
Beginner to Security and Forensics


darmour

Newbie

Posts: 2

Joined: Tue Sep 18, 2007 11:57 am

Post Mon Oct 08, 2007 2:40 pm

Beginner to Security and Forensics

I've been given some new roles within my job that require me to be able to perform digital forensics in case of an investigation.

My boss would like for me to gather and price out the tools required to perform all scenarios of digital forensics. Right now all I have is an IDE and SATA write blocker and a copy of BackTrack 2 to play with.

Any suggestions, including paid training, would be greatly appreciated. I have looked at Encase as a possible software and training package.

Thank you,

-Damon

dean

Post Mon Oct 08, 2007 4:29 pm

Re: Beginner to Security and Forensics

Hi darmour,

Look at the HELIX Live CD. It is designed for forensic analysis. It does not automount any drives or touch the swap space in any way. This keeps the entire process forensically sound.

Also check out Brian Carrier's site: http://www.digital-evidence.org/

Another option is the Forensic Toolkit from AccessData. I use both Encase and FTK. Encase's training is very good but specific to their product; I have never taken it, though. For training that is less vendor specific, check out the SANS 508 Forensics, Investigation and Response Track: http://www.giac.org/certifications/security/gcfa.php It is a very, very good course.

You also might want to check into network forensic products. Due to all the anti-forensic techniques (check out Metasploit's Timestomp, Slacker, Sam Juicer & Transmogrify for a few examples), it's often easier to gather network traffic and data to build a case.

dean

darmour

Newbie

Posts: 2

Joined: Tue Sep 18, 2007 11:57 am

Post Wed Oct 10, 2007 7:57 am

Re: Beginner to Security and Forensics

Thank you for the information. I'll check into all those options.

Are there any specific hardware tools I should have in my possession for forensic activities? I have a dedicated Dell PC for these tasks and the write blockers. Anything else needed?

Thanks again!

-Damon

oleDB


Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Thu Oct 11, 2007 2:55 pm

Re: Beginner to Security and Forensics

Buy and read these books cover to cover:
http://www.bookpool.com/sm/0321525647

- http://www.digitalintelligence.com/
- Make sure to keep your Dell forensic box in a physically secure location and that your media is locked away.
- Depending on what you're analyzing, specifically phones and PDAs, you may need to buy more hardware for that.
- Don't go cheap on storage. You might have to image a RAID server one day.
- Download LiveView so you can investigate the image as an interactive VM.
- Make sure to write out your forensic process in a document. This is very helpful because, first, you want it to be repeatable and accurate. Second, it helps in court when you have a standing procedure that's used over and over.
- It's common in forensics to use 2 or more tools like FTK and Encase. So you may consider getting both, depending on your budget.
- You'll probably want to build a jumpbox full of tools that you can take with you on a moment's notice. Many vendors sell these in a complete set.

I've taken the SANS Forensics training and it's very good; however, if you are going to be using Encase I would recommend getting their product-specific training over SANS. Just my opinion, based on the fact that Encase is the most widely used product. Not the best, just the most common.
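The two pieces of advice that recur in the replies above, keep the acquisition forensically sound (dean's point about Helix not touching the media) and write the process down so it is repeatable and defensible (oleDB's point), reduce to a small, scriptable step: image the source read-only, hash source and image, and log every step and hash. The shell script below is an added example, not code from this thread or from Helix, Encase, FTK or any other product named in it. It assumes a Linux host with dd and sha256sum, and uses a constructed 4 KiB file as the "evidence device" so it runs offline; in practice the source would be a block device sitting behind the write blocker mentioned in the thread (dd only ever opens the source for reading, but the blocker is what makes that enforceable).

```shell
#!/bin/sh
# Added example: repeatable, verifiable raw-image acquisition.
# Assumes: Linux, dd, sha256sum, mktemp. The evidence "device" in run_demo is
# a constructed file; on a real case it would be /dev/sdX behind a write blocker.

# acquire_image SRC DEST LOG
# Images SRC to DEST sector by sector and appends a timestamped record of the
# source, image and both SHA-256 hashes to LOG. Returns 0 if the hashes match.
# bs=512 matches the sector size; conv=noerror,sync keeps going past bad
# sectors and zero-fills them instead of silently shortening the image.
# Note: sync pads a trailing partial block, so only use it when the source is
# a whole number of 512-byte sectors (always true for a real disk).
acquire_image() {
    src=$1; dest=$2; log=$3
    {
        echo "acquisition start: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src"
        echo "image: $dest"
    } >> "$log"
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>> "$log" || return 1
    src_hash=$(sha256sum "$src"  | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    echo "source sha256: $src_hash" >> "$log"
    echo "image sha256: $img_hash" >> "$log"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verification: MATCH" >> "$log"
        return 0
    fi
    echo "verification: MISMATCH" >> "$log"
    return 1
}

# verify_image DEST LOG
# Re-hashes a stored image and compares it with the hash recorded at
# acquisition time; catches corruption or tampering after the fact.
verify_image() {
    dest=$1; log=$2
    recorded=$(grep '^image sha256:' "$log" | tail -n 1 | awk '{print $3}')
    current=$(sha256sum "$dest" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# run_demo: acquire a constructed 4 KiB (8-sector) evidence file and verify
# the image against the log. Returns 0 on success.
run_demo() {
    work=$(mktemp -d) || return 1
    head -c 4096 /dev/urandom > "$work/evidence.raw"   # constructed sample data
    acquire_image "$work/evidence.raw" "$work/evidence.dd" "$work/acquisition.log" &&
        verify_image "$work/evidence.dd" "$work/acquisition.log"
    rc=$?
    rm -rf "$work"
    return $rc
}

# run_tamper_demo: same acquisition, then flip one byte in the image.
# Returns 0 only if verify_image correctly reports the image as changed.
run_tamper_demo() {
    work=$(mktemp -d) || return 1
    head -c 4096 /dev/urandom > "$work/evidence.raw"   # constructed sample data
    acquire_image "$work/evidence.raw" "$work/evidence.dd" "$work/acquisition.log" || { rm -rf "$work"; return 1; }
    printf 'X' | dd of="$work/evidence.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$work/evidence.dd" "$work/acquisition.log"; then
        rc=1   # tampering went undetected
    else
        rc=0   # mismatch detected as expected
    fi
    rm -rf "$work"
    return $rc
}
```

The log file is the written procedure oleDB recommends, produced automatically every time: anyone can re-run verify_image later and show that the image in evidence is byte-for-byte what was acquired. Two hashes (source and image) at acquisition time are what make the copy defensible; a single hash of the image alone only proves the image has not changed since you hashed it, not that it matched the original.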
