jtingkir wrote:
... could you guys be so kind and point out if my way of doing things is wrong and I should've follow the SOP.
The SOP, whatever it is (written or unwritten), is something your employer or department or whatever requires or expects you to follow, for reasons stated or unstated. Failure to follow it is also something that is handled by the same environment: it may be left unsaid, or it may, for example, be clearly stated that repeated infractions are grounds for dismissal. We don't know; you should.
Quote:
1. SOP: make image of evidence on different HDD (new evidence means new HDD).
There are several reasons for doing so, but which apply in your case is something you will have to ask yourself or your own organization about.
One reason is to avoid having to hand over unrelated evidence to a second investigating instance. If you have images from CASE1 and CASE2 on a HDD, add an image from CASE3, and later discover that CASE3 contains contraband, say, IIOC, what now? In the general case you obviously will have to hand over any HDD that contains that material to LE. How does that affect your ability to work on CASE1 and CASE2? Have you broken contract clauses related to CASE1 or CASE2, say, something about keeping the material secret? How will that damage your company directly (in damages to CASE1 and CASE2 principals), and in the future (tainted reputation for sloppy evidence handling), and possibly even regarding your own credibility in other ongoing legal cases where you are involved?
You may not be waist deep in dung at the moment, but you appear to have taken a few steps closer to the sewage pool than anyone reasonably could wish.
Quote:
2. SOP: put the evidence from point 1. on FRED, extract based on keyword or based on request of client (usually some others just request a full dump of allocated and carve the unallocated)
... I do it on my laptop, it takes some time on my laptop, but beats walking back and forth to the FRED, because it's in a different building and not connected via LAN.
And now you may have that contraband on your laptop, and will have to hand that over to LE as well. Does that affect your ability to conduct business related to other investigations you do? Does it have any other unwanted effects?
Your company probably wants to keep business risks under control; your failure to follow your SOPs may have impaired that. This is almost certainly an incident in your company: that is, an unwanted event. Do you also do incident handling as part of your job? Risk identification, assessment, containment, mitigation, and everything else seem to be in order. How would you start that process?
Added: Yes, I've been in this neighbourhood myself.
However, you are on your way to becoming an expert in computer forensics. A wise man once defined an expert as someone who has made all the mistakes and errors possible within his particular area of expertise. Best of luck with the mistakes you have yet to make.