Educause Security Discussion mailing list archives

Re: Best Forensic Tools?


From: Wayne Samardzich <Samardzi () CALUMET PURDUE EDU>
Date: Tue, 30 Mar 2010 14:05:49 -0500

David,

I agree. As you and others know, we in IT get thrown into things at a
moment's notice.  I do need a tool that will make a drive copy so that
we may preserve the original and document the chain of custody in case
we do end up in court.  I'm not interested in bit dissection to see if
the data had been changed on a quantum level.  

It would be good to have a tool box of good tools to do at least the
first phases of evidence gathering and preservation for the experts. 


Training and experience are without a doubt important, if you can get
them!

Wayne  
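As an added illustration of the drive-copy and chain-of-custody step discussed above (example code written for this archive page, not from the original thread or from any of the tools it names), the script below images a constructed stand-in file rather than a real device, records SHA-256 hashes of source and image in a custody log, and shows that analysis on a working copy leaves the preserved image verifiable; file names, the hash choice and the examiner label are assumptions of the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_of(path: str) -> str:
    """Hash a file in 1 MiB chunks so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(source: str, image: str, log: str, examiner: str) -> dict:
    """Copy source to image, hash both, mark the image read-only, append a custody record."""
    shutil.copyfile(source, image)
    os.chmod(image, 0o444)  # the preserved image is never worked on directly
    src_hash, img_hash = sha256_of(source), sha256_of(image)
    record = {"acquired_at": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
              "source": source, "image": image, "source_sha256": src_hash,
              "image_sha256": img_hash, "verified": src_hash == img_hash}
    with open(log, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")  # one JSON line per custody event
    return record

def still_intact(image: str, log: str) -> bool:
    """Re-hash the preserved image against the hash logged for it at acquisition."""
    with open(log, encoding="utf-8") as f:
        logged = {json.loads(l)["image"]: json.loads(l)["image_sha256"] for l in f if l.strip()}
    return sha256_of(image) == logged.get(image)

def demo() -> dict:
    """Acquire a constructed stand-in 'drive', then analyse only a working copy."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "suspect_drive.bin")  # constructed sample, not a real disk
    with open(source, "wb") as f:
        f.write(b"MBR" + os.urandom(4096) + b"END")
    image, log = os.path.join(work, "evidence.img"), os.path.join(work, "custody.jsonl")
    record = acquire(source, image, log, examiner="examiner-01 (placeholder)")
    working = os.path.join(work, "working_copy.img")
    shutil.copyfile(image, working)          # analysis tooling touches this copy only
    with open(working, "r+b") as f:
        f.write(b"X")                        # simulate an analysis step that writes
    return {"verified": record["verified"], "image_intact": still_intact(image, log),
            "working_changed": sha256_of(working) != record["image_sha256"]}
```

Re-running still_intact against the log at any later point is the check a practitioner would repeat before handing the image on.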

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Gillett
Sent: Tuesday, March 30, 2010 1:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Best Forensic Tools?

Many IT folks use "forensic" to mean something like "figuring out what
happened and who did what", and it's true that these are often questions
we'd like to answer.  But to the rest of the world, and especially to law
enforcement, "forensic" means "collecting and preserving evidence so it can
be presented in court".  IT doesn't always need that -- although it may! --
and that introduces concerns which don't directly answer the questions of
interest.  So when someone asks for the "best" tools, we really need to ask
what criteria are important to them.
  The advantage of the tools that have been suggested is that when used
properly -- i.e., by someone trained to preserve evidence and its chain of
custody -- the results will generally be accepted by a court without
wasteful and confusing challenges and scrutiny ... and the case can move on
to arguments about what the collected evidence MEANS about who did what, etc.
-- without it, your digital "evidence" may get thrown out without ever
getting that far.
  (Investigation and analysis should be performed on a COPY of the preserved
evidence, and require an entirely different set of skills....)

David Gillett

(One of our campuses runs an occasional "Digital Forensics" course which
addresses procedures as well as exposure to specific tools....)



-----Original Message-----
From: Guy Pace [mailto:gpace () SBCTC EDU]
Sent: Tuesday, March 30, 2010 09:56
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] Best Forensic Tools?

Encase and Forensic Toolkit (FTK) are the more common around here. None of
them are simple to use, especially if you are using them for forensic
analysis.

It isn't the software that has the reputation with the courts, it is the
investigator/examiner that has earned the respect and reputation through
hard experience. It doesn't matter what software you use, you can still make
a hash of an investigation if you don't understand the procedures and
process and know what you are doing.

I recommend getting some training, first. Then looking at the tools that
seem to fit your needs best. A good, thoughtful investigator/examiner using
simple, well-understood tools and knowing how to present the evidence can
trump an Encase bootcamp grad police officer in court.

Harlan Carvey uses a lot of self-designed tools for forensics work. He is
well known to the court systems where he works, and can speak plainly and
authoritatively to the information he gathers in his investigations. He is
the exception and exceptional. Could an untrained person grab a bunch of his
tools and do the same?  Not likely.

Also, never underestimate where an incident will end up. Always approach an
incident as though it will end up in court, pay attention to process and
chain of evidence and act accordingly. If you are not trained to gather
forensic evidence with the tools you have and on the platform in question,
stop and bring in a certified digital forensic investigator. It is that
important.



Guy L. Pace, CISSP
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () sbctc edu

"Great art is a practice. Turn it into a process and the result is a
paint-by-numbers system." Bob Lewis


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wayne Samardzich
Sent: Tuesday, March 30, 2010 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Best Forensic Tools?


What forensic tools do you use?  For copying HDs, looking for data,
e-discovery?

I've been looking at Encase and Safeback: not sure of the pricing
structures.  We need some tools that will be relatively easy to use and
have the reputation in the legal world for effectiveness and
trustworthiness.


Best,

Wayne

Wayne Samardzich
Operations Supervisor
Information Services
Purdue Calumet
219 989  2307
Think before you print
