Educause Security Discussion mailing list archives

Re: Best Forensic Tools?


From: David Gillett <gillettdavid () FHDA EDU>
Date: Tue, 30 Mar 2010 11:42:57 -0700

Many IT folks use "forensic" to mean something like "figuring out what
happened and who did what", and it's true that these are often questions
we'd like to answer.  But to the rest of the world, and especially to law
enforcement, "forensic" means "collecting and preserving evidence so it can
be presented in court".  IT doesn't always need that -- although it may! --
and that introduces concerns which don't directly answer the questions of
interest.  So when someone asks for the "best" tools, we really need to ask
what criteria are important to them.
  The advantage of the tools that have been suggested is that when used
properly -- i.e., by someone trained to preserve evidence and its chain of
custody -- the results will generally be accepted by a court without
wasteful and confusing challenges and scrutiny ... and the case can move on
to arguments about what the collected evidence MEANS about who did what, etc
-- without it, your digital "evidence" may get thrown out without ever
getting that far.
  (Investigation and analysis should be performed on a COPY of the preserved
evidence, and require an entirely different set of skills....)

David Gillett

(One of our campuses runs an occasional "Digital Forensics" course which
addresses procedures as well as exposure to specific tools....)
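One way to put the "work on a verified COPY of the preserved evidence" advice into practice, as an added example that is not from anyone in this thread: hash the preserved image, copy it, verify the copy's hashes match, and record each step in a chain-of-custody log before any analysis starts. The file names and examiner name are placeholders, and the "image" is constructed sample data.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def hash_file(path, algorithms=("md5", "sha256"), chunk=1 << 20):
    """Hash a file in fixed-size chunks so a large disk image need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def log_custody(log_path, examiner, action, item, digests):
    """Append one chain-of-custody entry as a JSON line with a UTC timestamp."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "action": action, "item": str(item), "hashes": digests}
    with open(log_path, "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry

def make_working_copy(original, working_copy, log_path, examiner):
    """Hash the preserved original, copy it, and refuse to proceed if the copy differs."""
    expected = hash_file(original)
    log_custody(log_path, examiner, "hash-original", original, expected)
    shutil.copyfile(original, working_copy)
    actual = hash_file(working_copy)
    if actual != expected:
        log_custody(log_path, examiner, "copy-mismatch", working_copy, actual)
        raise ValueError("working copy does not match the preserved original")
    log_custody(log_path, examiner, "copy-verified", working_copy, actual)
    return expected

def demo():
    """Run the workflow on a constructed 'image' in a temp dir; returns values for checking."""
    work = Path(tempfile.mkdtemp())
    original, copy, log = work / "evidence.dd", work / "working.dd", work / "custody.jsonl"
    data = b"constructed evidence bytes, not a real image\n" * 4096  # constructed sample
    original.write_bytes(data)
    digests = make_working_copy(original, copy, log, "examiner-placeholder")
    entries = [json.loads(line) for line in log.read_text().splitlines()]
    shutil.rmtree(work)
    return {"sha256": digests["sha256"],
            "expected_sha256": hashlib.sha256(data).hexdigest(),
            "actions": [e["action"] for e in entries]}

if __name__ == "__main__":
    print(demo())
```

The original is only ever opened read-only; analysis tools are pointed at the verified working copy, and the log gives a timestamped record of who handled what and when.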



-----Original Message-----
From: Guy Pace [mailto:gpace () SBCTC EDU]
Sent: Tuesday, March 30, 2010 09:56
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] Best Forensic Tools?

Encase and Forensic Toolkit (FTK) are the more common around here. None of
them are simple to use, especially if you are using them for forensic
analysis.

It isn't the software that has the reputation with the courts, it is the
investigator/examiner that has earned the respect and reputation through
hard experience. It doesn't matter what software you use, you can still make
a hash of an investigation if you don't understand the procedures and
process and know what you are doing.

I recommend getting some training, first. Then looking at the tools that
seem to fit your needs best. A good, thoughtful investigator/examiner using
simple, well-understood tools and knowing how to present the evidence can
trump an Encase bootcamp grad police officer in court.

Harlan Carvey uses a lot of self-designed tools for forensics work. He is
well known to the court systems where he works, and can speak plainly and
authoritatively to the information he gathers in his investigations. He is
the exception and exceptional. Could an untrained person grab a bunch of his
tools and do the same?  Not likely.

Also, never underestimate where an incident will end up. Always approach an
incident as though it will end up in court, pay attention to process and
chain of evidence and act accordingly. If you are not trained to gather
forensic evidence with the tools you have and on the platform in question,
stop and bring in a certified digital forensic investigator. It is that
important.



Guy L. Pace, CISSP
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () sbctc edu

"Great art is a practice. Turn it into a process and the result is a
paint-by-numbers system." Bob Lewis


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wayne Samardzich
Sent: Tuesday, March 30, 2010 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Best Forensic Tools?


What forensic tools do you use?  For copying HD's,  looking for data,
e-discovery?

I've been looking at Encase and Safeback: not sure of the pricing
structures. We need some tools that will be relatively easy to use and
have the reputation in the legal world for effectiveness and
trustworthiness.


Best,

Wayne

Wayne Samardzich
Operations Supervisor
Information Services
Purdue Calumet
219 989  2307
