Security Basics mailing list archives
RE: forensics procedure for PC analysis
From: "Dave Kleiman" <dave () davekleiman com>
Date: Wed, 6 May 2009 03:34:39 -0400
*NOT LEGAL ADVICE*

If you want to be able to do this live, even while users are working, F-Response is an excellent choice, because you can use it with any forensic tool. http://www.f-response.com/ They have an enterprise version and it works well; you can request an online web demo, plus there are plenty of how-to videos on their website.

The forensic tool you use is really a matter of preference. I prefer to go with a tool that has flexibility and can make DD, E0, AD etc. files. X-Ways Forensics http://www.x-ways.net/, EnCase http://www.x-ways.net/, and Access Data http://www.accessdata.com all make good products that are accepted industry wide.

I have a collection of tools and a live preview lab that I teach at forensic conferences that can be downloaded for free on my site: http://www.digitalforensicexpert.com/computer-forensics-expert-florida-miami-palm-beach-lauderdale-dave-kleiman-forensic-training-files/ or http://tinyurl.com/dzqfym

Actually there is one coming up in Orlando in 2 weeks, the CEIC conference, http://www.ceicconference.com/agenda.aspx (Scripting Network Forensics - Featuring: Powershell, Log Parser, Perl, Sysinternals)

Hope to see you all there!!!

Respectfully,

Dave Kleiman - http://www.DigitalForensicExpert.com
http://www.ComputerForensicExaminer.com - http://DigitalForensicAnalyst.com
4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410
561.310.8801
Digital Computer Forensics + Data Recovery + Electronic Discovery

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Johnny Ramone
Sent: Friday, May 01, 2009 21:03
To: max
Cc: security-basics () lists securityfocus com
Subject: Re: forensics procedure for PC analysis

I've studied CCE stds & practices, etc. - the suggested procedure at that time was "in vivo", if at all possible. That way you get the full machine state, memory contents, page file(s), and whatever peripheral doodads (you'll probably want that encrypted usb startup key). And of course the full drive contents at bit level.

Man, I hate to do this since it seems every other post I throw in a dismal/jaded comment, but..... LE et al. worship at the altar of EnCase (or if they're real rebels, FTK). So it might be advisable to be a Patriot, and just hire someone who has a license of EnCase/FTK (depending on the standards of your local LE clan) as needed.

On 5/1/09, max <maximilianbianco () gmail com> wrote:
On Mon, Apr 27, 2009 at 11:31:17AM +0100, John O Laoi wrote:
> Hello,
> Does anyone have pointers to a full recommended procedure on
> preserving PC data for forensic analysis?
> I'm thinking about things like getting a full backup (using dd),
> preserving the disks, graceful shutdown or not, etc.
>
dd is a good choice but also see ddrescue. As for a graceful shutdown, that depends on the circumstances and what you're referring to as illicit material. If you think someone is downloading porn then I think a graceful shutdown is fine; if on the other hand you think you have an intruder or a trojaned host then I'd lean toward pulling the plug, simply because you don't know what an intruder or trojan is prepared to do if a shutdown is detected; at the least they will try to erase log data about their visit and activities, or perhaps worse. How important that particular host is will also be something to consider. There are more than a few live CDs available that help with things like this; HELIX is one and DEFT is another, though you may prefer to load your distro of choice and appropriate tools on a flash drive. CERT has a repo for Fedora: http://www.cert.org/forensics/tools/

> My employer has asked me to look into drafting a policy to address
> this, in situations where say illicit material has been lodged to
> disk.
>
Any such policy should only be used as a general guide in these situations; try not to get trapped in the proper procedure box. After all, it can be hard to tell when the intrusion first occurred; perhaps an intruder found your proper procedure list and left you a few surprises. Just saying, be flexible above all else.

Good Luck,
Max

--
"Any fool can know. The point is to understand" --Albert Einstein
Bored??
http://fiction.wikia.com/wiki/Fuqwit1.0
http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class. Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified Penetration Tester exams, taught by an expert with years of real pen testing experience.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
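The dd-based acquisition that Max recommends above, written out as an added example; it is not code from any post in this thread. It assumes a POSIX sh with dd, and either sha256sum (GNU coreutils) or shasum (BSD/macOS) on the path. A plain file stands in for the block device (a real run would pass something like /dev/sdX as the source), and the sample "evidence" file is constructed on the fly so the script runs offline. The point it adds to the thread is the verification step: hash the source before and after the copy, hash the image, and keep all three in an acquisition log, so a mismatch is caught at the time of acquisition rather than in court.

```shell
#!/bin/sh
# Added example (not from the thread): dd acquisition with hash verification
# and an acquisition log. A plain file stands in for the block device so the
# script runs offline; replace the source with e.g. /dev/sdX for a real disk.

# Print the SHA-256 of a file (sha256sum on GNU systems, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# size_of FILE: byte length, stripped of the leading spaces BSD wc prints.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_image SOURCE IMAGE: succeed only if both size and SHA-256 match.
verify_image() {
    [ "$(size_of "$1")" = "$(size_of "$2")" ] &&
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# acquire_image SOURCE IMAGE LOG: hash the source, copy it with dd, hash the
# source again (shows the copy did not alter it) and the image, and append
# all of it to LOG. Exit status is 0 only when every hash agrees.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    pre=$(hash_file "$src")
    # conv=noerror keeps dd going past read errors; conv=sync zero-pads the
    # failed block so image offsets still line up with the source.
    # Caveat: sync also pads a short final block, so a source that is not a
    # whole number of bs-sized blocks (unlike a real disk) will not hash-match.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    post=$(hash_file "$src")
    imgh=$(hash_file "$img")
    {
        printf 'acquired=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'source=%s image=%s\n' "$src" "$img"
        printf 'sha256_source_before=%s\n' "$pre"
        printf 'sha256_source_after=%s\n' "$post"
        printf 'sha256_image=%s\n' "$imgh"
    } >>"$log"
    [ "$pre" = "$post" ] && verify_image "$src" "$img"
}

# Demo on a constructed 4 KiB "evidence" file (eight 512-byte sectors).
demo() {
    dir=$(mktemp -d)
    dd if=/dev/urandom of="$dir/evidence.bin" bs=512 count=8 2>/dev/null
    if acquire_image "$dir/evidence.bin" "$dir/evidence.dd" "$dir/acq.log"; then
        echo "image verified"
    else
        echo "VERIFICATION FAILED"
    fi
    cat "$dir/acq.log"
    rm -rf "$dir"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it as `sh acquire.sh --demo` to see the log. For a real disk use a larger bs (the 512-byte demo size keeps the constructed file sector-aligned), write the image to a separate, write-blocked-from-source destination, and on media that is already throwing read errors prefer ddrescue, the tool Max points to, since it retries bad sectors and keeps a map file of what was and was not recovered instead of silently zero-filling.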
Current thread:
- forensics procedure for PC analysis John O Laoi (May 01)
- Re: forensics procedure for PC analysis Richard Thomas (May 01)
- Re: forensics procedure for PC analysis max (May 01)
- Re: forensics procedure for PC analysis Johnny Ramone (May 04)
- RE: forensics procedure for PC analysis Dave Kleiman (May 06)
- Re: forensics procedure for PC analysis Johnny Ramone (May 04)
- RE: forensics procedure for PC analysis Simon Thornton (May 04)