Although you can collect evidence from a computer using dd, integrity
check it using md5, and analyse it as you please afterwards, the process
is cumbersome, time-consuming and not as reliable as specialized evidence
processing software.

EnCase is specifically designed for collecting evidence and is very useful
in the collection, documentation, and analysis phases. It has been widely
accepted by courts - a key consideration if you intend to carry an
investigation through to its logical conclusion. In the past,
investigators who did not collect evidence from computers using the best
available forensic tools have been faulted when the evidence is presented
in court.

EnCase (http://www.guidancesoftware.com) and Expert Witness
(http://www.asrdata.com) come from the same code base, but EnCase appears
to have a better development team and has added many powerful features to
the EnCase product in the past year that are not available in Expert
Witness.

Safeback (http://www.sydex.com/) in combination with Ilook
(http://www.spnc.demon.co.uk/ilook/ilook.htm) have similar capabilities
but are only available to law enforcement.

DIBS (http://www.computer-forensics.com/), ForensiX
(http://all.net/ForensiX/index.html), and The Coroner's Toolkit
(http://www.porcupine.org/forensics/) are other tools that can be used to
collect, document and analyse evidence.

The Coroner's Toolkit is of particular interest because there are some
novel concepts in the approach that Venema and Farmer have taken to
collecting evidence from a computer. I expect that this will cause some
controversy and change the way that many experts operate. For one, this
toolkit breaks the long-standing rule - do not operate the suspect system.
There are many good reasons to break this rule, including: you must
operate the computer to determine if a crime has been committed; you want
to capture data that will be lost when the system is powered down; you
cannot power down the system.
Eoghan
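The dd-and-hash acquisition Eoghan describes in his first paragraph, and Frank's question below about how software can preserve chain of custody, as an added shell example that is part of neither message. It assumes GNU coreutils (dd, sha256sum, cut) and uses SHA-256 instead of the md5 mentioned above (an assumption; MD5 is no longer collision-resistant). The evidence file, the OPERATOR name and the paths are constructed placeholders; the custody log format is invented for this example.

```shell
#!/bin/sh
# Added example, not from the original mail thread.
# Image a source with dd, verify the copy by digest, and append one
# custody record per acquisition so a later check can prove the image
# is still the bytes that were collected.
set -u

# hash_of FILE -> prints the SHA-256 digest of FILE (sha256sum assumed)
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE with dd, hashes both, and appends the result to LOG.
# Returns 0 only when source and image digests match.
acquire_image() {
    src=$1; img=$2; log=$3
    # Hash the source first so the record reflects its state at acquisition time.
    src_hash=$(hash_of "$src") || return 1
    # Plain dd copy. Note: conv=noerror,sync would pad short blocks with zeros
    # and change the image digest, so it is deliberately not used here.
    dd if="$src" of="$img" bs=4k 2>/dev/null || return 1
    img_hash=$(hash_of "$img") || return 1
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$src_hash" = "$img_hash" ]; then
        verdict=VERIFIED
    else
        verdict=MISMATCH
    fi
    # Append-only custody line: who, when, where, what, and both digests.
    # OPERATOR is a placeholder environment variable for the examiner's name.
    printf '%s host=%s operator=%s source=%s image=%s sha256=%s image_sha256=%s result=%s\n' \
        "$stamp" "$(hostname 2>/dev/null || echo unknown)" "${OPERATOR:-examiner}" \
        "$src" "$img" "$src_hash" "$img_hash" "$verdict" >> "$log"
    [ "$verdict" = VERIFIED ]
}

# verify_image IMAGE LOG
# Returns 0 if IMAGE still hashes to the verified digest recorded for it in LOG.
# Any modification to the image after acquisition makes this fail.
verify_image() {
    img=$1; log=$2
    grep -F "image=$img " "$log" \
        | grep -Fq "image_sha256=$(hash_of "$img") result=VERIFIED"
}

# demo_run: builds a constructed evidence file in a temp dir and runs the flow.
demo_run() {
    d=$(mktemp -d)
    printf 'constructed evidence bytes, not real data\n' > "$d/evidence.bin"
    acquire_image "$d/evidence.bin" "$d/evidence.dd" "$d/custody.log" \
        && verify_image "$d/evidence.dd" "$d/custody.log" \
        && echo "acquired and verified; log at $d/custody.log"
}

[ "${1:-}" = demo ] && demo_run
```

Run the script with the single argument `demo` to see the flow end to end. The point of the log line is that the digest, the time, the host and the operator are recorded together at acquisition; re-running verify_image later shows whether the image is still what was collected, which is the part of chain of custody that software can actually enforce.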
On Fri, 15 Sep 2000, Frank Knobbe wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Has anyone had real world experience with EnCase (from Guidance
> Software, http://www.guidancesoftware.com)?
>
> > -----Original Message-----
> > From: Jason Sheffield [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, September 15, 2000 10:37 PM
> >
> > [...]
> > 1. First and foremost - Preserve chain of custody
>
> How can software do that?
>
>
> Frank
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.1
> Comment: PGP or S/MIME (X.509) encrypted email preferred.
>
> iQA/AwUBOcL6QERKym0LjhFcEQIWrQCg4zcjlGJBfeoAtLTprKjaGC/VjsAAoIkx
> rWLVRCVObWfn4gC9Na6llwUE
> =oORs
> -----END PGP SIGNATURE-----
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]