Jason,

Now I understand the reason for the post.  I also read the article in SC 
magazine, and wasn't quite sure regarding all the steps they mentioned.

The chain of evidence is a very big one.  I know a few firms that used to 
mark the suspected drive with a dot label.  The problem that I stated with 
this is that there is a possibility of where the dot label originated from, 
blah, blah.  The whole issue is that the suspected drive cannot be added to 
with anything if one wants to introduce a suspected drive as evidence.

/mark

At 11:20 PM 9/15/00 -0400, Jason Sheffield wrote:
>Mark,
>   The latest (Sept. 2000) edition of SC Magazine (www.scmagazine.com) has
>just an article on this subject.  "dd" was given the SC "Best Buy" award for
>its capabilities, although it lacks a strong restore mechanism.  SnapBack
>DatArrest v 4.12 from Columbia Data Products (www.cdp.com) received the SC
>"Recommended" award even though it does not support Disk2Disk imaging.  The
>one product that was not reviewed that I have had personal experience and
>training on is ASR Data's Expert Witness (www.asrdata.com).  During the
>October '99 SANS conference in New Orleans, Warren Kruse, Lucent's
>Investigations Manager taught an evening session on computer forensics, and
>Expert Witness was used and I was one of the lucky few that was able to
>attend (it filled up quickly). This tool does pretty much all of the items
>you included in the list.
>
>         1. First and foremost - Preserve chain of custody
>         -       Does an MD5 hash on each sector copied to verify integrity.
>         2. EW2000 has support for several OS's (Windows, Linux, Etc.) and
>media types
>         -       Hard drives, floppy drives, and other removable media.
>         3. Does a sector-by-sector copy of every sector from the original
>media
>         -       Includes all unused and unpartitioned space.
>         4. Relies on a separate host OS to run so as not to modify any
>original evidence.
>         -       Needs to have the Evidence drive mounted to create image
>files
>         5. A hex-style editor for reading each bit on the drive with the
>ability to show file properties.
>         6. Provides an excellent set of Boolean tools for string search
>capabilities and allows you to create "Case" files which have areas for
>bookmarking and investigator notes.
>
>From my notes, I have that Warren also recommended a site (www.dmares.com)
>that has several forensics tools and quite a few links to other forensics
>sites.
>
>All of this can be accomplished with dd, grep, strings, and vi, but it's
>nice to have it in a unified app with good search and notation capabilities.
>Remember in an investigation, first, preserve Chain of Custody, second,
>NEVER work on the original evidence, and finally, DOCUMENT, DOCUMENT,
>DOCUMENT.  "The DOJ guidelines recommend that experts be used in all
>computer seizures and searches"
>
>Regards,
>Jason Sheffield
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: Friday, September 15, 2000 3:05 PM
>To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]; Jason Sheffield;
>[EMAIL PROTECTED]
>Subject: Forensic ToolKit Recommendation
>
><snip>
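Jason's points 1 and 3 above (a hash on every sector copied, and a copy of every sector including unused space), together with his rule to never work on the original, can be shown in a few dozen lines. The following is an added example, not code from this thread, from dd, or from Expert Witness: a sector-by-sector acquisition that records an MD5 per sector and for the whole image, a verification pass that reports which sectors no longer match, and a raw string search over the image (the manual equivalent of grep/strings). The "evidence drive" is a constructed in-memory byte string standing in for a device file opened read-only; all function names are my own.

```python
import hashlib
import io

SECTOR_SIZE = 512  # conventional sector size; record the real device geometry in the case notes


def image_device(src, dst, sector_size=SECTOR_SIZE):
    """Copy src to dst one sector at a time, touching src only with reads.
    Returns the acquisition record: per-sector MD5 digests, whole-image MD5
    and the number of sectors copied. A short final read (an unpartitioned
    tail smaller than one sector) is copied and hashed as-is."""
    sector_hashes = []
    image_hash = hashlib.md5()
    while True:
        sector = src.read(sector_size)
        if not sector:
            break
        dst.write(sector)
        sector_hashes.append(hashlib.md5(sector).hexdigest())
        image_hash.update(sector)
    return {
        "sectors": len(sector_hashes),
        "sector_md5": sector_hashes,
        "image_md5": image_hash.hexdigest(),
    }


def verify_image(img, record, sector_size=SECTOR_SIZE):
    """Re-read an image and return the indices of sectors whose MD5 differs
    from the acquisition record. An empty list means the image is intact."""
    mismatched = []
    for idx, expected in enumerate(record["sector_md5"]):
        sector = img.read(sector_size)
        if hashlib.md5(sector).hexdigest() != expected:
            mismatched.append(idx)
    if img.read(1):  # image is longer than the record says it should be
        mismatched.append(len(record["sector_md5"]))
    return mismatched


def search_image(img, needle):
    """Return every byte offset at which needle occurs in the image. Because
    the image holds all sectors, this also finds data in unallocated space."""
    data = img.read()
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def build_sample_device():
    """Constructed 'evidence drive': four 'partition' sectors holding live
    files, four unallocated sectors holding the remnant of a deleted note,
    and a 100-byte unpartitioned tail (constructed test data, not a real disk)."""
    partition = b"".join(
        (b"FILE%d.TXT data " % i).ljust(SECTOR_SIZE, b"\x00") for i in range(4)
    )
    unallocated = bytearray(4 * SECTOR_SIZE)
    remnant = b"deleted memo: meeting moved to Friday"
    start = SECTOR_SIZE + 17  # sits in sector 5 of the device, well past the partition
    unallocated[start:start + len(remnant)] = remnant
    tail = b"\xff" * 100
    return partition + bytes(unallocated) + tail


def demo():
    """Acquire the sample device, verify the image, search it, then tamper
    with one byte of a working copy to show the per-sector check locates it."""
    device = build_sample_device()
    image = io.BytesIO()
    record = image_device(io.BytesIO(device), image)  # src is only ever read

    image.seek(0)
    intact = verify_image(image, record)              # expect []
    image.seek(0)
    hits = search_image(image, b"deleted memo")       # found in unallocated space

    tampered = bytearray(image.getvalue())
    tampered[5 * SECTOR_SIZE + 17] ^= 0xFF             # flip a byte inside sector 5
    damaged = verify_image(io.BytesIO(bytes(tampered)), record)

    whole_ok = record["image_md5"] == hashlib.md5(device).hexdigest()
    return record["sectors"], intact, hits, damaged, whole_ok


if __name__ == "__main__":
    print(demo())
```

On a real acquisition `src` would be the device file opened with `open(path, "rb")` and `dst` a new image file; the write-blocker or read-only mount Jason's point 4 alludes to is what keeps the original untouched at the hardware level, this code only refrains from writing to it. The record returned by `image_device` is what goes into the case notes. MD5 is used here because that is what the tools in the thread used; the same structure works with `hashlib.sha256` and a second digest alongside is cheap.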
