PaulDotCom mailing list archives

Digital Forensic Software


From: karl.schuttler at gmail.com (Karl Schuttler)
Date: Wed, 9 Dec 2009 17:16:06 -0500

FTK Imager is a pretty good (and free) imaging software. Digital chain
of custody is very similar to your regular chain of custody; there
isn't any standard form for it. Attached is one I whipped up for my
digital forensics class in OpenOffice Calc, based off of
http://www.precisecyberforensics.com/CoC.html. I've also attached it
in Excel format, but I don't know if the formatting gets messed up.

The Forensic Examination of Digital Evidence: A Guide for Law
Enforcement (http://www.ncjrs.gov/pdffiles1/nij/199408.pdf) is a good
start for general procedures in the seizure of digital evidence. It
also has some nice worksheets in the middle of it used by the DEA.

Finally, I assume that the prosecutor would be aware of this, but some
states have laws with regard to who can perform a forensic evaluation.
In MI, for example, there are some draconian criteria you have to
follow to be legit, such as the requirement to have a PI license; if
you perform digital forensics there and do not follow their
guidelines, you are committing a felony. It would be worthwhile to
make sure any work you're doing for the state isn't illegal.
http://www.forensicmag.com/articles.asp?pid=273 lists the laws for
Arizona, California, and South Carolina.

Hope this helped,
Karl

On Wed, Dec 9, 2009 at 12:55 PM, Tyler Robinson <pcimpressions at gmail.com> wrote:
Hey all, looking for some of the fantastic advice that the pauldotcom
listeners always provide. I am helping our prosecuting attorney with
evidence from a hard drive. I am wondering what software everyone is using
to make the drive images, and if anyone knows of a good website that has all
the proper forms, e.g. digital chain of custody, and also some checklists or
guidelines. I know that Helix is a widely accepted Linux distro for this
sort of thing but don't have much experience with it. I also have a copy of
FTR and have worked with it a bit. So any advice at all is always
appreciated. Thanks again, and thanks to Paul and Larry for bringing together
such a dynamic group of security professionals and a great show.

--
Tyler Robinson
Owner of Computer Impressions and Tactical Network Security

