evidence collection methodology for forensic investigation


phius
Member
 

Re: evidence collection methodology for forensic investigation

Posted: Nov 24, 05 08:57

Harlan,

> Based on your comments, and especially those regarding Perl, it's clear that the issue is more one of zero-knowledge response. My concern is that there are presentations going on at conferences such as Blackhat and DefCon that specify anti-forensics techniques to be used against the analyst, rather than the forensic analysis tools themselves.


Yeah... I know what you are saying and it goes against my own personal opinions to have to defend the need for simplicity. But... we have a large caseload and I'm afraid that levels of knowledge vary widely among the investigators. The Live IR (see... not using the word *forensics* now :D) that we are doing at the moment is primarily aimed at analysing malware. Essentially the investigators are simply collecting the information for later analysis back in the office by specialists. By and large, all we need is a netstat, fport, brief traffic capture (ethereal) and a copy of the system drive. Mostly we are using Helix (as it is free) & we will use ProDiscoverIR for the cases that are more important.

Anyway, please don't get the idea that I am set in my ways against using FSP. I can tell you that we won't be using it on Windows systems as we have established procedures using Helix & ProDiscover. However, I will be testing its functionality when examining Linux systems as soon as I have some time...

Cheers

Paul  
 
  

keydet89
Senior Member
 

Re: evidence collection methodology for forensic investigation

Posted: Nov 28, 05 19:02

> essentially the investigators are simply collecting the information for
> later analysis back in the office by specialists.

This is rather easy to do with the FSP, and is also highly customizable. Create your own .ini file for use with the FRU, and you've got an easy-to-use tool. You do updates when you need to, not when some commercial developer feels that it's necessary.

> By and large, all we need is a netstat, fport...

This is what the FRU/FSP framework was designed for.

It's easy... put the fruc.exe file and associated DLL on a CD, along with tools (i.e., fport.exe, openports.exe, netstat.exe, tlist.exe, etc.) and an .ini file that contains the necessary commands to run the tools. To make things even easier, include a batch file that launches the fruc.exe file... the only interaction required by the first responder is to type in the name of the batch file, followed by the IP address of the server (and the port, if you're not using a standardized one that can be added to a batch file).

The FRU/FSP automates all of this and minimizes interaction required by the user.

Harlan  
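The collection flow Harlan describes above (tools listed in an .ini file, run by a small client on the response CD, output shipped to a server at a given IP and port), as an added example that is not the FRU/FSP code itself. It is Python rather than the FRU's own binaries; the .ini layout, the header-line-plus-bytes wire format, the SHA-256 acknowledgement, the function names and the canned tool output are all assumptions made for this example, so it runs offline without the Windows tools.

```python
"""Added example, not Harlan Carvey's FRU/FSP code: an .ini-driven collector
that runs a list of tools, sends each tool's output to a receiver over TCP,
and lets both ends verify a SHA-256 of what was transferred."""
import configparser, datetime, hashlib, json, shlex, socket, subprocess, threading

# Constructed sample config in the spirit of the .ini Harlan describes: one
# section per tool, the command line to run under 'cmd'. On real response
# media these would be paths to the trusted binaries on the CD.
SAMPLE_INI = """
[netstat]
cmd = netstat -an
[tlist]
cmd = tlist.exe
"""

# Constructed outputs so the example runs offline without the Windows tools.
CANNED_OUTPUT = {
    "netstat -an": b"  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING\r\n",
    "tlist.exe":   b"   4 System\r\n 612 svchost.exe\r\n",
}

def utcnow():
    return datetime.datetime.now(datetime.timezone.utc).isoformat()

def parse_ini(text):
    """Return [(tool name, command line), ...] in file order."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return [(s, cp[s]["cmd"]) for s in cp.sections()]

def run_command(cmd):
    """Real runner: execute the tool and capture stdout and stderr as bytes."""
    p = subprocess.run(shlex.split(cmd), capture_output=True, timeout=60)
    return p.stdout + p.stderr

def canned_runner(cmd):
    """Offline stand-in for run_command using the constructed outputs above."""
    return CANNED_OUTPUT[cmd]

def start_receiver(host="127.0.0.1", port=0):
    """Minimal FSP-style receiver (assumed design). Each connection carries one
    JSON header line, then exactly header['length'] bytes of tool output. The
    receiver re-hashes the bytes, stores them with a receive timestamp and
    acks with the digest it computed. Returns (port, store, stop_event)."""
    srv = socket.socket(); srv.bind((host, port)); srv.listen(5); srv.settimeout(0.2)
    store, stop = {}, threading.Event()
    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                f = conn.makefile("rb")
                header = json.loads(f.readline())
                payload = f.read(header["length"])
                digest = hashlib.sha256(payload).hexdigest()
                ok = digest == header["sha256"]
                store[header["name"]] = dict(header, output=payload, verified=ok,
                                             received=utcnow())
                conn.sendall(f"{'OK' if ok else 'HASH-MISMATCH'} {digest}\n".encode())
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], store, stop

def collect_and_send(ini_text, host, port, runner=run_command):
    """First-responder side: run each tool from the .ini, send its output, and
    confirm the receiver's ack carries the same SHA-256 we computed locally."""
    results = []
    for name, cmd in parse_ini(ini_text):
        output = runner(cmd)
        digest = hashlib.sha256(output).hexdigest()
        header = {"name": name, "cmd": cmd, "length": len(output),
                  "sha256": digest, "collected": utcnow()}
        with socket.create_connection((host, port)) as conn:
            conn.sendall(json.dumps(header).encode() + b"\n" + output)
            ack = conn.makefile("rb").readline().decode().strip()
        results.append((name, digest, ack == f"OK {digest}"))
    return results

if __name__ == "__main__":
    port, store, stop = start_receiver()
    for name, digest, ok in collect_and_send(SAMPLE_INI, "127.0.0.1", port, canned_runner):
        print(f"{name:10} sha256={digest[:16]}... verified={ok}")
    stop.set()
```

Swap `canned_runner` for `run_command` and point `SAMPLE_INI` at the binaries on the CD to use it for real; the hashes recorded on both ends are what lets you later show that what the specialist analyses in the office is what the responder collected on the box.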
 
  

hogfly
Senior Member
 

Re: evidence collection methodology for forensic investigation

Posted: Nov 28, 05 20:34

Harlan,

This isn't something I've tested yet, but do you have a list of the .dlls used by the executables you recommend using with FSP? i.e., pstools, autoruns etc.?

I can figure it out well enough on my own but wondered if you have done it already.
Thanks.  
 
  

keydet89
Senior Member
 

Re: evidence collection methodology for forensic investigation

Posted: Nov 28, 05 21:47

> do you have a list of the .dlls used by the executables you recommend using with FSP

Not yet. This sort of thing is something I've been working on with another project that I was given at work...well, the reality is that I started down the road w/ the FSP project, and the one I got from work is a more tightly focused version of the same thing.

Part of the issue with something like that is that the FSP was designed to be an open framework, so that any tools can be used. Using a Perl script to dump the import table of an executable is trivial...I've done it a couple of different ways now...but I can't possibly know every tool that people will use. I can only provide a subset of the tools, and the process, and from there let others do their own thing.

Harlan  
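For hogfly's question about which DLLs the tools depend on, and Harlan's remark that dumping an executable's import table is trivial, here is an added example in Python (not Harlan's Perl script and not part of FSP) that walks a PE file's import directory and lists the DLLs and functions it names. No real tool binary ships with this page, so `build_sample_pe` constructs a minimal PE32 image containing only an import directory for the parser to exercise offline; that helper and all function names are assumptions made for this example.

```python
"""Added example, not FSP code: list the DLLs (and functions) an executable's
import table names, so the response CD can carry the DLLs the tools need."""
import struct, sys

def pe_imports(data):
    """Return {dll_name: [function or 'ordinal#N', ...]} from a PE file's bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B       # PE32+ magic
    # Data directories begin at +96 (PE32) or +112 (PE32+); entry 1 is imports.
    import_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]

    # Section table: needed to translate RVAs into file offsets.
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} is not inside any section")

    def cstring(off):
        return data[off:data.index(b"\0", off)].decode("ascii")

    imports = {}
    if import_rva == 0:
        return imports                                          # no import table
    desc = rva_to_off(import_rva)
    thunk_fmt, width = ("<Q", 8) if is64 else ("<I", 4)
    ordinal_flag = 1 << (width * 8 - 1)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp,
        # ForwarderChain, Name, FirstThunk. An all-zero entry ends the list.
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        funcs = []
        thunk = rva_to_off(oft or ft)          # some linkers leave OFT at zero
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:
                # IMAGE_IMPORT_BY_NAME: 2-byte hint, then NUL-terminated name
                funcs.append(cstring(rva_to_off(entry & 0x7FFFFFFF) + 2))
            thunk += width
        imports[cstring(rva_to_off(name_rva))] = funcs
        desc += 20
    return imports

def dll_list(data):
    """Just the DLL names, the list hogfly asked for."""
    return sorted(pe_imports(data), key=str.lower)

def build_sample_pe(imports):
    """Constructed test data: a minimal PE32 image with one section that holds
    only an import directory (name imports, no ordinals). Not a real program."""
    sec_rva, sec_raw = 0x1000, 0x400
    body = bytearray(20 * (len(imports) + 1))      # descriptors + terminator
    descs = []
    for dll, funcs in imports.items():
        thunks = len(body)
        body += bytes(4 * (len(funcs) + 1))        # thunk array + terminator
        for i, fn in enumerate(funcs):
            struct.pack_into("<I", body, thunks + 4 * i, sec_rva + len(body))
            body += b"\0\0" + fn.encode() + b"\0"  # hint + name
        descs.append((sec_rva + thunks, sec_rva + len(body)))
        body += dll.encode() + b"\0"
    for i, (oft, name_rva) in enumerate(descs):
        struct.pack_into("<IIIII", body, 20 * i, oft, 0, 0, name_rva, oft)
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)          # PE32
    struct.pack_into("<II", opt, 96 + 8, sec_rva, 20 * (len(descs) + 1))
    sec = bytearray(40); sec[:6] = b".idata"
    struct.pack_into("<IIII", sec, 8, len(body), sec_rva, len(body), sec_raw)
    img = dos + b"PE\0\0" + coff + opt + sec
    return bytes(img + bytes(sec_raw - len(img)) + body)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_pe({"KERNEL32.dll": ["CreateFileA", "ReadFile"], "WS2_32.dll": ["socket"]})
    for dll, funcs in pe_imports(data).items():
        print(f"{dll}: {', '.join(funcs)}")
```

Run it against each tool you plan to put on the CD (`python pe_imports.py fport.exe`) and then against the DLLs it names, since those have imports of their own. Two caveats for building the list: this reads only the static import table, so DLLs a tool loads at runtime through LoadLibrary, and delay-load imports (a separate data directory), will not appear; and a tool that imports from an OS DLL that is present on every Windows version of interest still ends up using the victim system's copy unless you redirect it, which is exactly the trust question Harlan's framework is trying to sidestep.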
 
