Ethical Hacker Community Forums
November 22, 2008, 03:48:51 AM

1
Ethical Hacking Discussions and Related Certifications / Forensics / Re: Private Investigator Licence Required for CF
on: July 03, 2008, 12:40:33 PM
The actual bill is located here. It's not the easiest thing to read (legalese plus poor formatting), so I'm slowly making my way through it.

I just finished reading it (although I did not investigate references to other, existing portions of law) and I fail to see how a computer repairperson (performing normal, daily repair/installation work) would really fall under this. I also found that it would appear to me that a computer forensics investigator may be exempt (although I think they would have to be a licensed engineer) under

SECTION 16. Section 1702.324, Occupations Code, as amended by Chapters 518, 728, 1102, and 1155, Acts of the 79th Legislature, Regular Session, 2005, is amended by reenacting and amending Subsection (b) and adding Subsection (c) to read as follows:
(b) This chapter does not apply to:
(1) a manufacturer or a manufacturer's authorized distributor while selling [who sells] equipment intended for resale [and does not perform any other service that requires a license under this chapter];
...
...
(6) a licensed engineer practicing engineering or directly supervising engineering practice under Chapter 1001, including forensic analysis, burglar alarm system engineering, and necessary data collection;

Of course I'm not a lawyer, and I don't know that many computer forensics investigators are licensed engineers (being of a computer engineering background, I know that although I could take that route, I have no intention/desire to do so). I'm glad I am not planning on moving to Texas.

2
Ethical Hacking Discussions and Related Certifications / Forensics / Re: USB Vs IDE/SATA write blocker
on: June 24, 2008, 12:20:42 PM
This USB DriveDock looks really good, but it doesn't say if it's a write blocker, so I assume it isn't?

You assume correctly. However they do have writeblockers which are significantly less expensive than some of the others. If you go to the WiebeTech homepage and click on the Forensics option in the side menu, you will access their Forensic docks. Read the features carefully as they vary in terms of which ports are writeblocked and which aren't. I haven't used any of these, but am keeping them in mind for future purchases.

And I would say that yes, technically you could use a non-write blocked adapter with a software writeblock, but I have always been taught to use a hardware blocker if at all possible. It seems to me that there are more potential accidents with a software-based writeblocker (such as software crash, or computer reboot resulting in some drive modification prior to the writeblock software starting back up, etc.)

3
Ethical Hacking Discussions and Related Certifications / Forensics / Need Help - Over 2TB Raid array in forensic workstation
on: June 11, 2008, 02:02:13 PM
Recently we acquired funding to purchase a new fileserver/forensics workstation. Here is what we have:
ASUS M3N-HD/HDMI motherboard
AMD Phenom 9550 2.2 GHz Quad-Core processor
4 GB DDR2 1066 RAM
6 - Seagate Barracuda 1 TB hard drives
Western Digital 120 GB IDE drive (for operating system)
other hardware as needed
Here is what we want to do:
120 GB drive is the main operating system drive
6x1TB drives in RAID 5 array (approx. 4.5 TB when finished) is storage for current / recent cases.
Currently all of our forensic workstations run Win XP Pro SP2 (32-bit). I would like to keep it that way, however, XP (32-bit) doesn't support a single drive over 2TB because of the way MBR works and of course, the raid array shows up in Windows as a single 4.54 TB drive.
So here are the options I've come up with:
1. Temporarily install Vista and get the raid array set up as GPT with a single NTFS partition, then reinstall Win XP SP2 and use GPT Mounter by Mediafour to mount the drive.
2. Realize that the world moves on and just switch to Vista Enterprise as the OS for the new system. Should have drivers for all the hardware, but question how software will like this.
3. Switch to Windows Server 2003 SP1 (or greater). Not sure about drivers, will have to look. Also unsure about software.
So, my question is - what would you recommend? Does anyone have experience with a Vista or Server 2003 forensics workstation? We primarily use EnCase v5.05j for our forensics work with NetAnalysis 1.36, FTK Imager 2.3, SnagIt 7.1, CaseNotes 1.0.2007.7, Paraben Email Examiner 5.0, BitPim 0.9.12, Flint Software's Case Manager 1.2.6, QuickView Plus 6.0.1 and other miscellaneous tools which are rarely used.
If you have any experience with any of the above software working or not working in either Vista Enterprise or Server 2003 SP1 (or later), I would appreciate it. Also if you have experience with the 64-bit versions of these operating systems and whether they would be beneficial or not, I'd like to hear it. I know that for Vista, 64-bit is needed to take full advantage of the 4 GB of RAM.

4
Ethical Hacking Discussions and Related Certifications / Forensics / Steganography in the Forensics Field
on: April 21, 2008, 02:03:59 PM
My name is Daniel Harkness. I am a graduate student at Iowa State University. I have a strong interest in Computer Forensics, and am currently enrolled in a steganography (information hiding) course. For my term project I am doing some background research for a possible funding proposal to create a steganography toolkit geared towards the Computer Forensics field.

As part of this background research, I would like to get an idea of how much (if any) steganography has been seen in the field thus far, and what your opinions on the topic are. I have created a brief, anonymous survey and would appreciate your assistance.

The questions on the survey ask about your experiences with steganography and what you think will be important or useful in the future. The survey consists of 10 questions (although some have multiple parts) and is a mixture of multiple choice and short answer questions. I would expect that the survey could take from 1 - 30 minutes depending on whether you have experienced steganography or not and how much detail you go into. All questions are optional and you are invited to participate even if you have no experience with steganography. No personal data will be collected.

The survey can be accessed at: http://www.questionpro.com/akira/TakeSurvey?id=943751

(To moderator: If direct links are not allowed, please remove the link and let me know.)

Thank you very much for your time, you can PM me if you have any questions.

5
Ethical Hacking Discussions and Related Certifications / Forensics / Re: Which forensics certification is best? And other questions
on: April 15, 2008, 10:31:43 AM
Hey all, Thanks for the suggestion and for those of you who voted on the survey. I definitely still welcome more comments, but figured I would pass on my decision (based off of posts in other forums, and discussions with some other computer forensics investigators).
I am going to be heading to ChicagoCon 2008s for the Conference Only portion on Saturday to take in the presentations and hopefully do some networking. And then I am going to be working on some self-study and applying to take the CCE exam this summer.

6
Ethical Hacking Discussions and Related Certifications / Forensics / Which forensics certification is best? And other questions
on: April 03, 2008, 01:10:47 PM
Hello All and Thank You for your time,
First an introduction:
--------------------
I am a Master's student in Computer Engineering and Information Assurance at Iowa State University. I just completed two Bachelor's degrees in Computer Engineering and Computer Science. Throughout my 7 years of college I have been involved in computer and network security through both work and student organizations.
As part of my graduate assistantship, I have been assisting in a law-enforcement computer forensics lab and assisting with computer forensics investigations. I have decided that this is the career that I want to pursue.
I am planning on graduating in December of this year and would like to work in (or within a couple hours of) the Chicago area. I would be interested in either the law-enforcement or civilian path.
--------------------
Now, the questions:
1) Would obtaining a certification now be particularly helpful in my career search? (As mentioned above, I do have some experience and plan to continue my current work through December.)
2) What are the differences between the certifications? (For example, does CHFI focus more on network intrusion/attack/etc. investigations than the CCE?)
3) Which certification exams can be taken without attending a formal training/boot camp?
4) Which certification would people recommend for my situation/goals?
5) DOES ANYBODY KNOW OF ANY POSSIBLE FUNDING/ASSISTANCE WHICH CAN BE USED TOWARDS TRAINING/CERTIFICATIONS?
6) Any recommendations for networking/career searching to locate careers in the field?
Here are some ideas I have currently. Your comments are encouraged and welcome. After 7 years of school (without parental financial support) I really do not have money laying around and being able to avoid additional debt would be ideal. (Thus why question 6, above, could be a huge help).
1) Additional self study and then apply to take the CCE exam.
2) Take a small loan and attend ChicagoCon 2008 for networking opportunities. (Does anyone know if they use interns? I know some other conferences allow students to act as interns (assist with check-in, setup activities, etc.) and attend the conference events for free. If so, who would I contact?)
3) Take a large loan (student loan if possible) and attend ChicagoCon 2008 and take the training for CHFI. (Does anybody know if there are any prerequisite training/experience/certifications/etc. for this?)
4) Wait until I have an employer and obtain training and certification as they deem fit (and as they will fund).
5) Do both 1) and 2).
Well, if you read this far, I greatly appreciate your time. Your comments, suggestions, etc. will be very appreciated.
Thank You for your time.

7
Ethical Hacking Discussions and Related Certifications / Forensics / Re: Encase 5.05 and Mac Drives
on: February 07, 2008, 10:42:05 AM
We have found a solution in the EnCase forums. Apparently EnCase (I am not sure if version 6 fixes this) does not recognize the GUID partition table used in newer Macs with EFI. Following is a manual fix from Bill Siebert in the EnCase forums to get the filesystem to show:
1) Search the disk for "HFS"
2) Wait a few minutes and refresh the search hits
3) In the search hits, find the HFS at the top of the list and click on it
4) Switch to disk view where the HFS keyword was found
5) Move back 2 sectors, right click, select Add Partition, choose HFS+
6) Let the file systems rebuild
7) VOILA! The folders and files will appear
Note: some people have reported having to use the second search hit, rather than the first.
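
Added example (not part of the original post, and not code from EnCase or from Bill Siebert): an HFS+ volume header sits 1024 bytes, i.e. two 512-byte sectors, past the start of its partition, which is consistent with the "move back 2 sectors" step. This Python code reads the GPT of a raw image directly and checks each HFS+ entry for that header; the function names, the 512-byte sector size and the sample image are assumptions constructed for illustration.

```python
import io
import struct
import uuid

SECTOR = 512  # assumed logical sector size of the acquired disk
HFS_PLUS_TYPE = uuid.UUID("48465300-0000-11AA-AA11-00306543ECAC")  # Apple HFS+ GPT type

def find_hfs_volumes(disk):
    """Return (first_lba, last_lba, name, header_ok) for every HFS+ GPT entry.

    disk is a seekable binary file object over a raw (dd-style) image.
    """
    disk.seek(SECTOR)                      # GPT header lives at LBA 1
    hdr = disk.read(92)
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    # Offsets 72/80/84: entry array start LBA, entry count, entry size
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    found = []
    for i in range(count):
        disk.seek(entries_lba * SECTOR + i * entry_size)
        entry = disk.read(entry_size)
        if len(entry) < 128 or uuid.UUID(bytes_le=entry[:16]) != HFS_PLUS_TYPE:
            continue                       # unused slot or another partition type
        first_lba, last_lba = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").rstrip("\x00")
        disk.seek(first_lba * SECTOR + 1024)        # volume header: 2 sectors in
        header_ok = disk.read(2) in (b"H+", b"HX")  # HFS+ or HFSX signature
        found.append((first_lba, last_lba, name, header_ok))
    return found

def build_sample_image():
    """Constructed 64-sector image: GPT header plus one HFS+ entry at LBA 40."""
    img = bytearray(SECTOR * 64)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 128, 128)  # entries at LBA 2
    entry = (HFS_PLUS_TYPE.bytes_le + uuid.UUID(int=1).bytes_le
             + struct.pack("<QQQ", 40, 63, 0)
             + "Macintosh HD".encode("utf-16-le").ljust(72, b"\x00"))
    img[2 * SECTOR:2 * SECTOR + 128] = entry
    img[40 * SECTOR + 1024:40 * SECTOR + 1026] = b"H+"
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    for first, last, name, ok in find_hfs_volumes(build_sample_image()):
        print(f"{name}: LBA {first}-{last}, volume header present: {ok}")
```

The first LBA it reports is the sector at which a partition would be added by hand in a tool that does not parse the GPT itself.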

8
Ethical Hacking Discussions and Related Certifications / Forensics / Encase 5.05 and Mac Drives
on: January 31, 2008, 03:58:46 PM
I have 2 hard drives, one from a notebook and one from a desktop. I know they are from Macs, but I'm not sure what version of Mac OS X or filesystem. I got them acquired using Helix and LinEn, and added them to a case and verified them in EnCase Forensic 5.05j.
However, EnCase does not recognize the filesystems. It just says "Unknown" in the report tab for filesystem, and when I expand the drive, I get "C" and nothing else. Scrolling through the text of the drive, I can see that data is there, so I believe the acquisition was successful, just not sure what's going on.
Any ideas would be appreciated.
Thanks much.

9
Ethical Hacking Discussions and Related Certifications / Forensics / Free Online Training?
on: December 19, 2007, 03:53:45 PM
I am a Master's student in computer engineering and information assurance. I am very interested in pursuing Computer/Digital Forensics as a career. I am wondering if anybody is aware of any good (free) online tutorials for learning the basics (the practices rather than the concepts (I already have a decent understanding of the concepts)) of conducting a computer forensics investigation. Also a place to find some sample disk images.
Thank You