Notifications
Clear all

Forensic Tools

3 Posts
3 Users
0 Likes
648 Views
(@ia_virus)
Posts: 1
New Member
Topic starter
 

What tools or applications are considered the best and are easy to utilize? When collecting evidence, what method is preferred? Do you place the evidence onto a CD or other media? Thanks
Jeff

 
Posted : 18/04/2005 8:10 pm
(@andyfox)
Posts: 43
Eminent Member
 

Hi Jeff

good question. We find that giving the client a choice is a pretty good way of doing things. There is no way we are going to print of 1000 images for a report for a client unless they ask - and pay! but we do offer to provide sdamples on CD and with a couple fo our clients we provide them with a free imaged hard drive so they can see all the evidence as view only. This also means for us that if they want reports on different images for example they can refer to them and locate them easily. So no stndard method but entirly the clienst chice, whatever suits their own investigation needs. Hope that helps.

 
Posted : 19/04/2005 9:57 am
(@gmarshall139)
Posts: 378
Reputable Member
 

As far as evidence, it is generally always copied to hard drives as part of the imaging process. I archive all evidence files to DVD's as the next step. At the conclusion of an analysis these preserved as evidence for any future needs. The hard drive is then wiped and re-used. I backup the evidence files immediately after acquisition because you really never know when a hard drive will fail. Some will last years and some days, you just can't be sure.

As for which tool is best that's really a matter of preference. I would caution a new examiner to stay away from the hacker type tools. You don't want to have to explain in court that your application was written by someone named "demonhacker". It's just not going to sound very professional. Encase and Forensic Toolkit (FTK) are very popular window's based applications. Winhex is another very good product. If you're in law enforcement you can get I-look free of charge as well as the training through NWC3. If you prefer Linux there are several products available like Penguin Sleuth ( http://www.linux-forensics.com/ ). There's a lot out there. I'm not sure any are easy to use, or master, but if you are more familiar with Windows for instance I would lean towards a Windows application.

When you say collecting evidence I am thinking acquisition. Whatever method you use the primary concern is that you don't alter the original in any way. Attaching it to a computer and booting it will alter it. Write blocking devices are very popular now. They prevent any writes to the drives attached and offer very fast acquisition speeds (around 1 gig per minute). There are dos and linux applications for acquisitions as well. Most of the popular applications have acquisition capabilities.

 
Posted : 19/04/2005 1:58 pm
Share: