Ethical Hacker Community Forums
January 09, 2009, 06:14:40 AM
Show Posts
1
Ethical Hacking Discussions and Related Certifications / Hardware / Re: USB Write Blocker
on: December 11, 2008, 05:45:04 PM
We use the Digital Intelligence ones too. Helix, Raptor, and a couple of other forensics boot discs work very well too. You still have to be careful.
One other we use in case of emergency and as a last option is the USB write protect option in XP and Vista. You can configure this through Group Policies or the Registry. There is also software that will switch the setting on and off nicely. From what I understand, this method has been used a few times and was accepted in court.
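The registry-based write protect the post refers to is the StorageDevicePolicies\WriteProtect value that Windows XP SP2 and later honour for USB mass-storage devices. The PowerShell below is an added example, not code from the post or from the forum; the function names are this example's own, and it must run from an elevated session. It sets the flag, reads it back so the state can be recorded, and probes a sacrificial test drive (never the evidence drive) to confirm that writes are actually refused.

```powershell
# Added example (not from the forum post): set, read back and verify the
# Windows USB mass-storage write-protect flag. Key and value name are the
# ones Windows reads (XP SP2 and later); function names are assumptions of
# this example. Requires an elevated (Administrator) session.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # $true when WriteProtect is 1; a missing key or value means it is off.
    if (-not (Test-Path $RegPath)) { return $false }
    $v = Get-ItemProperty -Path $RegPath -Name WriteProtect -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.WriteProtect -eq 1)
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory)][bool]$Enabled)
    # The key does not exist on a default install, so create it on demand.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    $value = if ($Enabled) { 1 } else { 0 }
    New-ItemProperty -Path $RegPath -Name WriteProtect -PropertyType DWord `
        -Value $value -Force | Out-Null
    # Read the setting back so the caller logs what was actually applied.
    return Get-UsbWriteProtect
}

function Test-UsbWriteProtect {
    param([Parameter(Mandatory)][string]$DriveLetter)
    # Try to create a file on the attached TEST drive and report whether the
    # write was refused. Only ever point this at a sacrificial drive.
    $root  = "{0}:\" -f $DriveLetter.TrimEnd(':')
    $probe = Join-Path $root 'writeblock-probe.txt'
    try {
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        return $false   # write succeeded: the device is NOT protected
    } catch {
        return $true    # write refused: protection is in effect
    }
}

# Usage (example): enable, record the state, then verify on a test drive.
# Set-UsbWriteProtect -Enabled $true
# Get-UsbWriteProtect
# Test-UsbWriteProtect -DriveLetter 'E'
```

The flag only covers USB mass-storage (USBSTOR) devices and is applied when a device is enumerated, so set it before attaching the drive and re-plug anything already connected. Keep the read-back value and the probe result in the acquisition notes, and treat this as the fallback the post describes rather than a replacement for a hardware blocker.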

4
Ethical Hacking Discussions and Related Certifications / Programming / Re: Using Assembly to access locked files
on: November 24, 2008, 01:34:14 PM
Hmm, DLL injection may be an option. I hadn't thought of that. What I am trying to do is mainly copy certain files for offline analysis while the machine is running. For example, I am trying to copy pagefile.sys and SYSTEM (registry). I don't need to view or delete them from the default location.
I can get these files by doing a complete live image, but that type of acquisition has other issues, like bit shifting and time requirements.

7
Ethical Hacking Discussions and Related Certifications / Programming / Using Assembly to access locked files
on: November 20, 2008, 10:28:43 PM
Hey all,
Pardon my Assembly ignorance. I am wondering if you can use Assembly language to access files locked for exclusive access by Windows. For example, can I use Assembly to gain read access to Index.dat or the Swap File? I am not entirely sure how you go about doing this since Windows locks files based on their Handles. Since Assembly has lower level access, I am wondering if there are ways to circumvent file locks. Anyone have experience with this?
Numerous hex editors have circumvented file locks by reconstructing the file system on the fly. I wonder if there is an easier way.

8
Ethical Hacking Discussions and Related Certifications / Forensics / Re: Gaining experience... first steps
on: November 18, 2008, 11:38:18 PM
Most of my clients are lawyers. They tend to favor established relationships and word of mouth advertising. From my experience, it's difficult to get your foot in the door. Once you are in, you are in until you screw up. You also don't want to offer forensic services without proper experience to back it up. Not only will you lack investigative skills and procedural knowledge, you will get killed on the stand. Word gets around fast in the forensics community and you won't keep your job for long.

9
Ethical Hacking Discussions and Related Certifications / Forensics / Re: It's time to get that data back!
on: November 18, 2008, 11:34:51 PM
Foremost is an awesome tool. I really think its data carving ability beats most of the commercial tools.
One thing you can try is a couple of inexpensive tools that do a search for lost partitions. You may be lucky and be able to recreate the lost partition. TestDisk is one such tool. I have used it before with much success. If you have access to EnCase or X-Ways Forensics, they both have some nice tools for recovering data.

10
Ethical Hacking Discussions and Related Certifications / Forensics / Re: Gaining experience... first steps
on: November 18, 2008, 09:53:49 AM
I think that BillV is on to something there. I always say that learning the technical aspect is quite easy. However, investigative skills are tougher to teach. If you can get attached to an experienced investigator, you will learn more than you can pick up from books and certifications. The grunt work you would be doing is documentation, chain of custody, etc. Learning proper procedures and documentation is extremely important. It will save you on the stand someday.
I think that if you want to get your foot in the door, you have to be prepared to relocate. Most forensics jobs are in NYC and DC. DC has most of the government jobs, NYC has most of the consulting companies. There are other markets, but they are not as saturated.

12
Ethical Hacking Discussions and Related Certifications / Forensics / Re: Looking for advice on pursuing forensics..
on: November 17, 2008, 04:45:06 PM
I completely agree with ElCapitan, go for Fed employment. Secret Service is one option, FBI, Customs, IRS, etc, are others. A word of caution, you almost never get to be a forensics investigator from the start. You have to go to Quantico first. You then become a regular agent, eventually graduating to an investigator. You can then request to be transferred into a forensics squad. You will always remain an agent. In case something major happens, you will be recalled. You DO want to be an agent. Agents get higher salary, better benefits, and first chance at juicy assignments. From what I have been told by ex-feds, agents look down on civilian employees.
Certifications are important. For Federal Agents, the premier cert is CFCE, but it's only available to law enforcement. For private sector, the cert of choice is CCE. Interestingly enough, A+ certification still applies and is valued. EnCE certification is also good.
I also agree that a BS degree is important. Criminal justice, Information Security, Accounting degrees are highly sought after.
If you live in a wealthy area, local police force may be an option. Again, you are a cop first, then you become an investigator.
Sounds like you are on the right track. Stay in school and finish your BS degree. Figure out what kind of investigation you want to concentrate on. If you like accounting, IRS is a good agency. If you prefer criminal, FBI and Secret Service are great agencies. Once you pass basic training, it's not unreasonable for you to be making six figures within 5 to 7 years, depending on your level of ambition. After that, the paygrades level out. At this point, some Feds leave and enter the private sector. There are a few large forensics shops that snatch up Feds quickly. They are great for gaining consulting experience, but they do not typically pay well. Boutique shops pay better. You have to do your research to make sure the shop is stable. Beware of non-competes.
Anyway, those are my two cents. I am probably rambling too much. Who knows, maybe by the time you are done with school, EnCase 10.0 will have a single button, "Solve Case." The main point is that you have to become an investigator. Technical skills can be taught, but investigative skills are much more difficult to acquire.

13
Ethical Hacking Discussions and Related Certifications / Forensics / Re: Data Recovery
on: November 17, 2008, 04:28:59 PM
Just out of curiosity, does the "low level format" concept still exist? I haven't seen a BIOS offer that option in years.
I don't think that you need to DoD wipe the drive. I don't think that anything more than 1 complete wipe pass is necessary. If you write zeros to every sector of the drive, traditional data recovery becomes almost impossible. The trick is to write zeros to EVERY sector of the drive.