Exam Drive & Wiping Question

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)

Andy
Senior Member
 

Re: Exam Drive & Wiping Question

Post Posted: Nov 05, 05 23:15

Yeah, you are correct - I'm sorry I misread the post. For what it's worth I still do not see any point in wiping the drive that contains your OS and tools. Often during an exam I download tools and viewers, and create test areas, files and folders, but mainly do experiments in a VMWare box. It would be more of a pain to relay a clone on each occasion for my particular machine, as it's a dynamic ever changing computer. I can see the argument for it, but how you would contaminate an 'examination' perhaps needs some explanation!

I use EnCase so its evidence files are in a safe contained environment. It only becomes a security issue if I extract a file and execute it on my forensic workstation. My thoughts are it's overly paranoid.

Andy  
 
  

brett_shavers
Newbie
 

Re: Exam Drive & Wiping Question

Post Posted: Nov 07, 05 04:17

Another option is to conduct the entire exam in VMWare (given you have enough RAM in your host machine). Then, with everything contained in the VMWare file folder, nothing creeps onto your host machine, and it is easier to start over again with a backup of that virtual machine.

In theory, you could even store the virtual machine onto DVDs or a small hard drive for posterity (court..), and the entire operating system, patches, software, and updates would remain as it was when you conducted the exam.

Personally, I have a backup of my forensic machine, and restore it after some time to get rid of cluttered data on my machine (that always seems to happen and it is easier to restore a clean drive than clean up my cluttered drive).  
 
  

m7esec
Senior Member
 

Re: Exam Drive & Wiping Question

Post Posted: Nov 23, 05 03:59

Brett-
Good example using VMWare. I do not know much about VMWare yet, just started playing with it, and I have a few questions.

1. How do you connect a USB or Firewire device to a computer running on VMWare without it also connecting to the host machine?

2. Can malicious code also infect a VMWare session from the host machine connected to the network?

3. Can you run a beefy Host machine on a network with Internet Access, and run a VMWare session and be sure that outside influence does not affect a VMWare session, as if it wasn't connected to the network?

The reason I am saying this, is your option is very intriguing. I am looking to build a new forensics system, and using my old system for Personal use. However, if I can beef up my current system and use VMWare as the option as stated above, it would save me some money, needed space, as well as build a better, more powerful system. I just want to verify that using VMWare doesn't change the integrity of the OS, Tools, and evidence.
_________________
GSEC, GCFA, GCIH, EnCE
Certified Forensic Examiner
St. Louis, MO 
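Brett's suggestion of archiving the exam VM folder for court, and the integrity question raised in the post above, both come down to being able to prove later that the stored VM files are unchanged. The following added example (not code from either poster or from VMware) builds a SHA-256 manifest of a VM folder and later verifies the folder against it; the file names `exam.vmx`, `exam.vmdk` and `exam.nvram` are constructed sample data.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large disk images do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(vm_dir: Path) -> dict:
    """Map every file under vm_dir (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(vm_dir).as_posix(): sha256_file(p)
        for p in sorted(vm_dir.rglob("*"))
        if p.is_file()
    }


def verify_manifest(vm_dir: Path, manifest: dict) -> dict:
    """Report which files changed, disappeared, or appeared since the manifest was taken."""
    current = build_manifest(vm_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake VM folder, then alter one image and add a file."""
    with tempfile.TemporaryDirectory() as tmp:
        vm = Path(tmp) / "exam-vm"
        vm.mkdir()
        (vm / "exam.vmx").write_text('config.version = "8"\n')   # constructed config file
        (vm / "exam.vmdk").write_bytes(b"\x00" * 4096)           # constructed disk image
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(vm), indent=2))
        (vm / "exam.vmdk").write_bytes(b"\x00" * 4095 + b"\x01")  # simulate a one-byte change
        (vm / "exam.nvram").write_bytes(b"nvram")                  # simulate a new file
        return verify_manifest(vm, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print(demo())
```

Keep the manifest (and its own hash) on separate write-once media from the VM archive, so the check does not rely on the same disk it is verifying.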
 
