
Assistance on Software purchase

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
 
  

keith.bucknall
Member
 

Assistance on Software purchase

Post Posted: Nov 08, 07 22:55

Dear All,

We have just had an issue for which we need to seize some PCs and check for a number of media files, look into the index.dat, and check the items that have been deleted over the past X months.

As you can imagine, I am still a newbie to this and would like some guidance on what software to purchase and methodology to approach.

I would prefer to outsource this but have been advised to look at a software solution first...

Can you please give some points and feedback on EnCase, FTK or other tools out there?

Thanks
_________________
Kind Regards
Keith Bucknall
MCSE:Security 2003, MCSA 2003, MCP, A+, N+, Sec+ 
 
  

BitHead
Senior Member
 

Re: Assistance on Software purchase

Post Posted: Nov 08, 07 23:58

Buying the software is just the beginning. While FTK tends to be more "intuitive" out of the box than EnCase, none of the software really becomes useful without training. Additionally you will need hardware, including but not limited to a dedicated examination machine, multiple drives, & write blockers.

Of course without some experience, in the likely case that solicitors/lawyers/the courts become involved, you will have to establish your experience. Woe be the newbie examiner that was not shadowed/supervised by an experienced examiner on their first case.

As far as just reviewing the tools, there is good and bad to each which is why you will find most examiners use multiple tools if only to verify their results.  
 
  

senordiablo
Member
 

Re: Assistance on Software purchase

Post Posted: Nov 09, 07 01:42

As a student in a computer forensics class, my school purchased FTK for us to conduct a mock investigation as our final project. So far, everyone is happy with FTK. It comes with an instruction guide that is easy to read and well detailed. You can download a demo version off their website. I think they may also be the least expensive if you buy the training version (student license).

Another free tool you can use is Helix, which is open source. This CD has many different applications you can use to conduct an investigation. Read their pdf files to learn more about specific apps and how they are used. You can boot this from a live CD and use "retriever" to search for pics, movies, and docs.

Remember to keep a chain of custody form in case you decide to outsource this investigation.  
 
  

Hdollar
Member
 

Re: Assistance on Software purchase

Post Posted: Nov 09, 07 03:06

BitHead again is right on the money. I would add the following.
You need to ask:
1.) What are you going to do if I find something?
2.) Can this possibly go to court?
a. If so, what makes me an expert witness?
3.) Is the company willing to forgo legal action if I make the wrong conclusion?
Without answers to at least these questions you could have legal action taken against the company and yourself.
 
  

keith.bucknall
Member
 

Re: Assistance on Software purchase

Post Posted: Nov 09, 07 14:15

Guys,

Thanks for the information on this. I really appreciate this.


Regards

Keith
_________________
Kind Regards
Keith Bucknall
MCSE:Security 2003, MCSA 2003, MCP, A+, N+, Sec+ 
 
