PaulDotCom mailing list archives

Digital Forensic Software


From: arch3angel at gmail.com (Robert Miller)
Date: Wed, 09 Dec 2009 16:12:43 -0500

Tyler,

Is this the first case your prosecuting attorney has had relating to 
digital data evidence?

If not, ask them what or who they used the last time and contact them for 
advice.  If this is the first case or bad outcomes came from the previous 
case(s), I would suggest contacting your local InfraGard 
(http://www.infragard.net/) chapter.  Along with that, look into any 
local universities that may be teaching any type of forensic classes; 
they would have at least a brief overview on how to handle the 
evidence.  An example of what I am talking about is here: 
http://www.starkstate.edu/academics/it_tech/cybersecur.htm or 
http://www.starkstate.edu/academics/it_tech/cybersecur/digital-forensics.htm 
- try to locate the professor teaching these classes, then reach out 
with your story asking for advice.

Also look at SANS Computer Forensics and reach out to Rob Lee; he has 
produced some really good articles and posts on these topics.  Along 
with Mr. Lee, you might look at Chris Gerling from the Securabit podcast; he 
has talked about forensic classes and his personal experiences with 
digital forensics, and he would be a good resource.

As for software, I have only used Helix prior to 3.0, the paid version, 
and I am unsure if Chris Gerling and Marcus Carey have officially 
released Sumo Linux, which was to take the place of Helix as an open 
source solution.

Contact Scott Moulton (http://www.forensicstrategy.com/); he has a good 
number of videos on YouTube showing things he has done, and he is also 
really nice and helpful if you have questions.

Some other useful things might be:

http://www.myharddrivedied.com/computer_forensics.html
http://www.irongeek.com/i.php?page=videos/advanced-data-recovery-forensic-scott-moulton
http://www.irongeek.com/i.php?page=videos/data-carving-with-photorec-to-retrieve-deleted-files-from-formatted-drives-for-forensics-and-disaster-recovery
http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots
http://blog.dojosec.com/
http://www.opensourceforensics.org/tools/unix.html
http://www.opensourceforensics.org/tools/windows.html

I know when I started working on live memory forensics, local law 
enforcement and universities had a hard time giving me a proper chain 
of custody procedure because of how new this area is.  It did seem, 
though, that everyone I spoke to stressed the importance of chain of 
custody and the contamination of the evidence during the recovery.

I am sorry this is not a better or more detailed answer to your question, but I hope 
others can add to this or that something I have given will lead you in the right 
direction.

Please keep us in the loop as you find your answers, thanks.

- Robert
arch3angel
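An added example (not code from either poster) of the integrity side of the chain of custody Robert mentions: hash the image at acquisition, log each hand-off, and re-hash later so any alteration of the evidence is detected. The record fields, names and the sample "image" are constructed assumptions, not a standard form.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # hash in 1 MiB pieces so a multi-GB image never sits in memory


def hash_image(data, algorithms=("md5", "sha256")):
    """Hash bytes or a file-like object once, feeding each chunk to every algorithm.
    Forensic reports commonly list both MD5 and SHA-256 of the acquired image."""
    stream = data if hasattr(data, "read") else io.BytesIO(data)
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def acquisition_record(evidence_id, examiner, tool, data):
    """Initial custody entry made at imaging time: size, digests, who acquired it."""
    size, digests = hash_image(data)
    return {"evidence_id": evidence_id, "acquisition_tool": tool,
            "size_bytes": size, "hashes": digests,
            "custody": [{"action": "acquired", "by": examiner,
                         "at": datetime.now(timezone.utc).isoformat()}]}


def log_transfer(record, from_person, to_person, purpose):
    """Append a hand-off; the list is append-only so every holder stays on record."""
    record["custody"].append({"action": "transferred", "from": from_person,
                              "to": to_person, "purpose": purpose,
                              "at": datetime.now(timezone.utc).isoformat()})
    return record


def verify_image(record, data):
    """Re-hash the image; any change, even one byte, makes this return False."""
    size, digests = hash_image(data)
    return size == record["size_bytes"] and digests == record["hashes"]


# Constructed stand-in for a dd image: a zeroed sector, a marker, some filler
SAMPLE_IMAGE = b"\x00" * 512 + b"FAKE-PARTITION-TABLE" + b"\xff" * 1000

if __name__ == "__main__":
    rec = acquisition_record("EV-2009-001", "examiner", "dd", SAMPLE_IMAGE)
    log_transfer(rec, "examiner", "evidence locker", "storage pending analysis")
    print(rec)
    print("original intact:", verify_image(rec, SAMPLE_IMAGE))  # True
    tampered = SAMPLE_IMAGE[:600] + b"X" + SAMPLE_IMAGE[601:]
    print("tampered intact:", verify_image(rec, tampered))  # False
```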

On 12/9/2009 12:55 PM, Tyler Robinson wrote:
Hey all, looking for some of the fantastic advice that the pauldotcom 
listeners always provide. I am helping our prosecuting attorney with 
evidence from a hard drive. I am wondering what software everyone is 
using to make the drive images, and if anyone knows of a good website 
that has all the proper forms, e.g. digital chain of custody, and also 
some checklists or guidelines. I know that Helix is a widely accepted 
Linux distro for this sort of thing but don't have much experience with 
it. I also have a copy of FTR and have worked with it a bit. So any 
advice at all is always appreciated. Thanks again, and thanks to Paul 
and Larry for bringing together such a dynamic group of security 
professionals and a great show.

-- 
Tyler Robinson
Owner of Computer Impressions and Tactical Network Security


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
