Forensics

schuydorsey

Is anyone here especially skilled in forensics? I am looking to learn (quickly and effectively). I have already purchased the Syngress book.

I actually have two clients needing forensics work already, so I am going to try to brush up on it and the tools to find what I need as quickly as possible. Ah.. the life of being an I.T. slave. :)

matugm

I just know the basics but I'm going to try to give you some tips to get you started.

If you are going to do this more than a few times you may want to ask your company for a hardware write blocker (Tableau seems to be a popular brand) for reliable disk imaging. You will also need plenty of storage, because you should take two copies of the original drive: one as a backup that you will not touch unless something goes bad, and the other to work on and do your forensics work.

As for a software imaging solution (again, a hardware one is recommended) you may want to check out dd or the forensic specialized version dcfldd. You may also want to have a look at specialized forensics Linux distros like DEFT or CAINE, and if you have plenty of money to drop you may want to check out the famous EnCase.

If your main target system is Windows you may want to pay attention to Registry forensic tools like RegRipper.

If your targets are live systems (haven't been shut down since the incident) you may want to look into memory forensics; popular tools for this are Volatility for analysis and Moonsols DumpIt for dumping memory.

For recovering deleted partitions and files you may want to look into TestDisk.

For analyzing browser data, cache, history etc. there are plenty of tools; you may want to try the NirSoft tools.

If you need to bring this evidence to court you will also need to have everything timestamped and hashed (SHA-1 or better), and keep a record of all the tools used. Also, if multiple people are going to handle the evidence you may want to have a chain of custody document.

Let me know if that helps.

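The imaging and evidence-handling advice in the post above (dd for the image, a SHA-1-or-better hash of everything, a timestamped record of what was done), worked through as an added POSIX shell example that is not from this thread. The source, image and log paths and the examiner name are assumptions; in the usage the "device" is a constructed sample file standing in for a write-blocked drive.

```shell
#!/bin/sh
# Added example, not from the thread: image a source with dd, hash source and
# image with SHA-256 (the post asks for SHA-1 or better), and append a
# timestamped acquisition record to a log. Paths and examiner name are assumed.
set -eu

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# acquire_image SOURCE IMAGE LOG EXAMINER
# Images SOURCE (a block device, or a file standing in for one) to IMAGE,
# hashes both, records times, host, source, image and hash in LOG, and
# returns 0 only if the two hashes match. SOURCE is assumed to sit behind a
# write blocker; nothing here writes to it.
acquire_image() {
    src=$1 img=$2 log=$3 examiner=$4
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # bs=512 matches the sector size, so conv=sync never pads a real device;
    # noerror keeps imaging past unreadable sectors instead of aborting.
    # dd's own record counts go into the log as part of the tool record.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$src_hash" = "$img_hash" ]; then status=MATCH; else status=MISMATCH; fi
    printf 'acquired\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$start" "$end" \
        "$examiner" "$(uname -sr)" "$src" "$img" "$img_hash" "$status" >>"$log"
    [ "$status" = MATCH ]
}

# verify_image IMAGE LOG
# Re-hashes IMAGE, compares it with the hash recorded at acquisition and logs
# the check; run it whenever the working copy changes hands or is reopened.
verify_image() {
    img=$1 log=$2
    recorded=$(awk -F'\t' -v i="$img" '$1=="acquired" && $7==i {h=$8} END {print h}' "$log")
    now=$(sha256_of "$img")
    if [ -n "$recorded" ] && [ "$recorded" = "$now" ]; then r=OK; else r=FAIL; fi
    printf 'verified\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$img" "$now" "$r" >>"$log"
    [ "$r" = OK ]
}
```

Typical use is `acquire_image /dev/sdb /evidence/case1.dd /evidence/case1.log "examiner name"` once, then `verify_image /evidence/case1.dd /evidence/case1.log` at every handover; the tab-separated log is the hash and tool record the post says a court will ask for.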
schuydorsey

Thanks for the point in the right direction! A lot of information to take in.

I am familiar with the chain of custody but the rest of the tools I will have to familiarize myself with. You always seem to know the answers and it astounds me!

Iain

Firstly Jesus you are a legend as always :)

I have done some criminal forensic work here in the UK and Jesus is not far wrong with what he is suggesting; the only thing I would add is:

In the UK we will only work from one image of the original exhibit. So for example if I was to have a laptop in my possession I would take a complete image (sector by sector) of that and retain the original machine securely. So Jesus is right again, storage is so so important (and reliable storage at that).

The tool I use for imaging is FTK.

Jesus also mentioned using a hardware write blocker such as Tableau. This is an absolute must because you need to keep the integrity of the data, and if your computer accesses the drive then it can be argued that you have changed the data or altered the state of the image in some way.

An alternative to a hardware blocker is a software one such as Dsi USB Writeblocker.

After this I am afraid it has to be EnCase all the way; it is the only software that is truly recognised within the UK law system.

I second what Jesus also says about knowing your software... as a forensic examiner you will need to know the software inside and out because you will be questioned on it.

Here are some free resources for you, including the two I listed above: Forensic Tools

If you want to get into the whole world of mobile phone forensics... well, that is a whole world of pain :)

Enjoy

Iain

robertray

Great post. Cheers for sharing.

Iain what suggestions would you make in a first responder situation?

I.e. something is suspected as going on... the machine is still running... what data should be collected?

I've seen this batch file which collects a few things: http://quality-training.co.uk/blog/?p=1181

The other thing I would imagine is to have a witness at all times so someone can confirm everything done.

My understanding from talking to some people is that mistakes are often made by losing useful info from switching off the box too soon.

schuydorsey

Rob, great add and questions! I would love to know the answers.

Also, great batch file!

matugm

For incident handling I suggest that you guys check out the NIST Incident Handling guide. I didn't read it myself, but I found it recommended by some SANS instructor -> http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf

Personally I would collect a physical memory dump using the tool I referenced above (for Linux check this: http://superuser.com/questions/164960/how-do-i-dump-physical-memory-in-linux); with that you can analyze it and get data like running processes, network connections etc.

Also you want to grab logs, like Apache and login logs, but you should do that offline from a forensic copy so you don't alter the timestamps.

ten35group

One thing that I would add for the forensics on a running computer is that you may want to, in addition to taking an image of the memory, think about imaging the system live AND also taking an image when it has been shut down. So you would in essence have three (3) forensic images. You can gain a whole lot of info from a live system.

And as was pointed out, FTK Imager is a very good (and free) tool to use for all of the above! For those needing a hardware write blocker, WiebeTech has come out with a new v5 of their product, so I am seeing drastic price drops in v4. So for those of you that don't need to do this daily, v4 will work perfectly fine (read: take a bit more time). Google WiebeTech Forensic UltraDock v4 and you should be able to find some good pricing!
