The Ethical Hacker Network - Beginner to Security and Forensics

Latest Additions

Who's Online

darmour

Newbie

Offline

Posts: 2

Beginner to Security and Forensics

« on: October 08, 2007, 02:40:00 PM »

I've been given some new roles within my job that require me to be able to perform digital forensics in case of an investigation.

My boss would like for me to gather and price out the tools required to perform all scenarios of digital forensics. Right now all I have is a IDE and SATA write blocker and a copy of BackTrak 2 to play with.

Any suggestions would be greatly appreciated to include paid training. I have looked at Encase as a possible software and training package.

Thank you,

-Damon


	Logged

dean

Guest

Re: Beginner to Security and Forensics

« Reply #1 on: October 08, 2007, 04:29:37 PM »

Hi darmour,

Look at the HELIX Live CD. It is designed for forensic analysis. It does not automount any drives or touch the swap space in any way. This keeps the entire process forensically sound.

Also check out Brian Carrier's site: http://www.digital-evidence.org/

Another option is the Forensic Toolkit from AccessData. I use both Encase and FTK. Encase's training is very good but specific to their product, I have never taken it though. For training that is less vendor specific check out the SANS 508 Forensics, Investigation and Response Track: http://www.giac.org/certifications/security/gcfa.php It is a very, very good course.

You also might want to check into network forensic products too. Due to all the anti-forensic techniques (check out Metasploit's Timestomp, Slacker, Sam Juicer & Transmorgrify for a few examples) it's often easier to gather network traffic and data to build a case.

dean


	Logged

darmour

Newbie

Offline

Posts: 2

Re: Beginner to Security and Forensics

« Reply #2 on: October 10, 2007, 07:57:30 AM »

Thank you for the information. I'll check into all those options.

Are there any specific hardware tools I should have in my possession for forensic activities? I have a dedicated Dell PC for this tasks and the write blockers. Anything else needed?

Thanks again!

-Damon


	Logged

oleDB

Recruiters
Full Member

Offline

Posts: 236

Re: Beginner to Security and Forensics

« Reply #3 on: October 11, 2007, 02:55:45 PM »

Buy and read these books cover to cover
http://www.bookpool.com/sm/0321525647

- http://www.digitalintelligence.com/
- Make sure to keep your dell forensic box in physically secure location and that your media is locked away.
- Depending on what your analyzing, specifically phones and pda's, you may need to buy more hardware for that
- Don't go cheap on storage. You might have to image a raid server one day.
- Download LiveView so you can investigate the image as an interactive VM
- Make sure to write out your forensic process in a document. This is very helpful, because you first you want it to be repeatable and accurate. Second, it helps in court when you have a standing procedure thats used over and over.
- Its common in forensics to use 2 or more tools like FTK and Encase. So you may consider getting both depending on your budget.
- You'll probably want to build a jumpbox full of tools that you can take with you on a moments notice. Many vendors sell these in a complete set.

I've taken the SANS Forensics training and its very good, however if you are going to be using Encase I would recommend getting their product specific training over SANS. Just my opinion, based on the fact that Encase is the mostly widely used product. Not the best, just the most common.