Mark,
  The latest (Sept. 2000) edition of SC Magazine (www.scmagazine.com) has
an article on just this subject.  "dd" was given the SC "Best Buy" award for
its capabilities, although it lacks a strong restore mechanism.  SnapBack
DatArrest v 4.12 from Columbia Data Products (www.cdp.com) received the SC
"Recommended" award even though it does not support Disk2Disk imaging.  The
one product that was not reviewed that I have had personal experience and
training on is ASR Data's Expert Witness (www.asrdata.com).  During the
October '99 SANS conference in New Orleans, Warren Kruse, Lucent's
Investigations Manager, taught an evening session on computer forensics in
which Expert Witness was used; I was one of the lucky few who were able to
attend (it filled up quickly).  This tool does pretty much all of the items
you included in the list.

        1. First and foremost - preserve chain of custody.
           - Does an MD5 hash on each sector copied to verify integrity.
        2. EW2000 has support for several OSs (Windows, Linux, etc.) and
           media types.
           - Hard drives, floppy drives, and other removable media.
        3. Does a sector-by-sector copy of every sector from the original
           media.
           - Includes all unused and unpartitioned space.
        4. Relies on a separate host OS to run so as not to modify any
           original evidence.
           - Needs to have the evidence drive mounted to create image
             files.
        5. A hex-style editor for reading each bit on the drive, with the
           ability to show file properties.
        6. Provides an excellent set of Boolean tools for string search
           capabilities and allows you to create "Case" files which have
           areas for bookmarking and investigator notes.

From my notes, I have that Warren also recommended a site (www.dmares.com)
that has several forensics tools and quite a few links to other forensics
sites.

All of this can be accomplished with dd, grep, strings, and vi, but it's
nice to have it in a unified app with good search and notation capabilities.
Remember, in an investigation: first, preserve chain of custody; second,
NEVER work on the original evidence; and finally, DOCUMENT, DOCUMENT,
DOCUMENT.  "The DOJ guidelines recommend that experts be used in all
computer seizures and searches."

Regards,
Jason Sheffield
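
[Editor's added example, not part of Jason's message and not code from any
of the products he names.] The dd side of the workflow above, written out so
that it can be run against an ordinary file standing in for the evidence
drive: a sector-by-sector acquisition with dd, a whole-image MD5 check of the
copy against the original, a per-sector MD5 list (dd itself does not hash
sectors; this approximates that feature of Expert Witness after the fact), a
comparison that pinpoints which sector of a working copy was altered, and a
one-line custody log entry. It assumes GNU/BSD coreutils (dd, md5sum, paste,
awk, yes, head). The investigator name, log file name and the 8-sector
"evidence" file are constructed for the demo; on a real acquisition the
source would be a block device behind a hardware write blocker, and the
functions never open the source for writing.

```shell
#!/bin/sh
# Added example: forensic imaging with dd plus MD5 verification, run against
# a regular file standing in for the evidence drive (constructed input).
set -u

# Bit-for-bit copy of every sector of $1 into $2, unused and unpartitioned
# space included. conv=noerror,sync keeps going past an unreadable sector and
# pads it with zeros so that later sectors keep their original offsets
# (it also pads a trailing partial block up to 512 bytes).
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# MD5 of a whole file (first field of md5sum's output).
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# Exit status 0 when the image hashes identically to the original. Record
# this before the evidence drive is disconnected and never touch it again.
verify_image() {
    [ "$(md5_of "$1")" = "$(md5_of "$2")" ]
}

# One "sector-number md5" line per 512-byte sector of $1, so that a later
# mismatch can be localized to a sector instead of only failing overall.
sector_hashes() {
    size=$(wc -c < "$1")
    sectors=$(( (size + 511) / 512 ))
    i=0
    while [ "$i" -lt "$sectors" ]; do
        h=$(dd if="$1" bs=512 skip="$i" count=1 2>/dev/null | md5sum | cut -d' ' -f1)
        printf '%s %s\n' "$i" "$h"
        i=$((i + 1))
    done
}

# Given two sector-hash lists of the same length, print the sector numbers
# whose hashes differ, one per line; prints nothing when the lists match.
diff_sectors() {
    paste -d' ' "$1" "$2" | awk '$2 != $4 { print $1 }'
}

# Append a timestamped custody record: who ($1) did what ($2) to which file
# ($3), with its hash at that moment, to the log file $4 (assumed name).
log_custody() {
    printf '%s %s %s md5=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$(md5_of "$3")" >> "$4"
}

# Constructed demo: an 8-sector "drive" is imaged and verified, then a
# working copy is altered inside sector 3 and the per-sector lists are
# compared. Prints the numbers of the changed sectors (here: 3).
forensic_demo() {
    work=$(mktemp -d)
    evid="$work/evidence.raw"
    img="$work/evidence.dd"
    copy="$work/working-copy.dd"

    # 4096 bytes = 8 sectors of repeated text standing in for the evidence.
    yes 'constructed evidence line' | head -c 4096 > "$evid"

    acquire_image "$evid" "$img"
    log_custody "investigator" "acquired-image" "$img" "$work/custody.log"
    verify_image "$evid" "$img" || { echo "image does not match original" >&2; return 1; }
    sector_hashes "$img" > "$work/image.sectors"

    # All analysis happens on a copy of the image, never on the original.
    cp "$img" "$copy"
    # Simulate an accidental write at byte offset 1600 (inside sector 3).
    printf 'X' | dd of="$copy" bs=1 seek=1600 conv=notrunc 2>/dev/null
    sector_hashes "$copy" > "$work/copy.sectors"

    diff_sectors "$work/image.sectors" "$work/copy.sectors"
    rm -rf "$work"
}

forensic_demo
```

Two caveats worth keeping in the case notes: a sector that dd had to pad with zeros under conv=noerror,sync will hash identically in the image and in a later copy, so dd's stderr (its read error messages) should be captured into the custody log as well, and MD5 is the hash the article and the post discuss but is no longer collision resistant, so a SHA-2 hash of the same image should be recorded alongside it.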

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 15, 2000 3:05 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Jason Sheffield;
[EMAIL PROTECTED]
Subject: Forensic ToolKit Recommendation

<snip>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]