I call an operating system a “Forensically Sound Environment” when it is configured to log and trace enough activity that a specific case can be analysed during a forensic investigation or incident response. Here are some configurations for building such an environment.
Prerequisite
- Sync the date and time to a time source, using either local time or UTC consistently
Windows
Most of these configurations are Windows artifacts. Applications such as IIS and Windows Advanced Firewall are included as well, but we cannot get any evidence from them unless those settings are configured properly, as in a forensically sound environment.
- EnablePrefetcher
- NtfsDisableLastAccessUpdate
- $LogFile
- Windows Recovery
- Minidump
- Windows Event Log
- WinRM service
- Event Tracing for Windows
- C:\> openfiles /local on
- Windows Advanced Firewall
- Application Log
- IIS
- Anti-Virus
- Adobe Reader
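As an added example (not code from the original post), the following PowerShell script audits the Windows items listed above together with the time-sync prerequisite: for each setting it reports the current value, whether it meets an assumed target, and the documented command that changes it. The target values, the 1 GB Security log threshold, the meaning assumed for the System Restore RPSessionInterval value, and the wording matched in the openfiles and w32tm output are this example's assumptions, not statements from the post.

```powershell
# Added example, not code from the original post: a read-only audit of the
# Windows settings listed above plus the time-sync prerequisite. Run from an
# elevated PowerShell prompt on the machine being built. The expected values
# and the minimum Security log size (1 GB) are this example's own assumptions;
# the Fix column quotes the documented command that changes each setting.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: Windows falls back to its built-in default
}

function Test-ForensicReadiness {
    $checks = @()

    # Prerequisite: clock disciplined by an NTP source, not the local CMOS clock
    $ts  = (w32tm /query /status 2>&1 | Out-String)
    $src = [regex]::Match($ts, 'Source:\s*(.+)').Groups[1].Value.Trim()
    $checks += [pscustomobject]@{ Setting='Time source (w32tm)'; Current=$src
        Ok=($src -ne '' -and $src -notmatch 'Local CMOS Clock'); Fix='w32tm /resync' }

    # Prefetch: 3 = boot and application prefetch, keeps C:\Windows\Prefetch populated
    $v = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters' 'EnablePrefetcher'
    $checks += [pscustomobject]@{ Setting='EnablePrefetcher'; Current=$v; Ok=($v -eq 3)
        Fix='Set-ItemProperty "...\PrefetchParameters" -Name EnablePrefetcher -Value 3' }

    # Last-access timestamps: 0 = updated (1 = disabled; Windows 10 1803+ also uses
    # 2 = system-managed enabled and 3 = system-managed disabled)
    $v = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' 'NtfsDisableLastAccessUpdate'
    $checks += [pscustomobject]@{ Setting='NtfsDisableLastAccessUpdate'; Current=$v; Ok=($v -eq 0 -or $v -eq 2)
        Fix='fsutil behavior set disablelastaccess 0' }

    # Crash dumps: 0 = none, 1 = complete, 2 = kernel, 3 = small (mini), 7 = automatic
    $v = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' 'CrashDumpEnabled'
    $checks += [pscustomobject]@{ Setting='CrashDumpEnabled'; Current=$v; Ok=($null -ne $v -and $v -ne 0)
        Fix='Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl -Name CrashDumpEnabled -Value 3' }

    # System Restore (Windows Recovery): RPSessionInterval 1 = enabled (assumed meaning)
    $v = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' 'RPSessionInterval'
    $checks += [pscustomobject]@{ Setting='System Restore'; Current=$v; Ok=($v -eq 1)
        Fix='Enable-ComputerRestore -Drive "$env:SystemDrive\"' }

    # Security event log: large enough that it is not overwritten before collection
    $log = Get-WinEvent -ListLog Security
    $checks += [pscustomobject]@{ Setting='Security log max size'; Current=$log.MaximumSizeInBytes
        Ok=($log.MaximumSizeInBytes -ge 1GB); Fix='wevtutil sl Security /ms:1073741824' }

    # Windows Advanced Firewall: log both dropped and allowed connections on every profile
    foreach ($p in Get-NetFirewallProfile) {
        $checks += [pscustomobject]@{ Setting="Firewall log ($($p.Name))"
            Current="Blocked=$($p.LogBlocked) Allowed=$($p.LogAllowed)"
            Ok=("$($p.LogBlocked)" -eq 'True' -and "$($p.LogAllowed)" -eq 'True')
            Fix="Set-NetFirewallProfile -Profile $($p.Name) -LogBlocked True -LogAllowed True" }
    }

    # openfiles: the global flag must be ON for "openfiles /query" to list local handles
    # (the tool's output is assumed to contain the word 'enabled' or 'disabled')
    $of = (openfiles /local 2>&1 | Out-String).Trim()
    $checks += [pscustomobject]@{ Setting='openfiles /local'; Current=$of; Ok=($of -match 'enabled')
        Fix='openfiles /local on   (takes effect after reboot)' }

    # WinRM: lets responders collect artifacts remotely (Enter-PSSession, Invoke-Command)
    $svc = Get-Service -Name WinRM
    $checks += [pscustomobject]@{ Setting='WinRM service'; Current=$svc.Status; Ok=($svc.Status -eq 'Running')
        Fix='Enable-PSRemoting -Force' }

    return $checks
}

# Usage: print every check, then only the ones that still need fixing
Test-ForensicReadiness | Format-Table Setting, Current, Ok -AutoSize
Test-ForensicReadiness | Where-Object { -not $_.Ok } | Format-List Setting, Fix
```

The script only reads; the Fix commands are printed rather than executed so that the change to each setting is a deliberate step on the build checklist. Event Tracing for Windows, IIS, anti-virus and Adobe Reader logging are application-specific and are not covered by this audit.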
Linux
- Auditd
- iptables logging
Post Task
- Build MD5 white-list
- Logging remotely
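As an added example for the “Build MD5 white-list” task (not code from the original post), this PowerShell snippet hashes a directory tree right after the system is configured and later diffs the live tree against that baseline, reporting new, modified and missing files. The directory, the baseline file name and the off-host location mentioned in the comments are this example's choices.

```powershell
# Added example, not code from the original post: build a known-good MD5 list
# of a directory tree at build time and compare the live tree against it during
# triage. The root path and baseline file name below are this example's choices.

function New-HashWhitelist {
    param([string]$Root, [string]$OutFile)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm MD5 -ErrorAction SilentlyContinue |
        Select-Object Path, Hash |
        Export-Csv -Path $OutFile -NoTypeInformation
    # Keep a copy of $OutFile off the host (it is only trustworthy if an
    # intruder cannot rewrite it along with the files it describes).
}

function Compare-HashWhitelist {
    param([string]$Root, [string]$BaselineFile)
    $baseline = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $baseline[$_.Path] = $_.Hash }
    $seen = @{}

    # Pass 1: hash the live tree and flag files that are absent from or differ
    # from the baseline
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm MD5 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $seen[$_.Path] = $true
            if (-not $baseline.ContainsKey($_.Path)) {
                [pscustomobject]@{ Status='NEW';      Path=$_.Path; Hash=$_.Hash }
            } elseif ($baseline[$_.Path] -ne $_.Hash) {
                [pscustomobject]@{ Status='MODIFIED'; Path=$_.Path; Hash=$_.Hash }
            }
        }

    # Pass 2: baseline entries that no longer exist on disk
    foreach ($p in $baseline.Keys) {
        if (-not $seen.ContainsKey($p)) {
            [pscustomobject]@{ Status='MISSING'; Path=$p; Hash=$baseline[$p] }
        }
    }
}

# Usage: run the first line once at build time, the second during triage
New-HashWhitelist     -Root "$env:SystemRoot\System32" -OutFile 'C:\baseline\system32-md5.csv'
Compare-HashWhitelist -Root "$env:SystemRoot\System32" -BaselineFile 'C:\baseline\system32-md5.csv' |
    Format-Table Status, Path, Hash -AutoSize
```

MD5 is used here because the post calls for an MD5 white-list; since MD5 collisions are practical, `-Algorithm SHA256` is a drop-in replacement if the list is meant to prove integrity rather than just filter known-good files out of a review.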
I will describe each of the items above in more detail and link each title on this page to its own post. I hope to build this list together with you.