One of the Tenets of Digital Forensics is to Assure That the Original Media is Not Altered
7/28/2019 One of the Tenets of Digital Forensics is to Assure That the Original Media is Not Altered
One of the tenets of digital forensics is to assure that the original media is not altered, and that the methods used to
create forensic-quality copies of media and data assure that the integrity of the original is maintained. This is one of
the most important steps. In situations where evidence must be gathered "live," we need to make sure that whatever
process is used has been verified beforehand to cause minimal changes to the overall system, and that other
professionals given the same set of circumstances would have used the same methodology. Write blocking /
prevention mechanisms should be used for imaging media, and thoroughly tested beforehand by the examiner to
assure that the mechanism works without fail.
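The verification step the paragraph describes, hashing the original before imaging, hashing the image, and hashing the original again to show the acquisition did not alter it, as an added example (not code from the page or from any of the vendors named below). It assumes a plain file standing in for a block device, constructed in a temporary directory; the file names `sdb.raw` and `sdb.dd` are placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB chunks so large media never has to fit in RAM


def hash_stream(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, read once, read-only."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_and_verify(source, image):
    """Copy `source` to `image` and record the three hash sets an examiner wants.

    `verified` is True only when the hash of the source before the copy, the hash
    of the image, and the hash of the source after the copy all agree; the last
    comparison is what shows the acquisition process left the original untouched.
    """
    before = hash_stream(source)
    # Source is opened read-only; the image is created with exclusive-create ("x")
    # so an existing file is never silently overwritten.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before hashing it
    image_hashes = hash_stream(image)
    after = hash_stream(source)
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image,
        "source_hash_before": before,
        "image_hash": image_hashes,
        "source_hash_after": after,
        "verified": before == image_hashes == after,
    }


def reverify(image, expected):
    """Later re-check of an image against the hashes recorded at acquisition time."""
    return hash_stream(image, algorithms=tuple(expected)) == expected


def hash_known_sample():
    """Known-answer check: hash a file containing the bytes b'abc'."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "abc.bin")
        with open(p, "wb") as fh:
            fh.write(b"abc")
        return hash_stream(p)


def demo():
    """Run the workflow on a constructed stand-in for a device, then corrupt the
    image by one byte and show that re-verification catches it."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "sdb.raw")  # constructed, not a real device
        image = os.path.join(d, "sdb.dd")
        with open(source, "wb") as fh:
            fh.write(b"MBR\x55\xaa" + bytes(range(256)) * 4096)
        record = acquire_and_verify(source, image)
        with open(image, "r+b") as fh:  # simulate a damaged or altered image
            fh.seek(4096)
            b = fh.read(1)
            fh.seek(4096)
            fh.write(bytes([b[0] ^ 0xFF]))
        return record["verified"], reverify(image, record["image_hash"])


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The record returned by `acquire_and_verify` is the kind of thing that goes into the acquisition notes: two independent digests, the time, and the fact that the original hashed the same after imaging as before. On real media the source would be opened through a hardware or software write blocker; the before/after comparison then doubles as a test that the blocker did its job.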
There are many fine training programs available. I would recommend Computer Forensics Core Competencies
(www.csisite.net/training/core.htm), Certified Computer Examiner (www.cce-bootcamp.com/), or NTI's 5 Day
Computer Forensics Course (www.forensics-intl.com/forensic.html) for starters.
All three courses are solid courses which teach the foundation knowledge that every forensic practitioner should
possess. Once you've completed one of these, I recommend that you then take vendor specific training from one of
the major forensic software vendors such as AccessData (www.accessdata.com) or Guidance Software
(www.guidancesoftware.com/). I am also a firm supporter of X-Ways Forensics (www.x-ways.net/training.html), and
believe that every forensic examiner should be able to use the tool. At CSI, we use X-Ways Forensics to authenticate
and verify the results of other tools.
http://www.csisite.net/tpicq.htm
http://www.csisite.net/gettingstarted.htm
http://www.csisite.net/forensics.htm
http://www.cybersecurityforensicanalyst.com/
X-Ways Forensics is an advanced work environment for computer forensic examiners and our flagship product. It
runs under Windows 2000/XP/2003/Vista*/2008*/7*, 32 Bit/64 Bit.
It is based on the WinHex hex and disk editor and part of an efficient workflow model where computer forensic
examiners share data and collaborate with investigators that use X-Ways Investigator.
WinHex is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data
recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and
edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.
http://www.youtube.com/watch?v=wkaBE1LwNWw
Access Data's Forensic Toolkit (FTK), FTK v3 (http://www.accessdata.com/forensictoolkit.html)
FTK now reads DMG archives and includes native viewers for binary and XML Property Lists (PLIST), SQLite
databases, JSON files, B-trees, and Apple Mail. While it is lacking some of the features of the dedicated Mac forensic
suites, these new capabilities allow FTK to hold its own and are particularly valuable for organizations that don't have
the volume of cases to support a Mac-based forensic workstation.
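Two of the artifact types listed above, binary property lists and SQLite databases, can be read with the Python standard library. The following added example (mine, not FTK's code or anything from the page) shows how to do that in line with the tenet the page opens with: the SQLite file is opened read-only and marked immutable so no journal or WAL side files are created next to the evidence, and an attempted write through that connection is refused. The plist and database contents are constructed in a temporary directory; `com.example.prefs.plist` and `History.db` are placeholder names.

```python
import os
import plistlib
import sqlite3
import tempfile
from urllib.request import pathname2url


def read_plist(path):
    """plistlib.load handles both binary and XML property lists."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def query_sqlite_readonly(path, sql):
    """Run a SELECT against an evidence database without touching it.

    mode=ro refuses writes; immutable=1 tells SQLite the file cannot change
    underneath it, so it takes no locks and creates no -journal/-wal/-shm files.
    """
    uri = "file:" + pathname2url(os.path.abspath(path)) + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()


def build_samples(d):
    """Constructed sample artifacts; values are made up for the demo."""
    plist_path = os.path.join(d, "com.example.prefs.plist")
    with open(plist_path, "wb") as fh:
        plistlib.dump({"LastLogin": "2019-07-28", "AutoLogin": True},
                      fh, fmt=plistlib.FMT_BINARY)
    db_path = os.path.join(d, "History.db")
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE visits(url TEXT, ts INTEGER)")
    con.executemany("INSERT INTO visits VALUES (?, ?)", [
        ("http://example.test/a", 1564272000),
        ("http://example.test/b", 1564272060),
    ])
    con.commit()
    con.close()
    return plist_path, db_path


def demo():
    with tempfile.TemporaryDirectory() as d:
        plist_path, db_path = build_samples(d)
        prefs = read_plist(plist_path)
        rows = query_sqlite_readonly(
            db_path, "SELECT url, ts FROM visits ORDER BY ts")
        # A write through the read-only connection must fail.
        try:
            query_sqlite_readonly(db_path, "DELETE FROM visits")
            write_blocked = False
        except sqlite3.OperationalError:
            write_blocked = True
        # Confirm no journal/WAL side files appeared beside the evidence file.
        side_files = sorted(f for f in os.listdir(d) if f.startswith("History.db-"))
        return {
            "auto_login": prefs["AutoLogin"],
            "last_login": prefs["LastLogin"],
            "visit_count": len(rows),
            "first_url": rows[0][0],
            "write_blocked": write_blocked,
            "side_files": side_files,
        }


if __name__ == "__main__":
    print(demo())
```

The `immutable=1` flag is the detail worth remembering: a plain read-only open still lets SQLite look for and, in some configurations, create lock and journal files in the evidence directory, whereas an immutable open treats the file as a static blob, which is exactly what a database carved out of a verified image is.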
REMOTE ACQUISITION
With geographically distributed networks being the norm, remote acquisition and preview is a force multiplier and can
provide significant cost savings over traditional methods. There are several enterprise forensic products designed to
meet this need, but the price can be prohibitive. In FTK v3, some of the functionality from the Access Data enterprise
products has filtered down. Remote access works by connecting to an agent on the target system. A built-in option
allows a temporary agent to be installed via the network, or a manual install can be performed via other means.
Access Data advises that the agent can be installed on all Windows platforms, Windows XP and later. The agent
provides the following capabilities:
Acquire image of physical or logical drive
Acquire memory image
Remote mounting of any of the above
FTK now includes a "Volatile" tab, which integrates memory analysis into the GUI. This initial effort isn't likely to
replace dedicated tools like Mandiant Memoryze, but allowing memory analysis to take place together with other
host-based evidence moves it further along into the mainstream and leverages some interesting parts of the forensic suite.
For you EnCase fans, it should be noted that Takahiro Haruyama has built a set of third-party EnScripts to perform
some similar memory analysis tasks in that platform.
http://www.mandiant.com/products/free_software/memoryze/
http://cci.cocolog-nifty.com/blog/2010/02/encase-enscri-1.html