer Forensics Investigation

• Checklist of Principal Digital Forensic Activities Checklist Form

1. Safely seize computer systems and files to avoid contamination and/or interference.
2. Safely collect data and software.
3. Safe and non contaminating copying of disks and other data media.
4. Review and report on data media.
5. Source and review backup and archived files.
6. Recover/reconstruct deleted files—logical methods.
7. Recover material from swap and cache files.
8. Recover deleted/damaged files—physical methods.
9. Core-dump: Collect an image of the contents of the active memory of a computer at a particular time.
10. Estimate if files have been used to generate forged output.
11. Review single computers for proper working during relevant period, including service logs, fault records, and the like.
12. Prove/test reports produced by complex client/server applications.
13. Review complex computer systems and networks for proper working during relevant period, including service logs, fault records, and the like.
14. Review system/program documentation for design methods, testing, audit, revisions, and operations management.
15. Review applications programs for proper working during relevant period, including service logs, fault records, and the like.
16. Identify and examine audit trails.
17. Identify and review monitoring logs.
18. Conduct telecoms call path tracing (PTTs or path-tracing telecoms and telecoms utilities companies only).
19. Review access control services—quality and resilience of facilities (hardware and software, identification/authentication services).
20. Review and assess access control services—quality of security management.
21. Review and assess encryption methods—resilience and implementation.
22. Set up proactive monitoring to detect unauthorized or suspect activity within application programs and operating systems and across local area and wide area networks.
23. Monitor email.
24. Use special alarm or trace programs.
25. Use honeypots.
26. Interact with third parties (suppliers, emergency response teams, and law enforcement agencies).
27. Review and assess measuring devices and other sources of real evidence, including service logs, fault records, and the like.
28. Use routine search programs to examine the contents of a file.
29. Use purpose-written search programs to examine the contents of a file.
30. Reconcile multi source files.
31. Examine telecoms devices and location of associated activity logs and other records perhaps held by third parties.
32. Reconstruct events.
33. Reconstruct complex computer intrusion.
34. Reconstruct complex fraud.
35. Reconstruct system failure.
36. Reconstruct disaster affecting computer-driven machinery or process.
37. Review expert- or rule-based systems.
38. Reverse compilation of suspect code.
39. Use computer programs that purport to provide simulations or animations of events: review of accuracy, reliability, and quality.

GO BACK TO COMPUTER FORENSICS CHECKLIST