evidence collection methodology for forensic investigation

ellac
Newbie
 

evidence collection methodology for forensic investigation

Post Posted: Nov 15, 05 01:25

Hi all,

I am a student and am new to this community. Currently I am working on a paper in which I would like to develop an evidence collection procedure for live forensic investigation. My target audience is small/medium-sized firms where taking the compromised system offline is not possible. This means that evidence collection has to be done while the system is running.

Since small or medium-sized firms usually have very limited IT budgets, I would like to propose a low-cost but efficient way to gather evidence.

For this paper, I am concentrating only on the UNIX operating system. Any help/suggestion would be greatly appreciated.

Thanks,

Ella  
 
  

arashiryu
Senior Member
 

Re: evidence collection methodology for forensic investigation

Post Posted: Nov 15, 05 02:07

The best commercial product for live system imaging is ProDiscover Investigator. It is around $6000.
www.techpathways.com/P...overIR.htm

Check out the article below for examining 'live' systems.
www.informit.com/artic...17509&rl=1

Also download and try HELIX and F.I.R.E., bootable Linux distros that have utilities to acquire live systems via TCP/IP. Grab on the HELIX CD-ROM works great for acquiring a live system.

Last edited by arashiryu on Nov 15, 05 02:43; edited 1 time in total
 
  

ellac
Newbie
 

Re: evidence collection methodology for forensic investigation

Post Posted: Nov 15, 05 02:22

Thanks arashiryu!
The two links are very useful.

For the first one, I am not sure how many small companies are willing to spend 6000 dollars on this kind of software. However, it allows me to find out what components I need to include in my paper.


I am trying to come up with a how-to guide so that people will know how to respond when they need to collect digital evidence that can be presented to the court if needed.

Thanks again.

Ella  
 
  

arashiryu
Senior Member
 

Re: evidence collection methodology for forensic investigation

Post Posted: Nov 15, 05 02:48

Here is another one.

www.shebeen.com/win32-forensics/  
 
  

andy1500mac
Senior Member
 

Re: evidence collection methodology for forensic investigation

Post Posted: Nov 15, 05 03:08

Hi ellac,

Good article describing incident response, as well as some info on the author's batch file, which is simple and handy.

www.e-fense.com/helix/...rnblum.pdf

Andrew-  
 
  

fatrabbit
Senior Member
 

Re: evidence collection methodology for forensic investigation

Post Posted: Nov 15, 05 03:20

I've just found this article which contains a wealth of information including some first responder guides under the guidelines and standards section.

staff.washington.edu/d...nsics.html
_________________
fatrabbit 
 
  

keydet89
Senior Member
 

Re: evidence collection methodology for forensic investigation

Post Posted: Nov 15, 05 19:26

While some good info has been posted, I do think that it's important to point out that the original poster (ella) specified Unix as the operating system to be dealt with. This is important, as there are some major differences in how one would conduct live response (either volatile data acquisition or image acquisition) over Windows.

Some important process-oriented concepts to keep in mind include:

Locard's Exchange Principle
www.profiling.org/jour...0_1-1.html

RFC 3227 - Guidelines for Evidence Collection and Archiving
www.faqs.org/rfcs/rfc3227.html

For the most part, similar principles apply regardless of platform; however, the tools you use to employ your methodology will differ. For example, it is possible to create statically-compiled tools for Unix systems, so that the investigator does not have to rely on possibly subverted libraries on the system.

Interestingly enough, the Forensic Server Project[1], while written on Windows, is in essence platform independent. The server component can be run on any system that supports Perl, and as long as the protocol is followed, platform-specific versions of the First Responder Utility (FRU) can be written in just about any language.

I hope that helps a bit,

Harlan

[1] www.windows-ir.com/fsp.html  
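As an added example, not taken from this thread or from any of the tools named in it, here is the kind of low-cost, script-driven collector the thread is circling: a POSIX shell script for a UNIX host that runs each step from an assumed trusted toolkit directory, in RFC 3227 order of volatility, and records time, exit code and a SHA-256 of every output so the collection can be checked afterwards. TOOLKIT, OUT and the step list are assumptions to adapt to your own media and platform.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal live volatile-data collector
# for a UNIX host that follows the RFC 3227 order of volatility and records
# who ran what, when, with a SHA-256 of every output file so the collection
# can be defended later. Assumed paths: TOOLKIT holds trusted, statically
# linked binaries on read-only media; OUT is on removable or remote storage.
TOOLKIT="${TOOLKIT:-/mnt/toolkit/bin}"
OUT="${OUT:-/mnt/evidence/$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)}"
now() { date -u +%Y-%m-%dT%H:%M:%SZ; }
sha256() {                      # use whichever SHA-256 tool the platform has
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}
# run_step NAME CMD [ARGS...]: run CMD from the toolkit if present (else from
# PATH), save stdout/stderr, and log time, exit code and hash. A failing tool
# is recorded, not fatal, so the rest of the collection still happens.
run_step() {
    name="$1"; cmd="$2"; shift 2
    bin="$TOOLKIT/$cmd"; [ -x "$bin" ] || bin="$cmd"
    start=$(now); rc=0
    "$bin" "$@" >"$OUT/$name.txt" 2>"$OUT/$name.err" || rc=$?
    printf '%s %s rc=%s sha256=%s cmd=%s %s\n' "$start" "$name" "$rc" \
        "$(sha256 "$OUT/$name.txt")" "$bin" "$*" >>"$OUT/collection.log"
}
# collect_volatile: steps ordered most volatile first (RFC 3227, section 2.1);
# the opening and closing date lines bracket the collection window.
collect_volatile() {
    mkdir -p "$OUT"
    printf 'collector=%s host=%s start=%s\n' "$(id -un)" "$(uname -n)" "$(now)" \
        >>"$OUT/collection.log"
    run_step 01-date      date -u
    run_step 02-network   netstat -an        # connections and listening sockets
    run_step 03-processes ps -ef             # running processes
    run_step 04-users     who                # logged-in sessions
    run_step 05-mounts    mount              # mounted filesystems
    run_step 06-uptime    uptime
    run_step 07-date-end  date -u
}
# verify_log: recompute every recorded hash; returns 0 only if nothing changed.
verify_log() {
    for f in "$OUT"/*.txt; do
        name=$(basename "$f" .txt)
        recorded=$(grep " $name rc=" "$OUT/collection.log" |
                   sed 's/.*sha256=\([0-9a-f]*\).*/\1/')
        [ -n "$recorded" ] && [ "$recorded" = "$(sha256 "$f")" ] || return 1
    done
}
```

Run `collect_volatile` as root from the trusted media as soon as possible after the incident is noticed, then copy the whole OUT directory off the host and keep the log with the case file; `verify_log` is the check to run before relying on any of the saved output.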
 

Page 1 of 5