Matthew,
Sounds like a great idea to me. Mark??? Do you have any server space where
we could house such a site? I have done some research on available domains,
and it seems that everyone wants a *forensics.* domain. Most of these don't
have any content on them. I did find one on www.computerforensics.net who
is a retired Oakland CA police officer who charges $10k a day to teach DOS
commands and how to recognize file extensions. I did notice that he
utilizes both "Expert Witness" and "Safeback" in his lectures. I'd hate to
be one of his students, or I'd be REALLY pissed at the end of that one day.
It seems that most of the sites are companies that are touting their warez,
not a central repository of information. I do not personally have any CJ
experience, but hey, that has never stopped me on anything else.
Jason
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 22, 2000 4:27 PM
To: Jason Sheffield
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
'[EMAIL PROTECTED]'
Subject: RE: Forensic ToolKit Recommendation
Jason
Holy cow, I'm participating...
I like what I've just seen, although I'm behind on this thread I
think it's the first time it's been demonstrated this way. Maybe it
wasn't even intentional. It was the "First and Foremost" comment, the
start of a ten commandments or industry best practices policy/model. I
wonder if Mark would be willing to host a "Line Item" web site that we
could use to house an accumulation of best practices, especially items
that have been tested in a military or civilian court of law. We could
even include a section with a chart that compares the different toolsets,
their interoperability, pros and cons. Like in the IDS list, we should
set the issue of cost aside.
I've suggested and implemented different process improvements in the
handling of forensics where repudiation is required. These cases included
corporate HR requirements and AFOSI investigations/inquiries; we've come a
long way, yet still no "Industry Best Practices". One of the practices
you listed below was the attention paid to all unused partition space.
What about known stego signatures? There's much, much more, but we have
to keep track of these line items in a central store for all of us to
enjoy the full benefits.
Thanks,
Jason Sheffield <[EMAIL PROTECTED]>
09/15/2000 08:20 PM
To: "'[EMAIL PROTECTED]'"
<[EMAIL PROTECTED]>,
[EMAIL PROTECTED]
cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: Forensic ToolKit Recommendation
Mark,
The latest (Sept. 2000) edition of SC Magazine (www.scmagazine.com) has
an article on just this subject. "dd" was given the SC "Best Buy" award
for its capabilities, although it lacks a strong restore mechanism. SnapBack
DatArrest v 4.12 from Columbia Data Products (www.cdp.com) received the SC
"Recommended" award even though it does not support Disk2Disk imaging. The
one product that was not reviewed that I have had personal experience and
training on is ASR Data's Expert Witness (www.asrdata.com). During the
October '99 SANS conference in New Orleans, Warren Kruse, Lucent's
Investigations Manager, taught an evening session on computer forensics,
and Expert Witness was used; I was one of the lucky few able to attend
(it filled up quickly). This tool does pretty much all of the items you
included in the list.
1. First and foremost - Preserve chain of custody
   - Does an MD5 hash on each sector copied to verify integrity.
2. EW2000 has support for several OSes (Windows, Linux, etc.) and
   media types
   - Hard drives, floppy drives, and other removable media.
3. Does a sector-by-sector copy of every sector from the original media
   - Includes all unused and unpartitioned space.
4. Relies on a separate host OS to run so as not to modify any original
   evidence.
   - Needs to have the Evidence drive mounted to create image files
5. A hex-style editor for reading each bit on the drive with the ability
   to show file properties.
6. Provides an excellent set of Boolean tools for string search
   capabilities and allows you to create "Case" files which have areas for
   bookmarking and investigator notes.
From my notes, I have that Warren also recommended a site (www.dmares.com)
that has several forensics tools and quite a few links to other forensics
sites.
All of this can be accomplished with dd, grep, strings, and vi, but it's
nice to have it in a unified app with good search and notation
capabilities.
Remember in an investigation, first, preserve Chain of Custody, second,
NEVER work on the original evidence, and finally, DOCUMENT, DOCUMENT,
DOCUMENT. "The DOJ guidelines recommend that experts be used in all
computer seizures and searches"
Regards,
Jason Sheffield
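[Editor's example, not part of the original thread.] The "dd, grep, strings, and vi" route Jason mentions is easy to state and easy to get subtly wrong, so here is the acquisition-and-verification part written out as a script: a sector-by-sector copy with dd, a whole-image MD5 check, a per-sector MD5 list of the kind item 1 above attributes to Expert Witness, a keyword search over the image (never over the original), and a demonstration that a single altered byte in a working copy is caught. The "evidence" is a constructed 64 KiB file so the script runs offline; the paths, the case name and the planted string are assumptions made for the example. On a real case EVIDENCE would be the read-only attached device and IMAGE would live on the examiner's own disk.

```shell
#!/bin/sh
# Added example, not code from the thread: dd-based acquisition with hash
# verification of the whole image and of every sector, using only dd,
# md5sum, diff, tr and grep.
# ASSUMPTION: the "evidence" is a constructed 64 KiB file so this runs
# offline; on a real case EVIDENCE would be e.g. /dev/sdb attached read-only.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EVIDENCE="$WORK/evidence.raw"   # constructed stand-in for the original media
IMAGE="$WORK/case001.dd"        # the forensic image all later work runs on
LOG="$WORK/case001.log"         # chain-of-custody notes: timestamps, hashes, dd output
SECTOR=512

# Construct the stand-in drive: zeros, with one string planted at byte 40000,
# i.e. in space no filesystem would claim, so the search step has a target.
make_evidence() {
    dd if=/dev/zero of="$EVIDENCE" bs=1024 count=64 2>/dev/null
    printf 'CONFIDENTIAL: wire transfer 2000-09-15\n' |
        dd of="$EVIDENCE" bs=1 seek=40000 conv=notrunc 2>/dev/null
}

# Sector-by-sector copy of every sector, unused and unpartitioned space
# included. conv=noerror,sync keeps reading past unreadable sectors and pads
# them with zeros so the image stays sector-aligned and the same size.
acquire() {
    printf 'acquisition started %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$LOG"
    dd if="$EVIDENCE" of="$IMAGE" bs="$SECTOR" conv=noerror,sync 2>>"$LOG"
}

md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# Whole-image check: source and image must hash identically. Both values go
# into the log so a second examiner can repeat the verification later.
verify_image() {
    src=$(md5_of "$EVIDENCE")
    img=$(md5_of "$IMAGE")
    printf '%s  source md5\n%s  image md5\n' "$src" "$img" >> "$LOG"
    [ "$src" = "$img" ]
}

# One MD5 per sector. A per-sector list localises a mismatch to a sector
# instead of only reporting that the two files differ somewhere.
sector_hashes() {
    n=$(( $(wc -c < "$1") / SECTOR ))
    i=0
    while [ "$i" -lt "$n" ]; do
        dd if="$1" bs="$SECTOR" skip="$i" count=1 2>/dev/null | md5sum | cut -d' ' -f1
        i=$((i + 1))
    done
}

# Prints how many sectors differ between two files of equal size.
count_sector_mismatches() {
    sector_hashes "$1" > "$WORK/a.hashes"
    sector_hashes "$2" > "$WORK/b.hashes"
    diff "$WORK/a.hashes" "$WORK/b.hashes" | grep -c '^>' || true
}

# Keyword search over the IMAGE, never over EVIDENCE: a poor man's
# strings(1) built from tr, so the script does not need binutils.
count_hits() {
    tr -c '[:print:]' '\n' < "$IMAGE" | grep -c "$1" || true
}

# Work on a copy and damage it (one byte in sector 2). The image itself is
# untouched, so the per-sector comparison pinpoints the change.
tampered_copy_mismatches() {
    cp "$IMAGE" "$WORK/working.dd"
    printf 'X' | dd of="$WORK/working.dd" bs=1 seek=1100 conv=notrunc 2>/dev/null
    count_sector_mismatches "$IMAGE" "$WORK/working.dd"
}

make_evidence
acquire
if verify_image; then echo "image verified against source"; fi
echo "sector mismatches, source vs image:         $(count_sector_mismatches "$EVIDENCE" "$IMAGE")"
echo "sector mismatches, image vs tampered copy:  $(tampered_copy_mismatches)"
echo "hits for CONFIDENTIAL in image:             $(count_hits CONFIDENTIAL)"
```

The log file is the part that matters for chain of custody: it carries the acquisition timestamp, dd's own record count summary (so a short read would show up as a record count that does not match the device), and both hashes side by side. The per-sector hashing is slow in plain shell for anything larger than a demo, but the point it makes holds at any size: a single whole-image hash tells you the image is bad, a per-sector list tells you where.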
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 15, 2000 3:05 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Jason Sheffield;
[EMAIL PROTECTED]
Subject: Forensic ToolKit Recommendation
<snip>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]