I believe some of these are already out there and in circulation, albeit in
a limited set of hands...I personally don't get into such things (though I
would like to) but based on a conversation I had with someone about 2 yrs ago
who did computer forensics...they booted on a floppy which loaded software
to copy the hard drive(s) off to tape in a block fashion, so as not to
change any file stamps, and this tape was then used to restore to a lab
machine of the same type (he said they had stacks of machines so as to be
able to duplicate closely most anything from top of the line to PS-1's and
other assorted antiques). From here they could run a barrage of utilities
against the restored data for analysis, and if that procedure re-stamped the
data, simply restore again a 'clean' copy...and yes, he said the parallel
port took forever to load the disk but that was all they had to work with
without installing anything on the system. Methods might be more advanced
today but I imagine follow the same general procedure. I couldn't pry any
more detail than that out of him...
It is an area that sounds interesting though...
As an added feature one could actually look at WHAT was modified when, to
make an educated guess as to WHAT was done...meaning if file x, file y, and
file z were modified at the same time, maybe they re-installed the
networking components? or maybe all the logging on all the assorted firewall
software on that machine STOPPED at time X, and the crime was at time Y...or
something like that...it would be very hard to do and would be OS specific,
or even application specific but might yield some useful information...some
sort of database to correlate the date/timestamps on all the files on a
system and then jump to conclusions about it...
gee, I ramble...
Egoslayer1
***
>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>CC: [EMAIL PROTECTED], Jason Sheffield <[EMAIL PROTECTED]>,
>[EMAIL PROTECTED]
>Subject: Forensic ToolKit Recommendation
>Date: Fri, 15 Sep 2000 13:05:09 -0700
>
>What would people recommend for an Information Security Forensic Toolkit??
>
>Something that does the following:
>
>A software utility that would protect the subject computer system during
>the forensic examination from any possible alteration, damage, data
>corruption, or virus introduction.
>
>A software utility that would discover all files on the subject system.
>This includes existing normal files, deleted yet remaining files, hidden
>files, password-protected files, and encrypted files.
>
>Another utility that would recover all (or as much as possible) of
>discovered deleted files.
>
>A data viewer that would reveal (to the extent possible) the contents of
>hidden files as well as temporary or swap files used by both the
>application programs and the operating system.
>
>A report utility that would produce the number of accesses, etc. (if possible
>and if legally appropriate) the contents of protected or encrypted files.
>
>An analysis utility that would analyze all possibly relevant data found in
>special (and typically inaccessible) areas of a disk. This includes but is
>not limited to what is called 'unallocated' space on a disk (currently
>unused, but possibly the repository of previous data that is relevant
>evidence), as well as 'slack' space in a file (the remnant area at the end
>of a file, in the last assigned disk cluster, that is unused by current
>file data, but once again may be a possible site for previously created and
>relevant evidence).
>
>A report utility that would print out an overall analysis in some sort of
>pre-defined format.
>
>If someone was developing this type of tool for the InfoSec community,
>would this type of tool be of much interest on either the Linux or the
>Windows platform (i.e. Windows 9x, NT, 2k)?
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
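Egoslayer1's idea of a database that correlates the date/time stamps on all the files of a system, as an added example that is not part of the original thread: it clusters files re-stamped close together (the "file x, y and z modified at the same time" pattern) and flags log files that went silent before a given incident time (the "logging stopped at time X, crime at time Y" pattern). The paths and times in SAMPLE are constructed, and collect() is a hypothetical helper for building the same records from a restored, read-only copy of a disk.

```python
"""Correlate file mtimes into a rough activity timeline (added example)."""
import os
from datetime import datetime, timedelta

# Constructed sample records (path, mtime): three network config files were
# re-stamped within the same minute, and the firewall log stopped earlier.
SAMPLE = [
    ("/etc/hosts", "2000-09-14T23:58:10"),
    ("/var/log/fw/fw.log", "2000-09-15T01:10:00"),
    ("/etc/sysconfig/network", "2000-09-15T02:14:03"),
    ("/etc/sysconfig/network-scripts/ifcfg-eth0", "2000-09-15T02:14:05"),
    ("/etc/resolv.conf", "2000-09-15T02:14:41"),
    ("/home/user/notes.txt", "2000-09-15T09:30:00"),
]

def parse(records):
    """(path, ISO-8601 mtime) pairs -> (datetime, path), sorted by time."""
    return sorted((datetime.fromisoformat(ts), p) for p, ts in records)

def cluster_by_mtime(records, window=timedelta(seconds=60)):
    """Group files whose mtime is within `window` of the previous file's.

    Each cluster is a list of paths in time order.  Several files re-stamped
    together is the 'file x, y and z modified at the same time' pattern that
    points at one action, such as reinstalling the networking components.
    """
    clusters, prev = [], None
    for ts, path in parse(records):
        if prev is None or ts - prev > window:
            clusters.append([])
        clusters[-1].append(path)
        prev = ts
    return clusters

def stale_logs(records, incident, log_prefix="/var/log/"):
    """Log files whose last write predates `incident` (ISO-8601 string):
    logging that stopped at time X while the event was at time Y is a finding."""
    cutoff = datetime.fromisoformat(incident)
    return [p for ts, p in parse(records)
            if p.startswith(log_prefix) and ts < cutoff]

def collect(root):
    """Hypothetical helper: build records via lstat() from a restored, read-only copy."""
    return [(p, datetime.fromtimestamp(os.lstat(p).st_mtime).isoformat())
            for d, _, fs in os.walk(root) for p in (os.path.join(d, f) for f in fs)]

if __name__ == "__main__":
    for c in cluster_by_mtime(SAMPLE):
        print(f"{len(c)} file(s):", ", ".join(c))
    print("logs silent before incident:", stale_logs(SAMPLE, "2000-09-15T02:14:00"))
```

Run against a restored copy, not the original evidence drive, so the analysis itself cannot re-stamp anything; a restore from the block-level tape gives a clean copy again if it does.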