As was mentioned earlier, if the evidence is ever going to be used in a court (or similar venue), you must maintain a good chain of evidence and do your investigative work with a forensic copy that was made from the original with a write-protection device (or similar technology) used between the source and the machine doing the copying.
On Wed, Apr 30, 2014 at 2:29 PM, Matthew W. Ross <[email protected]> wrote:

> If at all possible, I leave the suspect drive untouched. I have read that you can compromise your evidence if you try to do your work on the drive itself. This makes sense: any deleted items still exist on the drive until the freed-up sectors are overwritten by the drive's use.
>
> I will usually make a backup using Redo Backup, which is a nice livecd (Or PXE boot... Hrm, I need to work on that...) for making a sector-for-sector copy. It allows me to keep a copy of the drive on a server, then create my forensics target on a spare drive. I put the spare drive into a different computer as a slave to run my tests.
>
> Using this method, I can recover deleted files from the forensics copy of the drive.
>
> --Matt Ross
> Ephrata School District
>
> Mike Tobias <[email protected]> , 4/30/2014 9:49 AM:
>
> I'm noting these recommendations too, even though I didn't start the thread. Interesting that you would run this on the copy and not the original. Are you making sector by sector copies that also somehow copy deleted files to the target?
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Matthew W. Ross
> Sent: Wednesday, April 30, 2014 12:19 PM
> To: [email protected]
> Subject: Re: [NTSysADM] Forensic Software Undelete / Recovery
>
> Pro-active? No idea.
>
> When we have to collect evidence, we do the following:
>
> 1. Confiscate the hardware.
> 2. Make copies.
> 3. Run discovery software. If you can, do this on the copy you made, not the original.
>
> The software we use is OSForensics, the free edition. I'm sure there are some much beefier programs out there.
>
> Also useful (for us in particular) is the BrowsingHistoryView from NirSoft. It allows you to quickly create a view of all browsing history on a computer broken down by user, which is often what we need to investigate.
>
> --Matt Ross
> Ephrata School District
>
> John Bonner <[email protected]> , 4/29/2014 8:44 PM:
>
> Hello,
>
> I am looking for some recommendations on forensics recovery software. I (the company really) am willing to throw some $$$ at it as well. We often (not always) have proprietary / patentable information exposed to us by our clients and are looking for a way to handle a situation should it arise with an employee.
>
> I am interested in two things.
>
> 1. Posthumous recovery. Deleted files / browser cache / history to see what sites were visited / recover deleted files and such.
> 2. Pro-active monitoring that we could incorporate into our base install. Something that runs unbeknownst and perhaps when files are "deleted" really are moved to a secret partition or along those lines.
>
> I personally have used r-tools and have been pleased with the results but I think the execs are looking for a more enterprise grade product.
>
> Thank You for your thoughts / recommendations
>
> JB
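The acquisition workflow the thread describes (sector-for-sector copy, work only on the copy, keep a chain of evidence) can be made concrete in a few lines of shell. The script below is an added example, not code from anyone on this list: it images a source with dd, hashes the original and the image, records both hashes in a custody log, and lets you re-verify the working copy later. It assumes `dd`, `sha256sum` and `awk` are available; the `acquire`, `verify` and `demo` function names, the log format and the sample "drive" are all constructed for the example. In real use SRC would be the block device sitting behind a hardware write blocker, as the message above requires.

```shell
#!/bin/sh
# Added example (not from the thread): sector-for-sector acquisition with dd,
# hash verification of the copy, and a simple chain-of-custody log.
# Assumption: SRC is presented read-only by a hardware write blocker; here a
# constructed file stands in for it so the script runs offline.

# acquire SRC IMAGE LOG
# Copies SRC to IMAGE sector by sector, hashes both and appends the hashes to
# LOG. Returns 0 when the image hash matches the source hash, 1 otherwise.
acquire() {
    src="$1"; image="$2"; log="$3"
    # Reference hash of the original, taken before anything else touches it.
    src_hash=$(sha256sum "$src" | cut -d ' ' -f 1)
    # bs=512 matches the sector size; conv=noerror,sync continues past
    # unreadable sectors and zero-fills them so offsets in the image still
    # line up with the source. Stderr (dd's record counts) is discarded.
    dd if="$src" of="$image" bs=512 conv=noerror,sync 2>/dev/null
    image_hash=$(sha256sum "$image" | cut -d ' ' -f 1)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s\tsource\t%s\t%s\n' "$stamp" "$src" "$src_hash" >> "$log"
    printf '%s\timage\t%s\t%s\n' "$stamp" "$image" "$image_hash" >> "$log"
    if [ "$src_hash" = "$image_hash" ]; then
        printf '%s\tverified\n' "$stamp" >> "$log"
        return 0
    fi
    printf '%s\tMISMATCH\n' "$stamp" >> "$log"
    return 1
}

# verify IMAGE LOG
# Re-hashes IMAGE and compares it with the hash recorded for it in LOG, so
# later analysis can show the working copy is still the one that was acquired.
verify() {
    image="$1"; log="$2"
    logged=$(awk -v f="$image" -F '\t' '$2=="image" && $3==f {h=$4} END{print h}' "$log")
    current=$(sha256sum "$image" | cut -d ' ' -f 1)
    [ -n "$logged" ] && [ "$logged" = "$current" ]
}

# demo
# Constructed 1 MiB "drive" with a marker string written straight into a
# sector, standing in for data left behind in freed sectors after a delete.
# Returns 0 when acquisition, remnant preservation and tamper detection all
# behave as expected.
demo() {
    work=$(mktemp -d)
    dd if=/dev/zero of="$work/drive.bin" bs=512 count=2048 2>/dev/null
    printf 'CONSTRUCTED-DELETED-FILE-REMNANT' |
        dd of="$work/drive.bin" bs=512 seek=1000 conv=notrunc 2>/dev/null
    acquire "$work/drive.bin" "$work/drive.img" "$work/custody.log" || return 1
    # The remnant survives in the image because the copy is sector-for-sector,
    # not file-by-file.
    grep -q 'CONSTRUCTED-DELETED-FILE-REMNANT' "$work/drive.img" || return 1
    verify "$work/drive.img" "$work/custody.log" || return 1
    # Any change to the working copy is caught on re-verification.
    printf 'x' | dd of="$work/drive.img" bs=1 seek=0 conv=notrunc 2>/dev/null
    if verify "$work/drive.img" "$work/custody.log"; then return 1; fi
    rm -rf "$work"
    return 0
}
```

Run `demo` to exercise the whole cycle on the constructed drive, or call `acquire /dev/sdX /evidence/case.img /evidence/custody.log` against a write-blocked device. The log keeps the source hash, the image hash and the verification verdict with a UTC timestamp, which is the minimum a reviewer will ask for when the copy is challenged; keep the original device untouched after acquisition and do all recovery work on the image, as the thread advises.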

