Educause Security Discussion mailing list archives
Re: Best Forensic Tools?
From: Wayne Samardzich <Samardzi () CALUMET PURDUE EDU>
Date: Tue, 30 Mar 2010 14:05:49 -0500
David, I agree. As you and others know, we in IT get thrown into things at a moment's notice. I do need a tool that will make a drive copy so that we may preserve the original and document the chain of custody in case we do end up in court. I'm not interested in bit dissection to see if the data had been changed on a quantum level. It would be good to have a tool box of good tools to do at least the first phases of evidence gathering and preservation for the experts. Training and experience are without a doubt important, if you can get them!

Wayne

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Gillett
Sent: Tuesday, March 30, 2010 1:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Best Forensic Tools?

Many IT folks use "forensic" to mean something like "figuring out what happened and who did what", and it's true that these are often questions we'd like to answer. But to the rest of the world, and especially to law enforcement, "forensic" means "collecting and preserving evidence so it can be presented in court". IT doesn't always need that -- although it may! -- and that introduces concerns which don't directly answer the questions of interest.

So when someone asks for the "best" tools, we really need to ask what criteria are important to them. The advantage of the tools that have been suggested is that when used properly -- i.e., by someone trained to preserve evidence and its chain of custody -- the results will generally be accepted by a court without wasteful and confusing challenges and scrutiny ... and the case can move on to arguments about what the collected evidence MEANS about who did what, etc -- without it, your digital "evidence" may get thrown out without ever getting that far.

(Investigation and analysis should be performed on a COPY of the preserved evidence, and require an entirely different set of skills....)

David Gillett

(One of our campuses runs an occasional "Digital Forensics" course which addresses procedures as well as exposure to specific tools....)

-----Original Message-----
From: Guy Pace [mailto:gpace () SBCTC EDU]
Sent: Tuesday, March 30, 2010 09:56
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] Best Forensic Tools?

Encase and Forensic Toolkit (FTK) are the more common around here. None of them are simple to use, especially if you are using them for forensic analysis.

It isn't the software that has the reputation with the courts, it is the investigator/examiner that has earned the respect and reputation through hard experience. It doesn't matter what software you use, you can still make a hash of an investigation if you don't understand the procedures and process and know what you are doing. I recommend getting some training, first. Then looking at the tools that seem to fit your needs best.

A good, thoughtful investigator/examiner using simple, well-understood tools and knowing how to present the evidence can trump an Encase bootcamp grad police officer in court. Harlan Carvey uses a lot of self-designed tools for forensics work. He is well known to the court systems where he works, and can speak plainly and authoritatively to the information he gathers in his investigations. He is the exception and exceptional. Could an untrained person grab a bunch of his tools and do the same? Not likely.

Also, never underestimate where an incident will end up. Always approach an incident as though it will end up in court, pay attention to process and chain of evidence and act accordingly. If you are not trained to gather forensic evidence with the tools you have and on the platform in question, stop and bring in a certified digital forensic investigator. It is that important.

Guy L. Pace, CISSP
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () sbctc edu

"Great art is a practice. Turn it into a process and the result is a paint-by-numbers system." Bob Lewis

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wayne Samardzich
Sent: Tuesday, March 30, 2010 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Best Forensic Tools?

What forensic tools do you use? For copying HD's, looking for data, e-discovery? I've been looking at Encase and Safeback: not sure of the pricing structures. We need some tools that will be relatively easy to use and have the reputation in the legal world for effectiveness and trustworthiness.

Best,
Wayne

Wayne Samardzich
Operations Supervisor
Information Services
Purdue Calumet
219 989 2307

Think before you print
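The drive-copy step discussed in this thread (image the original without touching it, verify the copy against the source by hash, analyse only the copy, and keep a written record of who did what and when), as an added example that is not code from any poster here. It assumes GNU coreutils dd, sha256sum and date on a Linux host; the source in run_demo is a constructed 1 MiB file standing in for a device node such as /dev/sdb, and the image and log paths are placeholders for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): image a source device, verify the
# copy by hash, and append a chain-of-custody record.
# Assumptions: GNU coreutils dd/sha256sum/date on Linux. The source used by
# run_demo is a constructed 1 MiB file standing in for a device such as
# /dev/sdb; on a real case the device sits behind a write blocker and is
# never mounted.
set -eu

# Print only the SHA-256 digest of a file.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy $1 (source) to $2 (image). dd opens the source read-only.
# conv=noerror keeps reading past bad sectors and conv=sync zero-fills
# the sector that failed; bs=512 matches the sector size so that padding
# can only ever replace an unreadable sector, not a trailing short block
# (with a larger bs a final partial read would be padded and the image
# hash would not match the source).
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Hash source ($1) and image ($2), append a custody record to log ($3),
# and print MATCH or MISMATCH. A mismatch is logged too: a failed
# verification is part of the record of what happened to the copy.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    if [ "$src_hash" = "$img_hash" ]; then
        result=MATCH
    else
        result=MISMATCH
    fi
    printf '%s\toperator=%s\tsource=%s\tsource_sha256=%s\timage=%s\timage_sha256=%s\tresult=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" \
        "$1" "$src_hash" "$2" "$img_hash" "$result" >> "$3"
    echo "$result"
}

# Constructed stand-in for a device: 2048 sectors of random bytes.
make_demo_source() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Acquire and verify a fresh demo source; prints MATCH.
run_demo() {
    dir=$(mktemp -d)
    make_demo_source "$dir/sdb"
    acquire_image "$dir/sdb" "$dir/sdb.dd"
    r=$(verify_image "$dir/sdb" "$dir/sdb.dd" "$dir/custody.log")
    rm -rf "$dir"   # demo only; never delete a real image or its log
    echo "$r"
}

# Same, but the image is altered after acquisition; prints MISMATCH,
# which is exactly the failure the hash check exists to catch.
run_demo_tampered() {
    dir=$(mktemp -d)
    make_demo_source "$dir/sdb"
    acquire_image "$dir/sdb" "$dir/sdb.dd"
    printf 'x' >> "$dir/sdb.dd"
    r=$(verify_image "$dir/sdb" "$dir/sdb.dd" "$dir/custody.log")
    rm -rf "$dir"
    echo "$r"
}

run_demo
```

Two practical notes. Hashing the source separately means reading the whole drive a second time; purpose-built imagers such as dcfldd and dc3dd hash the stream while copying, which is why they are preferred over plain dd on large disks. And the custody log is only as good as its protection: keep it (and a hash of the image) somewhere the examiner cannot silently edit, so the record can be shown to predate any later analysis.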
Current thread:
- Best Forensic Tools? Wayne Samardzich (Mar 30)
- <Possible follow-ups>
- Re: Best Forensic Tools? Guy Pace (Mar 30)
- Re: Best Forensic Tools? Zach Jansen (Mar 30)
- Re: Best Forensic Tools? David Gillett (Mar 30)
- Re: Best Forensic Tools? Wayne Samardzich (Mar 30)
- Re: Best Forensic Tools? Bradley, Stephen W. Mr. (Mar 30)
- Re: Best Forensic Tools? O'Callaghan, Daniel (Mar 30)
- Re: Best Forensic Tools? Patrick Goggins (Mar 30)
- Re: Best Forensic Tools? Eric Case (Mar 30)