DOTE

Chain And Rate

Friday, February 14, 2014

Network Forensics Investigative Methodology (OSCAR) : Part 1

Like any other forensic task, recovering and analyzing digital evidence from network sources must be done in such a way that the results are both reproducible and accurate. To ensure a useful outcome, forensic investigators should perform their activities within a methodological framework. The recommended step-by-step process (OSCAR) is as follows:

Obtain information
Strategize
Collect evidence
Analyze
Report
[Figure: Use of OSCAR]
Obtain Information
Whether you’re law enforcement, internal security staff, or a forensic consultant, you will always need to do two things at the beginning of an investigation: obtain information about the incident itself, and obtain information about the environment.

Strategize
It is crucial that, early on, you take the time to accurately assess your resources and plan your investigation. While this is important for any investigation, it is especially important for network forensics because there are many potential sources of evidence, some of which are very volatile (rolling packet-capture buffers, short-lived logs). Investigators must work efficiently. You will want to confer regularly with others on the investigative/incident response team while planning and conducting the investigation, to ensure that everyone is working in concert and that important developments are communicated.
[Figure: An example of evidence prioritization. These values will be different for every investigation.]

Here are some tips for developing an investigative strategy:
• Understand the goals and time frame of the investigation.
• List your resources, including personnel, time, and equipment.
• Identify likely sources of evidence.
• For each source of evidence, estimate the value and cost of obtaining it.
• Prioritize your evidence acquisition.
• Plan the initial acquisition/analysis.
• Decide upon method and times of regular communication/updates.
• Keep in mind that after conducting your initial analysis, you may decide to go back and acquire more evidence. Forensics is an iterative process.
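The value/cost estimate and the prioritization step above are easy to get wrong when some sources are volatile: ranking purely on value per hour can schedule a rolling packet-capture buffer behind cheaper log pulls and lose it. The following script is an added example (not from the original post, and not a tool from any particular vendor) that encodes a constructed evidence inventory with estimated value, acquisition cost and retention window, builds both a naive value-for-cost plan and a volatility-aware plan, and simulates a single analyst working each plan to show what would be lost. All source names, values, costs and retention figures are made up for illustration.

```python
"""Evidence-prioritization helper for the Strategize phase of OSCAR.

Illustrative example only; the sources, values, costs and retention
windows below are constructed, not taken from a real investigation.
"""
from dataclasses import dataclass
from math import inf
from typing import List


@dataclass(frozen=True)
class EvidenceSource:
    name: str
    value: int              # estimated evidentiary value for this case, 1 (low) to 10 (high)
    cost_hours: float       # estimated analyst effort to acquire and preserve it
    retention_hours: float  # hours until the data is overwritten or purged; inf if durable


# Constructed sample inventory for a hypothetical intrusion case.
SOURCES: List[EvidenceSource] = [
    EvidenceSource("Span-port packet capture (1 h rolling buffer)", 9, 1.5, 1.0),
    EvidenceSource("NetFlow collector (48 h rolling)", 8, 2.0, 48.0),
    EvidenceSource("DHCP lease log (24 h rolling)", 5, 0.5, 24.0),
    EvidenceSource("Firewall syslog (30-day retention)", 7, 1.0, 720.0),
    EvidenceSource("Web proxy logs (90-day retention)", 6, 1.2, 2160.0),
    EvidenceSource("IDS alert database (archived)", 6, 3.0, inf),
]


def value_for_cost(src: EvidenceSource) -> float:
    """Value gained per analyst-hour spent: the 'value and cost' estimate from the tips."""
    return src.value / src.cost_hours


def rank_by_value_for_cost(sources: List[EvidenceSource]) -> List[EvidenceSource]:
    """Naive plan: most value per hour first, ignoring how long the data will survive."""
    return sorted(sources, key=value_for_cost, reverse=True)


def rank_volatility_aware(sources: List[EvidenceSource], horizon_hours: float) -> List[EvidenceSource]:
    """Plan that respects volatility.

    Sources that will be lost within the planning horizon are acquired first,
    earliest deadline first; durable sources follow in value-for-cost order.
    """
    volatile = sorted(
        (s for s in sources if s.retention_hours <= horizon_hours),
        key=lambda s: s.retention_hours,
    )
    durable = rank_by_value_for_cost(
        [s for s in sources if s.retention_hours > horizon_hours]
    )
    return volatile + durable


def acquisition_losses(plan: List[EvidenceSource]) -> List[str]:
    """Simulate one analyst working the plan in order and report what is lost.

    Simplifying assumption: a source is preserved if its acquisition *starts*
    before its retention window closes (the rolling buffer has not yet wrapped
    past the time of interest). Acquisitions are sequential, so each one
    delays everything after it.
    """
    elapsed = 0.0
    lost: List[str] = []
    for src in plan:
        if elapsed >= src.retention_hours:
            lost.append(src.name)
            continue
        elapsed += src.cost_hours
    return lost


if __name__ == "__main__":
    plans = (
        ("value-for-cost only", rank_by_value_for_cost(SOURCES)),
        ("volatility-aware (24 h horizon)", rank_volatility_aware(SOURCES, 24.0)),
    )
    for label, plan in plans:
        print(f"== {label} ==")
        for i, s in enumerate(plan, 1):
            print(f"{i}. {s.name}  (value {s.value}, {s.cost_hours} h, "
                  f"retained {s.retention_hours} h)")
        print("lost before acquisition:", acquisition_losses(plan) or "none")
```

Run it and the naive plan pulls the cheap DHCP and firewall logs first and arrives at the span-port buffer after it has wrapped; the volatility-aware plan captures everything with the same total effort. The planning horizon is the length of your initial acquisition pass: anything that expires inside it is treated as a deadline, everything else is ordered by value for cost, and the plan is re-run whenever the estimates change (forensics is iterative).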

To be continued... ^_^