Security Basics mailing list archives

Re: forensics procedure for PC analysis


From: Johnny Ramone <mosrite1234 () gmail com>
Date: Fri, 1 May 2009 21:03:05 -0400

I've studied CCE stds & practices, etc. - the suggested procedure at
that time was "in vivo", if at all possible. That way you get the full
machine state, memory contents, page file(s), and whatever peripheral
doodads (you'll probably want that encrypted usb startup key). And of
course the full drive contents bit level.
Man, I hate to do this since it seems every other post I throw in a
dismal/jaded comment, but...
LE et al. worship at the altar of EnCase (or if they're real rebels,
FTK). So it might be advisable to be a Patriot, and just hire someone
who has a license of EnCase/FTK (depending on the standards of your
local LE clan) as needed.

On 5/1/09, max <maximilianbianco () gmail com> wrote:
On Mon, Apr 27, 2009 at 11:31:17AM +0100, John O Laoi wrote:
 > Hello,
 > Does anyone have pointers to a full recommended procedure on
 > preserving PC data for forensic analysis?
 > I'm thinking about things like getting a full backup (using dd),
 > preserving the disks, graceful shutdown or not, etc.
 >

dd is a good choice but also see ddrescue. As for a graceful shutdown, that depends on the circumstances and what you're 
referring to as illicit material. If you think someone is downloading porn then I think a graceful shutdown is fine; 
if on the other hand you think you have an intruder or a trojaned host then I'd lean toward pulling the plug, simply 
because you don't know what an intruder or trojan is prepared to do if a shutdown is detected. At the least they will 
try to erase log data about their visit and activities, or perhaps worse. How important that particular host is 
will also be something to consider.

 There are more than a few live CDs available that help with things like this. HELIX is one and DEFT is another, though 
you may prefer to load your distro of choice and appropriate tools on a flash drive. CERT has a repo for Fedora:

 http://www.cert.org/forensics/tools/



 > My employer has asked me to look into drafting a policy to address
 > this, in situations where say illicit material has been lodged to
 > disk.
 >

Any such policy should only be used as a general guide in these situations; try not to get trapped in the proper 
procedure box. After all, it can be hard to tell when the intrusion first occurred; perhaps an intruder found your 
proper procedure list and left you a few surprises. Just saying: be flexible above all else.

 Good Luck,

 Max



 --
 "Any fool can know. The point is to understand" --Albert Einstein

 Bored??
 http://fiction.wikia.com/wiki/Fuqwit1.0


 http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball



 ------------------------------------------------------------------------
 This list is sponsored by: InfoSec Institute

 Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
 Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

 http://www.infosecinstitute.com/courses/ethical_hacking_training.html

 ------------------------------------------------------------------------



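One way to carry out the dd acquisition Max describes, recording hashes of the source and the image so the copy can later be shown to match what was seized. This is an added example, not code from anyone in the thread; the device, image and log paths are arguments you supply, and a regular file stands in for the device when testing.

```shell
#!/bin/sh
# Added example (not from the original thread): dd-based bit-level acquisition
# with before/after SHA-256 hashes and an append-only custody log.
set -eu

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE bit-for-bit into IMAGE, hashes both, appends a record to LOG.
# Returns 0 only when the source hash and the image hash match.
acquire_image() {
    src=$1; img=$2; log=$3

    # Hash the source first so the finished image can be checked against it.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)

    # conv=noerror,sync: keep going past unreadable sectors and zero-fill them
    # so offsets in the image still line up with the source. bs must equal the
    # sector size (512 here), otherwise sync pads the tail and the hashes
    # will not match. For media that is actually failing, ddrescue (as Max
    # notes) is the better tool. dd's own records in/out summary on stderr is
    # kept in the log as part of the record.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"

    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s\tsource=%s\timage=%s\tsrc_sha256=%s\timg_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$src_hash" "$img_hash" \
        >>"$log"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE EXPECTED_SHA256
# Re-hash an image later (e.g. before analysis, or when handing it over) and
# compare it with the hash recorded at acquisition time.
verify_image() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}
```

Run it against the block device itself (e.g. /dev/sdb, not a partition) from a read-only boot such as the live CDs mentioned above, and keep the log with the image.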