Security Basics mailing list archives

RE: forensics procedure for PC analysis


From: "Dave Kleiman" <dave () davekleiman com>
Date: Wed, 6 May 2009 03:34:39 -0400

*NOT LEGAL ADVICE*

If you want to be able to do this live, even while users are working, F-Response is an excellent choice, because you 
can use it with any forensic tool. http://www.f-response.com/  They have an enterprise version and it works well; you 
can request an online web demo, and there are plenty of how-to videos on their website.

The forensic tool you use is really a matter of preference. I prefer to go with a tool that has flexibility and can 
make DD, E0, AD etc. files. X-Ways Forensics http://www.x-ways.net/, EnCase http://www.x-ways.net/, and Access Data 
http://www.accessdata.com all make good products that are accepted industry-wide.


I have a collection of tools and a live preview lab that I teach at forensic conferences; they can be downloaded for 
free from my site:
http://www.digitalforensicexpert.com/computer-forensics-expert-florida-miami-palm-beach-lauderdale-dave-kleiman-forensic-training-files/

or http://tinyurl.com/dzqfym

Actually there is one coming up in Orlando in 2 weeks, the CEIC conference, http://www.ceicconference.com/agenda.aspx 
(Scripting Network Forensics - Featuring: Powershell, Log Parser, Perl, Sysinternals). Hope to see you all there!!!



Respectfully,

Dave Kleiman - http://www.DigitalForensicExpert.com
http://www.ComputerForensicExaminer.com - http://DigitalForensicAnalyst.com

4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410
561.310.8801 

Digital Computer Forensics + Data Recovery + Electronic Discovery


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Johnny Ramone
Sent: Friday, May 01, 2009 21:03
To: max
Cc: security-basics () lists securityfocus com
Subject: Re: forensics procedure for PC analysis

I've studied CCE stds & practices, etc. - the suggested procedure at
that time was "in vivo", if at all possible. That way you get the full
machine state, memory contents, page file(s), and whatever peripheral
doodads (you'll probably want that encrypted usb startup key). And of
course the full drive contents bit level.
Man, I hate to do this since it seems every other post I throw in a
dismal/jaded comment, but.....
LE et al. worship at the altar of EnCase (or if they're real rebels,
FTK). So it might be advisable to be a Patriot, and just hire someone
who has a license of EnCase/FTK (depending on the standards of your
local LE clan) as needed.

On 5/1/09, max <maximilianbianco () gmail com> wrote:
On Mon, Apr 27, 2009 at 11:31:17AM +0100, John O Laoi wrote:
 > Hello,
 > Does anyone have pointers to a full recommended procedure on
 > preserving PC data for forensic analysis?
 > I'm thinking about things like getting a full backup (using dd),
 > preserving the disks, graceful shutdown or not, etc.
 >

dd is a good choice, but also see ddrescue. As for a graceful shutdown, that depends on the circumstances and what 
you're referring to as illicit material. If you think someone is downloading porn then I think a graceful shutdown is 
fine; if on the other hand you think you have an intruder or a trojaned host then I'd lean toward pulling the plug, 
simply because you don't know what an intruder or trojan is prepared to do if a shutdown is detected. At the least they 
will try to erase log data about their visit and activities, or perhaps worse. How important that particular host is 
will also be something to consider.

 There are more than a few live CDs available that help with things like this; HELIX is one and DEFT is another, though 
you may prefer to load your distro of choice and appropriate tools on a flash drive. CERT has a repo for Fedora:

 http://www.cert.org/forensics/tools/



 > My employer has asked me to look into drafting a policy to address
 > this, in situations where say illicit material has been lodged to
 > disk.
 >

Any such policy should only be used as a general guide in these situations; try not to get trapped in the proper 
procedure box. After all, it can be hard to tell when the intrusion first occurred; perhaps an intruder found your 
proper procedure list and left you a few surprises. Just saying, be flexible above all else.

 Good Luck,

 Max



 --
 "Any fool can know. The point is to understand" --Albert Einstein

 Bored??
 http://fiction.wikia.com/wiki/Fuqwit1.0


 http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball



 ------------------------------------------------------------------------
 This list is sponsored by: InfoSec Institute

 Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
 Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

 http://www.infosecinstitute.com/courses/ethical_hacking_training.html

 ------------------------------------------------------------------------



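The bit-level dd acquisition that max's reply above recommends is only defensible if the image can later be shown to match what was read from the drive. Added example (not code from anyone in this thread): a small POSIX shell acquisition routine that images a source with dd, records source and image SHA-256 hashes in a log, and a second routine that re-verifies the image against that log. In real use the source is a block device such as /dev/sdb, read as root with the drive write-blocked; the demo at the bottom uses a constructed random file so it runs anywhere with GNU coreutils (sha256sum, dd, mktemp).

```shell
#!/bin/sh
# Added example, not code from the thread: bit-level acquisition with dd
# followed by hash verification. SOURCE would be a block device in practice;
# the demo below uses a constructed sample file (random bytes, not evidence).

# acquire_image SOURCE IMAGE LOG
# conv=noerror,sync reads past unreadable sectors and zero-fills them so
# offsets in the image stay aligned with the source. bs must divide the
# source size, or sync pads the final block and the hashes will not match;
# 512 divides any block device, at the cost of speed.
# Returns 0 only when the image hash equals the source hash.
acquire_image() {
    src=$1; img=$2; log=$3
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)    # hash before copying
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src"
        echo "source_sha256=$src_hash"
        echo "image=$img"
        echo "image_sha256=$img_hash"
    } >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Re-hashes IMAGE and compares it with the hash recorded at acquisition.
# Returns 0 on a match, 1 if the image changed since it was taken.
verify_image() {
    img=$1; log=$2
    expected=$(sed -n 's/^image_sha256=//p' "$log" | tail -n 1)
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Demo on a constructed 1 MiB "drive" made of random bytes.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/drive.bin" bs=512 count=2048 2>/dev/null
if acquire_image "$work/drive.bin" "$work/drive.dd" "$work/acquisition.log"; then
    echo "image verified against source; log in $work/acquisition.log"
fi
```

The dd "records in/out" lines land in the same log as the hashes, which is a useful record of whether any sectors were skipped; a mismatch after a run with read errors means the zero-filled padding needs to be accounted for before the hashes are compared.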


