Post Reply 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Forensic Environment Questions
07-23-2017, 06:54 PM
Post: #1
Forensic Environment Questions
Hello DFIR List,

My organization has recently agreed to stand up a forensics and incident response program, for which I'm leading due to my past experience and SANS training. Our forensic case work thus far has been standard corporate investigations with a little spice every here and there. Our incident response workload so far has been primarily ad-hoc response to events or incidents "of particular interest", such as malware beyond the standard commodity-ware. If there are any additional details I need to provide to better answer the rest of this email, feel free to ask.

I have some questions about how other organizations are managing their forensic investigation environments. While I'll also be doing incident response, my forensics work tends to be much more sensitive to environmental factors. If you have any experience or war stories that you would like to share, but not publicly, please feel free to respond privately off-list.


1. For static and mobile forensics work, do your staff run separate dedicated workstations, or do they run virtual machines within their primary workstations?

2. Are your forensics systems built from an enterprise image, or are they custom built by analysts from base installs?

3. How are standard enterprise functions implemented on forensics systems (e.g. automatic patching, group policy, inherited permissions/users/user groups)?

4. How do you protect your case data from unauthorized modification or disclosure in a corporate enterprise environment?
a. Do you have your forensics lab on a different network segment?
b. Do you have your case storage on a different network segment or NAS/SAN?
c. Do you encrypt your case data?

5. Is there any other tidbits of information, or perhaps any pitfalls, that you wish you knew about, in regards to the forensics work environment, when you started doing forensics?

Find all posts by this user
Quote this message in a reply
Post Reply 

Forum Jump:

User(s) browsing this thread: 1 Guest(s)