Evidence collection methodology for forensic investigation

ellac
(@ellac)
Posts: 5
Active Member
Topic starter
 

Hi all,

I am a student and am new to this community. Currently I am working on a paper in which I would like to develop an evidence collection procedure for live forensic investigation. My target audience is small/medium-sized firms where taking the compromised system offline is not possible. This means that evidence collection has to be done while the system is running.

Since small or medium-sized firms usually have very limited IT budgets, I would like to propose a low-cost but efficient way to gather evidence.

For this paper, I am only concentrating on the UNIX operating system. Any help/suggestion would be greatly appreciated.

Thanks,

Ella

 
Posted : 15/11/2005 12:25 am
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

Best commercial product for live system imaging is ProDiscover Investigator. It is around $6000.
http://www.techpathways.com/ProDiscoverIR.htm

Check out the article below for examining 'live' systems.
http://www.informit.com/articles/article.asp?p=417509&rl=1

Also download and try HELIX and F.I.R.E., bootable Linux distros that have utils to acquire live systems via TCP/IP. Grab on the HELIX CD-ROM works great to acquire a live system.

 
Posted : 15/11/2005 1:07 am
ellac
(@ellac)
Posts: 5
Active Member
Topic starter
 

Thanks arashiryu!
The two links are very useful.

For the first one, I am not sure how many small companies are willing to spend 6000 dollars on this kind of software. However, it allows me to find out what components I need to include in my paper.

I am trying to come up with a how-to guide so that people will know how to respond when they need to collect digital evidence that can be presented to the court if needed.

Thanks again.

Ella

 
Posted : 15/11/2005 1:22 am
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

Here is another one.

http://www.shebeen.com/win32-forensics/

 
Posted : 15/11/2005 1:48 am
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

Hi ellac,

Good article describing incident response, as well as some info on the author's batch file, which is simple and handy.

http://www.e-fense.com/helix/Docs/Jesse_Kornblum.pdf

Andrew-

 
Posted : 15/11/2005 2:08 am
(@fatrabbit)
Posts: 132
Estimable Member
 

I've just found this article which contains a wealth of information including some first responder guides under the guidelines and standards section.

http://staff.washington.edu/dittrich/forensics.html

 
Posted : 15/11/2005 2:20 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

While some good info has been posted, I do think that it's important to point out that the original poster (ella) specified Unix as the operating system to be dealt with. This is important, as there are some major differences in how one would conduct live response (either volatile data acquisition or image acquisition) over Windows.

Some important process-oriented concepts to keep in mind include:

Locard's Exchange Principle
http://www.profiling.org/journal/vol1_no1/jbp_ed_january2000_1-1.html

RFC 3227 - Guidelines for Evidence Collection and Archiving
http://www.faqs.org/rfcs/rfc3227.html

For the most part, similar principles apply regardless of platform…however, the tools you use to employ your methodology will differ. For example, it is possible to create statically-compiled tools for Unix systems, so that the investigator does not have to rely on possibly subverted libraries on the system.

Interestingly enough, the Forensic Server Project[1], while written on Windows, is in essence platform independent. The server component can be run on any system that supports Perl, and as long as the protocol is followed, platform-specific versions of the First Responder Utility (FRU) can be written in just about any language.

I hope that helps a bit,

Harlan

[1] http://www.windows-ir.com/fsp.html

 
Posted : 15/11/2005 6:26 pm
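To make the two process points above concrete (RFC 3227's order of volatility, and statically compiled tools so the investigator is not trusting the host's possibly subverted libraries), together with arashiryu's earlier note about acquiring a live system over TCP/IP, here is an added shell example of what a low-cost live collection on a Unix host can look like. It is illustration written for this thread, not code from any poster, from Helix, F.I.R.E. or the Forensic Server Project; the tool path /mnt/cdrom/bin, the output path /mnt/usb/case and the particular command list are assumptions a responder would adapt to their own system and their own trusted media.

```sh
#!/bin/sh
# Added example for this thread (not from any poster or tool on the page):
# live volatile-data collection on a Unix host in RFC 3227 order of volatility,
# using binaries from a trusted, statically linked tool set, with every output
# hashed into a manifest, plus streaming a disk image to another host with an
# on-the-fly hash. TOOLS, OUT and the command list are assumptions.

TOOLS="${TOOLS:-/mnt/cdrom/bin}"   # assumed: static tools on read-only media
OUT="${OUT:-/mnt/usb/case}"        # assumed: writable media, not the suspect disk

# hash_file FILE: SHA-256 hex digest, with whichever hashing tool the media carries.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
  else openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# run_step NAME CMD [ARGS...]: run one collection command, capture stdout and
# stderr to $OUT/NAME.txt, and record time, hash, exit status and the exact
# command line in the manifest. A missing tool is logged, not fatal, so the
# collection continues and the gap is documented rather than silently skipped.
run_step() {
  name=$1; shift
  if ! command -v "$1" >/dev/null 2>&1; then
    printf '%s\t%s\tMISSING\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$*" \
      >> "$OUT/manifest.tsv"
    return 0
  fi
  start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  rc=0
  "$@" > "$OUT/$name.txt" 2>&1 || rc=$?
  printf '%s\t%s\t%s\trc=%s\t%s\n' "$start" "$name" \
    "$(hash_file "$OUT/$name.txt")" "$rc" "$*" >> "$OUT/manifest.tsv"
}

# collect_volatile: most volatile first (RFC 3227 section 2.1), least last.
# The trusted tools go first in PATH so the host's own (possibly trojaned)
# ps/netstat/lsof are never what answers.
collect_volatile() {
  mkdir -p "$OUT" || return 1
  PATH="$TOOLS:$PATH"; export PATH
  : > "$OUT/manifest.tsv"
  run_step 00_start     date -u        # bounds the collection window
  run_step 01_uptime    uptime
  run_step 02_sockets   netstat -an    # connections and listening sockets
  run_step 03_routes    netstat -rn
  run_step 04_arp       arp -an        # ARP cache
  run_step 05_procs     ps -ef         # process table
  run_step 06_openfiles lsof -n        # open files, sockets, deleted binaries
  run_step 07_logins    who
  run_step 08_mounts    mount
  run_step 09_kernel    uname -a
  run_step 10_end       date -u
  hash_file "$OUT/manifest.tsv" > "$OUT/manifest.sha256"   # seals the manifest
}

# verify_collection: recompute every recorded hash; non-zero if anything changed.
verify_collection() {
  bad=0
  while IFS="$(printf '\t')" read -r ts name hash rest; do
    if [ "$hash" = MISSING ]; then continue; fi
    if [ "$(hash_file "$OUT/$name.txt")" != "$hash" ]; then
      echo "MISMATCH: $name"; bad=1
    fi
  done < "$OUT/manifest.tsv"
  return $bad
}

# stream_image DEVICE SINK_CMD [ARGS...]: image a block device while the system
# stays up, streaming it through SINK (on a real acquisition something like
# "nc -w 3 analyst-host 9000", with a listening netcat writing disk.img on the
# analyst side) and hashing the bytes as they leave. The receiver hashes the
# file it wrote and compares it with $OUT/image.sha256. bs=512 with
# conv=noerror,sync zero-fills unreadable sectors without padding the end of
# the image, at the cost of speed.
stream_image() {
  dev=$1; shift
  fifo="$OUT/.hashpipe.$$"
  mkdir -p "$OUT" && mkfifo "$fifo" || return 1
  hash_file "$fifo" > "$OUT/image.sha256" &
  hasher=$!
  dd if="$dev" bs=512 conv=noerror,sync 2> "$OUT/image.dd.log" | tee "$fifo" | "$@"
  wait "$hasher"
  rm -f "$fifo"
}
```

Running collect_volatile still changes the system (new processes, a modified PATH, writes to the output media), which is exactly what Locard's principle predicts; the manifest's timestamps and recorded command lines are what let a reviewer account for those changes later, and verify_collection is the check that the collected files have not been altered since. A MISSING entry is deliberately kept in the manifest so that a tool absent from the trusted media shows up as a documented gap rather than as silently missing evidence.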
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

Ella needs to clarify.

Is the machine to be examined a Unix box?

OR

The tools used for the examination are Unix based regardless of what platform the box to be examined is on?

 
Posted : 15/11/2005 7:05 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

arashiryu,

Ella needs to clarify.

Is the machine to be examined a Unix box?

OR

The tools used for the examination are Unix based regardless of what platform the box to be examined is on?

Ella's query seemed pretty clear to me…

"My target audience is small/medium-sized firms where taking the compromised system offline is not possible. This means that evidence collection has to be done while the system is running."

As the system needs to be live and running, the use of Unix tools would clearly obviate Windows systems. Even a bootable Linux CD is out of consideration, as for the CD to be used, the system will no longer be live. Also, using Unix tools to examine a Windows image is obviated, for the same reason.

IMHO, the question was pretty clear. After all, ella went on to say, "For this paper, I am only concentrated on UNIX operating system."

Also, ella further stated
"Since small or medium sized firms usually have a very limited IT budgets, I would like to propose a low cost but efficient way to gather evidence. "

Data gathering is easy…even trivial. Should the data need to meet a standard of "evidence", then by its very nature, the local IT shop shouldn't be collecting it at all.

Either way, collection is the easy part…it's always been analysis that's the hardest, and the most often prone to error.

Harlan

 
Posted : 15/11/2005 8:14 pm
ellac
(@ellac)
Posts: 5
Active Member
Topic starter
 

I agree that evidence collection is the easiest part in the forensic investigation. That's why I picked that part.

However, I have to make sure whatever procedures I am going to use will gather evidence that can be presented in court.

Thank you everyone. I have got many useful links from you guys. I am sure I will post some questions later. :)

 
Posted : 15/11/2005 10:48 pm