EH-Net
  Show Posts
1  Features / Dec 07 - Frosty the Snow Crash / Re: [Article]-Frosty the Snow Crash on: March 25, 2008, 09:18:52 AM
Were the winners of this challenge posted somewhere? I can't seem to find it. Just curious. Thanks!
2  Ethical Hacking Discussions and Related Certifications / Forensics / Private Investigator Licence Required for CF on: March 16, 2008, 08:36:53 PM
I was told that Illinois recently made some changes that require computer forensics that will be used in court to be only done by individuals or companies with private investigator licenses. I can't seem to confirm this through a Google search. Has anyone run into this? All I can find is an article from January talking about pending legislation in South Carolina.
3  Features / April 07 - Microsoft Office Space / Re: [Article]-Microsoft Office Space: A SQL With Flair - Answers and Winners on: July 05, 2007, 10:15:47 AM
I could just be blind or having a case of the Mondays, but I can't seem to find a link to the answers...
4  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Forensic write blockers on: July 05, 2007, 12:28:52 AM
It really depends on what you're capturing. PATA? SATA? SCSI (I/II/III)? SCA? 1.8" IDE, 2.5" IDE? USB? Flash? SD? When you get down to it there's no cheap solution. You're likely to spend a lot just to cover the bases.

If you really need to budget then review what your most likely acquisitions are going to be. If you have a lot of legacy systems, it'll likely be IDE. Newer systems, SATA. High Availability servers? SCSI. Then price out one and figure something out for the others.

Some nice little devices that we use are the FireFly (SATA->Firewire) hardware write blocks. They're around US$200. You can find them here http://www.digitalintelligence.com/forensicwriteblockers.php along with other forensic write blockers.

If you want to go the cheapest route, use a Linux system with auto mounting disabled and buy some USB or Firewire drive enclosures. If you go this route make sure you create a documented procedure for acquiring evidence and follow it every time. You might even go as far as to record the history of your shell commands as part of your digital case file.
5  Ethical Hacking Discussions and Related Certifications / Forensics / Re: MAC address as evidence on: July 05, 2007, 12:15:17 AM
If the MAC address is your only evidence tying the activity to the host then it's likely to be attacked. If you can provide other evidence that can corroborate the system's MAC address that would be helpful. For example, if you have history of MAC->IP from your switches, network flow logs and time stamps from something like web cache history on the suspect computer that matches the flow log time stamps, it further reinforces that the MAC address at the time was valid.

To be honest though, I don't know how that would work out in court as I've never had to testify yet, however it seems to make logical sense.
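
The corroboration described in the post above, as an added example that is not part of the original post: each web cache timestamp from the suspect disk is matched to a flow record, and the switch MAC->IP history is checked for which MAC held the source IP at that moment. All records, addresses, the 5-second clock-skew tolerance and the assumption that cache entries have already been resolved to a server IP are constructed for illustration.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample data (not from any real case).
# Switch/ARP history: (mac, ip, first_seen, last_seen)
MAC_IP_HISTORY = [
    ("00:11:22:33:44:55", "10.0.0.23", ts("2007-07-02 08:00:00"), ts("2007-07-02 12:00:00")),
    ("66:77:88:99:aa:bb", "10.0.0.23", ts("2007-07-02 12:05:00"), ts("2007-07-02 18:00:00")),
]
# Network flow log: (start_time, src_ip, dst_ip, dst_port)
FLOWS = [
    (ts("2007-07-02 09:15:02"), "10.0.0.23", "192.0.2.10", 80),
    (ts("2007-07-02 10:40:31"), "10.0.0.23", "192.0.2.44", 80),
    (ts("2007-07-02 13:20:00"), "10.0.0.23", "192.0.2.10", 80),
]
# Web cache entries recovered from the suspect disk: (timestamp, server_ip)
CACHE = [
    (ts("2007-07-02 09:15:03"), "192.0.2.10"),
    (ts("2007-07-02 10:40:30"), "192.0.2.44"),
    (ts("2007-07-02 13:20:01"), "192.0.2.10"),
    (ts("2007-07-02 11:00:00"), "192.0.2.99"),
]

def mac_for(ip, when, history=MAC_IP_HISTORY):
    """Return the MAC the switches recorded for `ip` at time `when`, or None."""
    for mac, h_ip, first, last in history:
        if h_ip == ip and first <= when <= last:
            return mac
    return None

def corroborate(suspect_mac, cache=CACHE, flows=FLOWS, skew=timedelta(seconds=5)):
    """Label each cache entry: 'match' if a flow to the same server within
    `skew` came from an IP the history ties to `suspect_mac`, 'mac_mismatch'
    if the history shows another (or no) MAC, 'no_flow' if no flow lines up."""
    results = []
    for c_time, server in cache:
        verdict = "no_flow"
        for f_time, src, dst, _port in flows:
            if dst == server and abs(f_time - c_time) <= skew:
                mac = mac_for(src, f_time)
                verdict = "match" if mac == suspect_mac else "mac_mismatch"
                break
        results.append((c_time, server, verdict))
    return results

if __name__ == "__main__":
    for when, server, verdict in corroborate("00:11:22:33:44:55"):
        print(when.isoformat(sep=" "), server, verdict)
```

The 'mac_mismatch' and 'no_flow' rows are the ones to explain in the case file, since they are where the MAC attribution is weakest.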