evidence collection methodology for forensic investigation


hogfly
Senior Member

Re: evidence collection methodology for forensic investigation

Posted: Nov 17, 05 22:26

harlan,
Oh I agree with you completely. Your script is great and works extremely well with FSP.  

ellac
Newbie

Re: evidence collection methodology for forensic investigation

Posted: Nov 20, 05 05:33

Thank you everyone for your valuable input. I like the term forensic IR, but does this term include forensic analysis as well? The reason I ask is that my paper is all about evidence collection. I don't want to get into analysis in my paper. So I want to make sure whether it is suitable for me to use this term.

I agree with many of you saying that dd and nc are the primary tools that I need for collecting evidence. There are tons of papers about this kind of evidence collection, but many of them require taking the system offline. I would like to perform such operations while the system is up and running (I need to bring some new ideas to this paper, so that's why I want to emphasise that the investigation is done on a live system). Any new ideas that can make my paper more interesting will be great.

On a side note, if a firm has a RAID 5 system with four 50GB HDs, would you recommend using dd to get an image? It is cheap to get a 200GB HD these days. However, it will take a long time to transfer the data over.


As I have mentioned before, I am a newbie here... pardon me if I ask stupid questions here.


Thank you very much.

Ella

arashiryu
Senior Member

Re: evidence collection methodology for forensic investigation

Posted: Nov 21, 05 08:07

You can run WinHex Forensic edition from a CD-ROM on a live system without taking it down. WinHex also has a built-in feature called "Assemble Raid System".

phius
Member

Re: evidence collection methodology for forensic investigation

Posted: Nov 21, 05 14:58

Ella,

To come back to your original message, if you can come up with a methodology for conducting Forensic IR on a Linux machine then it would be well received. You can see from this forum that most automated tools are designed for Windows; a similar process for Linux (i.e. execute a server on the target system to open communication channels in the least intrusive way possible, and then execute commands to capture live data using a tool on the investigation machine) would be welcome. Once again, at the risk of being flamed for needing automated tools, most investigators don't have the time or depth of knowledge to do otherwise.

Good luck

Paul

keydet89
Senior Member

Re: evidence collection methodology for forensic investigation

Posted: Nov 21, 05 16:16

I'd suggest taking a look at the Forensic Server Project (FSP):

www.windows-ir.com/fsp.html

While the project was written *on* Windows, it is not specific *to* Windows. The server portion can be run on Linux, and platform-specific clients (i.e. the First Responder Utility, or FRU) can be written for any platform, using any language.

Harlan

phius
Member

Re: evidence collection methodology for forensic investigation

Posted: Nov 23, 05 07:05

Harlan,

I don't mean to be negative about your work, as you are doing some great things and it has helped me learn a lot about this subject. However, I think the use of Perl was summed up quite accurately by one contributor in another thread - Click here to view

For real-world investigations, what I am looking for is essentially ProDiscover: pop in the server CD and connect to it from the investigation box using a nice intuitive GUI, with no complex pre-installations. This works beautifully for us in Windows, but we are still struggling in Linux. Right now we are up to our eyeballs in Windows cases so it is not on my urgent list, but I will no doubt be speaking to Technology Pathways soon to try and resolve it.

Please don't take this the wrong way - I am open to being convinced if you can provide me with a simple and fast methodology on a par with ProDiscover.

Thanks

Paul

keydet89
Senior Member

Re: evidence collection methodology for forensic investigation

Posted: Nov 23, 05 16:30

Paul,

At this point, I don't think I'll be able to convince you.

ProDiscover is a great tool, without question.

The FSP is simply another tool. The purpose of it is to allow for the rapid collection of volatile data from a system, minimizing the interaction required by the first responder. Drop the CD containing the FRU (compiled into a standalone EXE...which is provided in the download from my site) into the CD tray of the victim system, fire up the FRU, select the server IP and port, and the .ini file to parse, and that's it. Everything else is handled by the tools, to include detailed logging/timestamping of activity.

The FRU can run any third party CLI tool and send the output off to the server for timestamping and archiving. This includes dumping the contents of the clipboard and protected storage, etc., etc.

Based on your comments, and especially those regarding Perl, it's clear that the issue is more one of zero-knowledge response. My concern is that there are presentations going on at conferences such as Blackhat and DefCon that describe anti-forensics techniques to be used against the analyst, rather than against the forensic analysis tools themselves.

Finally, you state that you're looking for something with "no complex pre-installations". The FSP and the FRU ship with their source (ie, Perl scripts) and compiled/tested standalone EXEs. The "installation" is no more complex than what is required with ProDiscover.

Harlan  
 
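The collect-and-ship flow that Paul sketches for Linux and that Harlan describes for the FSP (a client runs a CLI tool, sends the output to a server, and the server timestamps and archives it) is shown below as an added example in Python; it is not FSP's own code (which is Perl), and the wire framing, file naming and JSON audit log are assumptions made for this example. The verify_archive function adds the re-hash check an analyst would want before relying on the archived output, and the decoder drops a truncated trailing frame rather than guessing at it.

```python
import hashlib, json, struct
from datetime import datetime, timezone
from pathlib import Path
# Wire framing is an assumption for this example, not FSP's real format:
# [2-byte BE name length][tool name, UTF-8][4-byte BE output length][output bytes]
def encode_frame(tool: str, output: bytes) -> bytes:
    # Client side (the FRU role): wrap one tool's output for shipping to the server
    name = tool.encode("utf-8")
    return struct.pack(">H", len(name)) + name + struct.pack(">I", len(output)) + output

def decode_frames(stream: bytes):
    # Server side: yield (tool, output) pairs; a truncated trailing frame is dropped, never guessed
    pos = 0
    while pos + 2 <= len(stream):
        nlen = struct.unpack_from(">H", stream, pos)[0]
        if pos + 6 + nlen > len(stream):
            return
        tool = stream[pos + 2:pos + 2 + nlen].decode("utf-8")
        plen = struct.unpack_from(">I", stream, pos + 2 + nlen)[0]
        pos += 6 + nlen
        if pos + plen > len(stream):
            return
        yield tool, stream[pos:pos + plen]
        pos += plen

class CollectionServer:
    # Archives each received output, hashes it and appends one JSON line to an audit log
    def __init__(self, case_dir: str):
        self.case_dir, self.seq = Path(case_dir), 0
        self.case_dir.mkdir(parents=True, exist_ok=True)
    def archive(self, tool: str, output: bytes) -> dict:
        self.seq += 1
        ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
        safe = "".join(c if c.isalnum() or c in "._-" else "_" for c in tool)  # client name never becomes a path
        fname = f"{self.seq:04d}_{ts}_{safe}.out"  # sequence number avoids same-microsecond clashes
        (self.case_dir / fname).write_bytes(output)
        entry = {"seq": self.seq, "time": ts, "tool": tool, "file": fname,
                 "bytes": len(output), "sha256": hashlib.sha256(output).hexdigest()}
        with (self.case_dir / "activity.log").open("a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")
        return entry
    def receive(self, stream: bytes) -> list:
        return [self.archive(t, o) for t, o in decode_frames(stream)]

def verify_archive(case_dir: str) -> list:
    # Re-hash every archived file against the log; returns the tools whose output no longer matches
    case = Path(case_dir)
    entries = [json.loads(line) for line in (case / "activity.log").read_text(encoding="utf-8").splitlines()]
    return [e["tool"] for e in entries
            if hashlib.sha256((case / e["file"]).read_bytes()).hexdigest() != e["sha256"]]
```

In a real deployment the stream would arrive over the network socket the client opens to the server; here the frames are built and consumed in-process so the logic can be checked offline.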

Page 4 of 5