AT1: A Postmortem
After submitting the investigation journals for AT1, I have been reflecting a lot on the content of the images and the way in which I approached the investigation. One of the things that was difficult was working out where to start and how to progress through the image, especially the larger Windows image. It’s difficult to know where to start looking. I had a preconceived idea of what might lie on the disk, a notion of the general Windows directory structure and some ideas of where to look based on the content in lectures; however, that still didn’t give me a starting point. When I started working on the disk, I began by running the Autopsy ingest modules, which seemed like a logical progression, and revealed some interesting and noteworthy files. I then proceeded to try and build up a picture of the computer details (OS version, number of users, company ownership, etc.). This eventually led me down other paths, and as I investigated various aspects, I was faced with dilemmas about which path to take to explore things further. This meant that I had to keep trying to come back and look at other aspects around a particular issue, switch back to the other image to check something, and so on. In the end, it just became a little messy and confused.
As a result of this slightly haphazard approach to investigation, I realised that I should probably work out a better forensic methodology to follow, and have some better way of taking notes as I go. Whilst the journal shows clearly the steps I took, its heavy chronological component doesn’t allow for the lateral expansion of the investigation, which makes me think I need to show a progression rather than jumping between things. I think that next time I do an investigation, I need to better understand what my aim is and where I intend to go, and build a checklist of things to look into when investigating certain aspects of an image.
I also potentially missed out on some key aspects and sections of the image as a result of being pushed for time, and trying to cover all bases whilst not exploring every detail as I would have liked. For example, Tim mentioned a variety of ways in which we can piece together USB device information from various Windows registry keys and other system information, but I didn’t lift up all the stones, and thus got a bit confused over two USB devices that I discovered, and how they interplayed with the other image and the system in general.
Another aspect of my investigation technique that failed me was the lack of a tooling environment. I have a Windows 10 machine set up with Autopsy, FTK Imager, etc. installed; however, I found myself having to explore and install new tools mentioned in lectures, and then having to learn them on the spot, which not only made my tangential investigations take longer, but also meant that I lost my train of thought because I had to stop to set up and install software. Additionally, one thing I noticed myself needing to do was actually test out various software on a matching OS version to see how it behaved, whether to see what files are written when certain steps are taken, or merely to get to know a new piece of software that I found was used on the Windows image I was investigating (e.g. GnuPG or VeraCrypt). Next time I do an investigation, I would like to first set up a vanilla install of the OS I’m investigating so that I can replicate and test tools in a clean environment to see how they behave.