Hi darmour,

Look at the HELIX Live CD. It is designed for forensic analysis. It does not automount any drives or touch the swap space in any way. This keeps the entire process forensically sound.

Also check out Brian Carrier's site: http://www.digital-evidence.org/

Another option is the Forensic Toolkit from AccessData. I use both Encase and FTK. Encase's training is very good but specific to their product, I have never taken it though. For training that is less vendor specific check out the SANS 508 Forensics, Investigation and Response Track: http://www.giac.org/certifications/security/gcfa.php It is a very, very good course.

You also might want to check into network forensic products too. Due to all the anti-forensic techniques (check out Metasploit's Timestomp, Slacker, Sam Juicer & Transmorgrify for a few examples) it's often easier to gather network traffic and data to build a case.

dean

Buy and read these books cover to cover
http://www.bookpool.com/sm/0321525647

- http://www.digitalintelligence.com/
- Make sure to keep your dell forensic box in physically secure location and that your media is locked away.
- Depending on what your analyzing, specifically phones and pda's, you may need to buy more hardware for that
- Don't go cheap on storage. You might have to image a raid server one day.
- Download LiveView so you can investigate the image as an interactive VM
- Make sure to write out your forensic process in a document. This is very helpful, because you first you want it to be repeatable and accurate. Second, it helps in court when you have a standing procedure thats used over and over.
- Its common in forensics to use 2 or more tools like FTK and Encase. So you may consider getting both depending on your budget.
- You'll probably want to build a jumpbox full of tools that you can take with you on a moments notice. Many vendors sell these in a complete set.

I've taken the SANS Forensics training and its very good, however if you are going to be using Encase I would recommend getting their product specific training over SANS. Just my opinion, based on the fact that Encase is the mostly widely used product. Not the best, just the most common.