Educause Security Discussion mailing list archives
Re: Digital Forensics Professional Services Costs was Use of Digital Forensics Professional Services
From: "Hull, Dave" <dphull () KU EDU>
Date: Wed, 8 Mar 2006 09:17:55 -0600
Depends on how you handle the resource in question. If it's a workstation, you should

1. Fill out a chain of custody document any time the system or data changes hands.
2. Pull the power plug before you touch the file system.
3. Boot the workstation from a bootable CDROM like Helix.
4. Mount the suspect drives in read-only mode.
5. Make an MD5 or SHA-1 hash of the disk. Record that hash value somewhere and double check your work.
6. Make a bit-level copy of the disk using dd or equivalent tools.
7. Run the same checksum algorithm against your copy and make sure it matches the checksum from step 4.
8. Make a copy of this image on your forensic workstation and verify the checksum again.
9. Perform forensics on the copy of the image.

If you've got the money, purchase a Logicube or equivalent device and pull the drives from the system to make your forensically sound copy.

These steps are the same as those taken by professional computer forensic examiners and they go to court all the time. The critical elements for admissibility are that your hash values match and that you have good "chain of custody" documentation.

Of course, if the target system is a high profile system like your main web server, taking it offline long enough to image its drives can be problematic.

--
Dave "DP" Hull, Network Security Analyst
IT Security Office, A Division of Information Services
The University of Kansas
Desk: 785-864-0429

-----Original Message-----
From: John Nunnally [mailto:Nunnally () HARDING EDU]
Sent: Tuesday, March 07, 2006 4:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Digital Forensics Professional Services Costs was [SECURITY] Use of Digital Forensics Professional Services

The big question is how do you know in advance? Once you've messed with the resources involved, it is highly unlikely that they could be used as evidence in a court case. So if you guess wrong about whether the case will wind up in court, you're up a creek.

John N.
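The hash-then-image-then-rehash sequence from steps 5 through 8 above, as an added shell example that is not part of the list message or any tool it names. It assumes a Unix host with sha1sum and dd, a source device that is already mounted read-only or behind a write blocker, and a custody log whose path and line format are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): hash the source, bit-copy it with dd,
# hash the copy, and append every digest to a custody log for later review.
# Device paths, the log path and the log line format are assumptions.
set -eu

# Print only the SHA-1 digest of a file or block device.
hash_of() {
    sha1sum "$1" | cut -d' ' -f1
}

# Append a timestamped hash record: when, digest, what it was, which path.
record_hash() {
    printf '%s  %s  %s  %s\n' "$(date -u +%FT%TZ)" "$1" "$2" "$3" >> "$4"
}

# Step 8 check: does COPY still hash to the digest recorded earlier?
verify_image() {
    expected=$1; copy=$2
    [ "$expected" = "$(hash_of "$copy")" ]
}

# Steps 5-7: hash SRC, copy it to DST with dd, hash DST and compare.
# bs=512 matches a disk sector, so conv=sync never pads a whole-device copy;
# conv=noerror keeps dd going past unreadable sectors, and the resulting
# mismatch is caught here instead of surfacing later. Prints the digest
# and returns 0 on match, 1 on mismatch.
image_and_verify() {
    src=$1; dst=$2; log=$3
    src_hash=$(hash_of "$src")
    record_hash "$src_hash" source "$src" "$log"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync
    dst_hash=$(hash_of "$dst")
    record_hash "$dst_hash" image "$dst" "$log"
    if [ "$src_hash" = "$dst_hash" ]; then
        echo "$src_hash"
        return 0
    fi
    echo "HASH MISMATCH: source $src_hash, image $dst_hash" >&2
    return 1
}

# Usage (paths are placeholders): image.sh /dev/sdX /evidence/case.dd /evidence/custody.log
if [ $# -eq 3 ]; then
    image_and_verify "$1" "$2" "$3"
fi
```

Run verify_image again on the working copy after moving it to the forensic workstation, and keep the custody log with the image.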