Re: Digital Forensics Professional Services Costs was Use of Digital Forensics Professional Services

[Buz Dale <buz.dale () USG EDU>]

It is also possible to image the RAM and harddrive of a running system.
This can be useful if the system needs to stay up or you think the RAM
information is important.
Buz

Hull, Dave wrote:
> Depends on how you handle the resource in question.
>
> If it's a workstation, you should
> 1. Fill out a chain of custody document any time the system or data
> changes hands.
> 2. Pull the power plug before you touch the file system.
> 3. Boot the workstation from a bootable CDROM like Helix.
> 4. Mount the suspect drives in read only mode.
> 5. Make an MD5 or SHA-1 hash of the disk. Record that hash value
> somewhere and double check your work.
> 6. Make a bit level copy of the disk using dd or equivalent tools.
> 7. Run the same checksum algorithm against your copy and make sure it
> matches the checksum from step 4.
> 8. Make a copy of this image on your forensic workstation and verify the
> checksum again.
> 9. Perform forensics on the copy of the image.
>
> If you've got the money, purchase a Logicube or equivalent device and
> pull the drives from the system to make your forensically sound copy.
>
> These steps are the same as those taken by professional computer
> forensic examiners and they go to court all the time. The critical
> elements for admissibility are that your hash values match and that you
> have good "chain of custody" documentation.
>
> Of course, if the target system is a high profile system like your main
> web server, taking it offline long enough to image its drives can be
> problematic.


--
----
Buz Dale                                buz.dale () usg edu
IT Security Specialist              1-888-875-3697
Office of Information and Instructional Technology
University System of Georgia