One of the Tenets of Digital Forensics is to Assure That the Original Media is Not Altered


7/28/2019 One of the Tenets of Digital Forensics is to Assure That the Original Media is Not Altered

One of the tenets of digital forensics is to assure that the original media is not altered, and that the methods used to create forensic quality copies of media and data assure that the integrity of the original is maintained. This is one of the most important steps. In situations where evidence must be gathered "live," we need to make sure that whatever process is used has been verified beforehand to cause minimal changes to the overall system, and that other professionals given the same set of circumstances would have used the same methodology. Write blocking / prevention mechanisms should be used for imaging media, and thoroughly tested beforehand by the examiner to assure that the mechanism works without fail.
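As an added example (not code from the original document), the pre/post hash verification an examiner records to show that imaging left the original unchanged and that the copy is faithful: the source is hashed before imaging, the stream is hashed as it is copied, the image file is hashed on disk, and the source is hashed again afterwards. The "device" is a constructed file standing in for real media; opening the source read-only in software is not a replacement for the write blocker the text calls for, it only makes the check reproducible here.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks, as an imaging tool would


def hash_file(path):
    """SHA-256 of a file, opened strictly read-only."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_and_verify(source, image):
    """Copy `source` to `image` and return the four hashes plus a verdict.

    The record is only 'verified' when the pre-imaging hash, the hash of the
    bytes as they were streamed, the hash of the image file and the
    post-imaging hash of the original all agree.
    """
    pre_hash = hash_file(source)              # original, before imaging
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)                   # hash the stream as it is copied
            dst.write(block)
    stream_hash = h.hexdigest()
    image_hash = hash_file(image)             # the copy, re-read from disk
    post_hash = hash_file(source)             # original, after imaging
    return {
        "pre": pre_hash, "stream": stream_hash,
        "image": image_hash, "post": post_hash,
        "verified": pre_hash == stream_hash == image_hash == post_hash,
    }


def demo():
    """Constructed sample: a 1 MiB fake device; returns (verified, still_intact)."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "device.bin")
        image = os.path.join(d, "device.dd")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 4096)
        record = acquire_and_verify(source, image)
        # Simulate what a write-block failure would look like: one byte changes,
        # and the post-acquisition hash no longer matches the recorded one.
        with open(source, "r+b") as f:
            f.write(b"\xff")
        still_intact = hash_file(source) == record["pre"]
        return record["verified"], still_intact
```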

There are many fine training programs available. I would recommend Computer Forensics Core Competencies (www.csisite.net/training/core.htm), Certified Computer Examiner (www.cce-bootcamp.com/), or NTI's 5 Day Computer Forensics Course (www.forensics-intl.com/forensic.html) for starters.

All three courses are solid courses which teach the foundation knowledge that every forensic practitioner should possess. Once you've completed one of these, I recommend that you then take vendor specific training from one of the major forensic software vendors such as AccessData (www.accessdata.com) or Guidance Software (www.guidancesoftware.com/). I am also a firm supporter of X-Ways Forensics (www.x-ways.net/training.html), and believe that every forensic examiner should be able to use the tool. At CSI, we use X-Ways Forensics to authenticate and verify the results of other tools.

http://www.csisite.net/tpicq.htm
http://www.csisite.net/gettingstarted.htm
http://www.csisite.net/forensics.htm
http://www.cybersecurityforensicanalyst.com/

X-Ways Forensics is an advanced work environment for computer forensic examiners and our flagship product. It runs under Windows 2000/XP/2003/Vista*/2008*/7*, 32 Bit/64 Bit.

It is based on the WinHex hex and disk editor and part of an efficient workflow model where computer forensic examiners share data and collaborate with investigators that use X-Ways Investigator.

WinHex is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.

http://www.youtube.com/watch?v=wkaBE1LwNWw

Access Data's Forensic Toolkit (FTK). FTK v3


FTK now reads DMG archives and includes native viewers for binary and XML Property Lists (PLIST), SQLite databases, JSON files, B-trees, and Apple Mail. While it is lacking some of the features of the dedicated Mac forensic suites, these new capabilities allow FTK to hold its own and are particularly valuable for organizations that don't have the volume of cases to support a Mac-based forensic workstation.

REMOTE ACQUISITION

With geographically distributed networks being the norm, remote acquisition and preview is a force multiplier and can provide significant cost savings over traditional methods. There are several enterprise forensic products designed to meet this need, but the price can be prohibitive. In FTK v3, some of the functionality from the Access Data enterprise products has filtered down. Remote access works by connecting to an agent on the target system. A built-in option allows a temporary agent to be installed via the network, or a manual install can be performed via other means. Access Data advises that the agent can be installed on all Windows platforms, Windows XP and later. The agent provides the following capabilities:

Acquire image of physical or logical drive
Acquire memory image
Remote mounting of any of the above

FTK now includes a "Volatile" tab, which integrates memory analysis into the GUI. This initial effort isn't likely to replace dedicated tools like Mandiant Memoryze, but allowing memory analysis to take place together with other host-based evidence moves it further along into the mainstream and leverages some interesting parts of the forensic suite.

For you EnCase fans, it should be noted that Takahiro Haruyama has built a set of third-party EnScripts to perform some similar memory analysis tasks in that platform.

http://www.mandiant.com/products/free_software/memoryze/
http://cci.cocolog-nifty.com/blog/2010/02/encase-enscri-1.html