Educause Security Discussion mailing list archives
Re: Best Forensic Tools - the ones that law enforcement use....
From: "SCHALIP, MICHAEL" <mschalip () CNM EDU>
Date: Tue, 30 Mar 2010 11:47:04 -0600
I understand the perceived value (and "challenge") of being able to apply "scalpel and probe" to a hard drive and find some sort of "evidence of wrong-doing" - but - every law enforcement or legal entity that I've ever talked to has told me, "If you think that there's something illegal on a computer - don't touch it - unplug it (if it doesn't have DeepFreeze on it - otherwise, just unplug the network cable) - post a security person near it - call the local police - and let them deal with it."

If one wants to gather "evidence" for internal use - you can do that for a lot less than an industry standard toolset like Encase - and if you *do* invest in the software, and the training, and the certification, etc. - you're still better off just handing the entire computer over to local law enforcement and letting them pull off of the system what they need. The rules of evidence aren't trivial.

Typically, if you've got a local FBI office - they actually have/had? a presentation that they would come in and give to tell IT folks what you should/shouldn't do when dealing with a suspected problem....

Just my $.02....

M

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Guy Pace
Sent: Tuesday, March 30, 2010 10:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Best Forensic Tools?

Encase and Forensic Toolkit (FTK) are the more common around here. None of them are simple to use, especially if you are using them for forensic analysis. It isn't the software that has the reputation with the courts, it is the investigator/examiner that has earned the respect and reputation through hard experience. It doesn't matter what software you use, you can still make a hash of an investigation if you don't understand the procedures and process and know what you are doing. I recommend getting some training, first. Then looking at the tools that seem to fit your needs best.

A good, thoughtful investigator/examiner using simple, well-understood tools and knowing how to present the evidence can trump an Encase bootcamp grad police officer in court. Harlan Carvey uses a lot of self-designed tools for forensics work. He is well known to the court systems where he works, and can speak plainly and authoritatively to the information he gathers in his investigations. He is the exception and exceptional. Could an untrained person grab a bunch of his tools and do the same? Not likely.

Also, never underestimate where an incident will end up. Always approach an incident as though it will end up in court, pay attention to process and chain of evidence and act accordingly. If you are not trained to gather forensic evidence with the tools you have and on the platform in question, stop and bring in a certified digital forensic investigator. It is that important.

Guy L. Pace, CISSP
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () sbctc edu

"Great art is a practice. Turn it into a process and the result is a paint-by-numbers system." Bob Lewis

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wayne Samardzich
Sent: Tuesday, March 30, 2010 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Best Forensic Tools?

What forensic tools do you use? For copying HDs, looking for data, e-discovery? I've been looking at Encase and Safeback: not sure of the pricing structures. We need some tools that will be relatively easy to use and have the reputation in the legal world for effectiveness and trustworthiness.

Best,
Wayne

Wayne Samardzich
Operations Supervisor
Information Services
Purdue Calumet
219 989 2307

Think before you print

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
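Guy Pace's advice to treat every incident as though it will end up in court, and Wayne's question about copying drives, both come down to being able to show later that an image is byte-for-byte what was acquired. The following is an added example, not code from this thread or from any of the tools named in it. It hashes a disk image in fixed-size chunks (so a large image never has to fit in memory), writes an acquisition record naming the examiner, the source and the hashes, and appends a verified hand-off entry each time the image changes hands. Both MD5 and SHA-256 are recorded because many examiner reports and tools still quote MD5 alongside a stronger hash. The examiner name, asset tag, file names and the tiny "image" in `demo()` are all constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces; real images run to hundreds of GB


def hash_image(path):
    """Return MD5, SHA-256 and size of an image file, read in chunks."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(),
            "bytes": os.path.getsize(path)}


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def write_custody_record(image_path, examiner, source_desc, record_path):
    """Acquisition entry: who imaged what, when (UTC), and the hashes at acquisition."""
    rec = {"image": os.path.basename(image_path), "source": source_desc,
           "examiner": examiner, "acquired_utc": _now(),
           "hashes": hash_image(image_path), "transfers": []}
    with open(record_path, "w") as f:
        json.dump(rec, f, indent=2)
    return rec


def verify_image(image_path, record_path):
    """Re-hash the image and compare with the acquisition hashes. Returns (ok, current_hashes)."""
    with open(record_path) as f:
        rec = json.load(f)
    now = hash_image(image_path)
    return now == rec["hashes"], now


def log_transfer(record_path, image_path, from_person, to_person):
    """Append a hand-off entry; the image is re-verified at every transfer so a
    later mismatch can be placed between two named custodians."""
    ok, now = verify_image(image_path, record_path)
    with open(record_path) as f:
        rec = json.load(f)
    entry = {"when_utc": _now(), "from": from_person, "to": to_person,
             "verified": ok, "sha256_at_transfer": now["sha256"]}
    rec["transfers"].append(entry)
    with open(record_path, "w") as f:
        json.dump(rec, f, indent=2)
    return entry


def demo():
    """Constructed walk-through: acquire, one clean hand-off, then a single
    flipped bit before the next hand-off. Returns the outcomes for inspection."""
    d = tempfile.mkdtemp()
    img = os.path.join(d, "evidence01.dd")
    rec = os.path.join(d, "evidence01.custody.json")
    with open(img, "wb") as f:            # constructed sample "image", 8 KiB
        f.write(b"\x00" * 4096 + bytes(range(256)) * 16)

    write_custody_record(img, "J. Examiner (constructed)",
                         "Seized laptop HDD, asset tag 12345 (constructed)", rec)
    clean = log_transfer(rec, img, "J. Examiner", "Evidence locker")

    # Simulate tampering after the image left the examiner: flip one bit.
    with open(img, "r+b") as f:
        f.seek(4100)
        b = f.read(1)
        f.seek(4100)
        f.write(bytes([b[0] ^ 0x01]))
    tampered = log_transfer(rec, img, "Evidence locker", "Outside counsel")

    with open(rec) as f:
        final = json.load(f)
    return {"clean_ok": clean["verified"], "tampered_ok": tampered["verified"],
            "entries": len(final["transfers"]), "sha256": final["hashes"]["sha256"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

This is bookkeeping, not acquisition: it assumes the image was made through a write blocker with a tool that reports its own acquisition hash, and those tool-reported hashes are what belong in the record. A JSON file sitting next to the image can be edited just as easily as the image, so in practice the record is printed and signed, or stored and hashed separately, and none of this substitutes for the training and legal process the posts above describe.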
Current thread:
- Re: Best Forensic Tools - the ones that law enforcement use.... SCHALIP, MICHAEL (Mar 30)