Tyler,
Is this the first case your prosecuting attorney has had relating to
digital data evidence?
If not, ask them what or who they used the last time and contact them for
advice. If this is the first case or bad outcomes came from the previous
case(s) I would suggest contacting your local InfraGard
(http://www.infragard.net/) chapter. Along with that, look into any
local universities that may be teaching any type of forensic classes;
they would have at least a brief overview on how to handle the
evidence. An example of what I am talking about is here:
http://www.starkstate.edu/academics/it_tech/cybersecur.htm or
http://www.starkstate.edu/academics/it_tech/cybersecur/digital-forensics.htm
- try and locate the professor teaching these classes, then reach out
with your story asking for advice.
Also look at SANS Computer Forensics and reach out to Rob Lee; he has
produced some really good articles and posts on these topics. Along
with Mr. Lee you might look at Chris Gerling from the Securabit podcast; he
has talked about forensic classes and his personal experiences with
digital forensics, and he would be a good resource.
As for software, I have only used Helix prior to 3.0 (the paid version),
and I am unsure if Chris Gerling and Marcus Carey have officially
released Sumo Linux, which was to take the place of Helix as an open
source solution.
Contact Scott Moulton, http://www.forensicstrategy.com/; he has a good
number of videos on YouTube showing things he has done, and he is also
really nice and helpful if you have questions.
Some other useful things might be:
http://www.myharddrivedied.com/computer_forensics.html
http://www.irongeek.com/i.php?page=videos/advanced-data-recovery-forensic-scott-moulton
http://www.irongeek.com/i.php?page=videos/data-carving-with-photorec-to-retrieve-deleted-files-from-formatted-drives-for-forensics-and-disaster-recovery
http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots
http://blog.dojosec.com/
http://www.opensourceforensics.org/tools/unix.html
http://www.opensourceforensics.org/tools/windows.html
I know when I started working on live memory forensics, local law
enforcement and universities had a hard time giving me a proper chain
of custody procedure because of how new this area is. It did seem,
though, that everyone I spoke to stressed the importance of chain of
custody and the contamination of the evidence during the recovery.
I am sorry this is not a better or more detailed answer to your question, but I hope
others can add to this or that something I have listed will lead you in the right
direction.
Please keep us in the loop as you find your answers. Thanks,
- Robert
arch3angel
On 12/9/2009 12:55 PM, Tyler Robinson wrote:
Hey all, looking for some of the fantastic advice that the pauldotcom
listeners always provide. I am helping our prosecuting attorney with
evidence from a hard drive. I am wondering what software everyone is
using to make the drive images, and if anyone knows of a good website
that has all the proper forms (e.g. digital chain of custody) and also
some checklists or guidelines. I know that Helix is a widely accepted
Linux distro for this sort of thing but don't have much experience with
it. I also have a copy of FTR and have worked with it a bit. So any
advice at all is always appreciated. Thanks again, and thanks to Paul
and Larry for bringing together such a dynamic group of security
professionals and a great show.
--
Tyler Robinson
Owner of Computer Impressions and Tactical Network Security
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
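Both messages above turn on the same two points: making a drive image, and being able to show later that the copy was not altered during recovery (the chain of custody and contamination concerns Robert raises). The script below is an added example written for this page, not code from either poster or from any of the tools they mention. It images a source read-only, hashes the bytes as they are acquired, re-hashes the finished image, and appends each step to a JSON-lines custody log. The "drive" is a constructed temporary file, and the case id, handler name and log format are hypothetical stand-ins for whatever forms a prosecutor's office actually requires.

```python
"""Added example (not from the thread): image a source, verify the image by
hash, and record each handling step in a chain-of-custody log.

Assumptions (hypothetical): the source is a file standing in for a block
device, the image is a bit-for-bit copy, and the custody log is JSON lines.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash and copy in 1 MiB chunks so large images need little RAM


def sha256_file(path):
    """SHA-256 of a file, streamed so it works on multi-GB images."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_source(source, image):
    """Copy source to image byte-for-byte; return the SHA-256 of what was read.

    The source is opened read-only so nothing is written back to it. The hash
    is computed in the same pass as the copy, so it describes exactly the
    bytes that were acquired.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def log_custody(log_path, case_id, action, handler, detail):
    """Append one timestamped custody entry (hypothetical log format)."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "case_id": case_id,
        "action": action,
        "handler": handler,
        **detail,
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image, expected_sha256):
    """True only if the image still hashes to the value recorded at acquisition."""
    return sha256_file(image) == expected_sha256


def acquire_and_verify(source, image, log_path, case_id, handler):
    """Image the source, re-hash the image, log both steps, return the outcome.

    A mismatch means the copy cannot be relied on and must be re-acquired.
    """
    acquired = image_source(source, image)
    log_custody(log_path, case_id, "acquire", handler,
                {"source": source, "image": image, "sha256": acquired})
    verified = verify_image(image, acquired)
    log_custody(log_path, case_id, "verify", handler,
                {"image": image, "sha256": sha256_file(image), "verified": verified})
    return {"acquired_sha256": acquired, "verified": verified}


def read_log(log_path):
    with open(log_path) as f:
        return [json.loads(line) for line in f if line.strip()]


def demo():
    """Whole flow on a constructed 4 MiB 'drive', then a deliberate tamper check."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "fake_drive.bin")
    image = os.path.join(workdir, "evidence.dd")
    log_path = os.path.join(workdir, "custody.jsonl")
    with open(source, "wb") as f:          # constructed sample data
        f.write(os.urandom(4 * CHUNK))
    result = acquire_and_verify(source, image, log_path, "CASE-EXAMPLE-001", "examiner")
    with open(image, "ab") as f:           # simulate later contamination of the copy
        f.write(b"\x00")
    tampered_still_verifies = verify_image(image, result["acquired_sha256"])
    return {"result": result, "entries": read_log(log_path),
            "tampered_still_verifies": tampered_still_verifies}


if __name__ == "__main__":
    out = demo()
    print("verified at acquisition:", out["result"]["verified"])
    print("verifies after tampering:", out["tampered_still_verifies"])
    for e in out["entries"]:
        print(e["timestamp"], e["action"], e["sha256"])
```

The design point is that the hash recorded in the log comes from the bytes read during acquisition, not from a second read of the source, so the log entry and the image can be checked against each other by anyone who later handles the copy; the tamper check at the end shows what a contaminated image looks like to that check.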