All great advice. I just did some demos for the sysadmins at work on several Forensic Image packages available. Here are some notes that might help and save you some time.
Helix Pro 3 - must purchase
 - Easy to use
 - Can be used as a Live or Bootable CD
 - Includes hashing capabilities.
 - Includes a "Receiver" server for receiving multiple images on a network.
 - Supported on Windows, Mac, and Linux
 - Support via Forums and Email
 - Includes auto generated Chain of Custody Forms
 - Bootable CD - Marks all mounted drives as read only by default
 - Live CD - Run from within OS, touches OS but they have this well documented
 - Some notes on using Bootable Option (if you have issues): Enable Safe Mode Video (F4) and acpi=off "Advanced Configuration and Power Interface" (F6) on the boot menu.
 - Note: You must manually mount destination disk as read/write via interface

Raptor - free at http://www.raptorforensics.com
 - Bootable CD raw image utility based on Ubuntu, interface a bit more clumsy compared to Helix but it works and it is free

Dcfldd - free at http://dcfldd.sourceforge.net/
 - Live CD raw image utility - windows or linux - cmd line only

Live View 0.7b - free (can convert Image files into a VM) at http://liveview.sourceforge.net/
 - Provides an easy to use interface that can create read only .vmdk from a raw image or physical disk.
 - Will disable networking within VMWare automatically
 - Can run a cryptographic checksum on the image before and after booting to verify the integrity of the evidence
 - Support for all versions of Windows and some Linux
 - Supports VMWare Workstation 5.5+ or Server 1.X (does not support Server 2.X yet)
 - Can be used with a single image file or split images

Also FTK rocks for mounting read only and carving out what you want. It also has a "lite" version that will run off a USB device.

Hope this helps.
Tim

On Wed, Dec 9, 2009 at 5:32 PM, Tyler Robinson <[email protected]> wrote:
> Thank you guys so much, it is awesome to have such a fantastic resource to
> turn to. All the advice is really welcome; looks like tons of reading tonight.
> The counties I work for are a bit behind when it comes to security and
> proper procedure, that was the reason I am here, so ya, their digital evidence
> procedure is non-existent. I am hoping to get them to send me to a SANS
> training, hopefully Vegas, but until then I have to learn on the fly, so again
> I appreciate all the feedback so quickly.
>
> On Dec 9, 2009 3:16 PM, "xgermx" <[email protected]> wrote:
>
> If this is going to court I would leave it to a professional, but if you
> really want to get your hands dirty EnCase is pretty much the digital
> forensics standard and FTK is a close second.
>
> On Wed, Dec 9, 2009 at 11:55 AM, Tyler Robinson <[email protected]> wrote:
>> Hey all looking for some of the fantastic advice that the pauldotcom
>> listeners always provide. I...
>>
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]...

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
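The notes above keep coming back to two things every imaging tool in the list does for you: take a raw image and hash it so the evidence can be shown to be unchanged later. The script below is an added example (not code from the thread or from any of the tools named in it) that does the same with plain dd and sha256sum: it hashes the source, images it, hashes the image, records both hashes with a timestamp, and can re-verify the image against that record later. The "source device" is a constructed 1 MiB file of random bytes so the script runs offline; in real use you would point it at a block device mounted read-only, as the notes on Helix describe. File names and the log format are this example's own choices.

```shell
#!/bin/sh
# Added example: raw imaging with integrity verification using dd + sha256sum.
# Assumes a POSIX shell with coreutils (dd, sha256sum, cut, sed, date).
set -eu

# Constructed stand-in for a source device (/dev/sdX would be the real thing):
# 1 MiB of random bytes, a whole multiple of the 4 KiB block size used below.
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=1024 count=1024 2>/dev/null
}

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Image SRC to DEST and write an acquisition record to LOG.
# Returns 0 only when the source hash and the image hash match.
acquire_and_verify() {
    src="$1"; dest="$2"; log="$3"
    src_hash=$(sha256_of "$src")          # hash taken before imaging
    # conv=noerror,sync keeps going past read errors and pads bad blocks,
    # so the image stays block-aligned with the source.
    dd if="$src" of="$dest" bs=4096 conv=noerror,sync 2>/dev/null
    img_hash=$(sha256_of "$dest")         # hash taken after imaging
    printf 'source=%s\nimage=%s\nsrc_sha256=%s\nimg_sha256=%s\nacquired_utc=%s\n' \
        "$src" "$dest" "$src_hash" "$img_hash" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$log"
    [ "$src_hash" = "$img_hash" ]
}

# Re-check DEST against the image hash recorded in LOG at acquisition time.
# Returns non-zero if even one byte of the image has changed since.
verify_image() {
    dest="$1"; log="$2"
    expected=$(sed -n 's/^img_sha256=//p' "$log")
    actual=$(sha256_of "$dest")
    [ "$expected" = "$actual" ]
}

# Stand-alone demo: ./image_verify.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_sample_source "$work/src.bin"
    acquire_and_verify "$work/src.bin" "$work/src.dd" "$work/acquisition.log" \
        && echo "image matches source" || echo "HASH MISMATCH"
    cat "$work/acquisition.log"
    verify_image "$work/src.dd" "$work/acquisition.log" && echo "re-verify ok"
    rm -rf "$work"
fi
```

The acquisition log is the minimum a chain-of-custody form needs from the imaging step: what was imaged, where the image went, the two hashes and when. Re-running verify_image before any analysis session, and again after, is the same before-and-after check the Live View notes describe.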
