Repository snapshot (latest commit 26d1cb3, Nov 19, 2019). Contents: _book, android, img, ios, mac, windows, README.md, SUMMARY.md, android.md, backup.md, general-approach.md, ios.md, license-credits.md, mac.md, methodology.md, preparations.md, safety.md, trust.md, windows.md
Guide to Quick Forensics

Members of civil society often have a more or less justified suspicion of being surveilled. Perhaps they have experienced anomalies on their computers or mobile devices, or they have reason to believe that some of their communications have been intercepted.

Technologists and first responders working in civil society are often asked to help inspect human rights defenders' devices. The purpose of this guide is to introduce a methodology that can be useful for quickly assessing potential infections.

While the methodology introduced here is by no means sufficient to provide a definitive and conclusive assessment of whether a suspected device is clean, it can at least help identify the more obvious infections. Ultimately, it is up to your intuition and understanding of the context to determine which recommendations are best to give. Hopefully this guide will help you get started doing Quick Forensics, and will provide you with the tools and techniques to start practicing and developing your skills.

Note: this guide is currently under development. You can contribute to this text here.

Why do Quick Forensics?

Learning to perform quick forensics and to triage helps determine whether a case requires additional resources or not. Being able to extract the relevant data means that in-depth investigators will not need access to the device (at least, not immediately). More people doing triage means better scalability of incident response in civil society: researchers working on targeted threats against civil society are few, and mostly focused on publications.

The objectives

When performing quick forensics and responding to a potential compromise, we have the following broad objectives:

  1. Try to determine if the device is indeed potentially infected.
  2. Extract enough data for subsequent verification, and for further investigation (for example, to determine what type of malware infected the device).
  3. Determine what to do with the device and how to further assist its owner.