Acquisition Tools
Getting The Data:
The First Step of a Successful Forensic Analysis
Presented By
RS
The Catch 22 of Computer Forensics:
Should you pull the plug?
You must not alter or contribute to
the digital evidence.
You will lose access to any volatile
and/or encrypted data by powering
down a live system!
How can you tell what you will lose,
without first examining the system?
How do you examine a live system
without modifying it in the process?
What makes a Forensic
Investigation Challenging?
You only get one chance to do it right!
RAID0 - STRIPE
RAID1 - MIRROR
RAID5 - STRIPE with PARITY
JBOD - Just a Bunch Of Disks
Reconstructing a RAID array
Macintosh Disk Mode
Hold down the T key upon bootup,
and the Macintosh will act as an
external firewire drive.
Forensic image integrity verification
Checksums
CRC32
Hashes
MD5
SHA-1
SHA-256
cksum Creates/Validates CRC32
Available in many older Unix systems
md5sum Creates/Validates MD5
Common on modern Unix Systems
Win32 & DOS versions available
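As an added example (not part of the original slides), a Python script that does in one pass what cksum and md5sum do for an acquired image: it computes CRC32, MD5, SHA-1 and SHA-256 in chunks, stores them beside the image in an md5sum-style manifest, re-verifies, and shows that a single flipped bit is caught by every algorithm. The file names and the filler content of the "image" are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import zlib
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads, so multi-gigabyte images never have to fit in RAM


def digest_image(path):
    """Return CRC32, MD5, SHA-1 and SHA-256 of a file from a single pass over the data."""
    crc = 0
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            crc = zlib.crc32(block, crc)
            for h in hashes.values():
                h.update(block)
    result = {"crc32": f"{crc & 0xFFFFFFFF:08x}"}
    result.update({name: h.hexdigest() for name, h in hashes.items()})
    return result


def write_manifest(image, manifest):
    """Store the digests beside the image as 'algo  hexdigest' lines (md5sum-style two spaces)."""
    lines = [f"{algo}  {value}" for algo, value in digest_image(image).items()]
    Path(manifest).write_text("\n".join(lines) + "\n")


def verify_manifest(image, manifest):
    """Recompute every digest; return the algorithms whose stored value no longer matches."""
    expected = dict(line.split("  ", 1) for line in Path(manifest).read_text().split("\n") if line)
    actual = digest_image(image)
    return sorted(algo for algo, value in expected.items() if actual.get(algo) != value)


def demo():
    """Constructed 1 MiB 'image': hash it, verify it, flip one bit, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image, manifest = os.path.join(tmp, "evidence.dd"), os.path.join(tmp, "evidence.dd.sums")
        data = bytearray(b"FAT32-boot-sector-and-data-")  # constructed filler, not a real image
        data *= (1 << 20) // len(data)
        Path(image).write_bytes(data)
        write_manifest(image, manifest)
        clean = verify_manifest(image, manifest)      # [] : image unchanged
        data[len(data) // 2] ^= 0x01                  # one flipped bit, as a bad sector or edit would cause
        Path(image).write_bytes(data)
        tampered = verify_manifest(image, manifest)   # every algorithm now disagrees
        return {"clean": clean, "tampered": tampered, "digests": digest_image(image)}
```

Run `demo()` to see the verification pass on the untouched image and then name all four algorithms after the bit flip; the same functions work unchanged on a real dd image and its sidecar manifest.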
Commercial Verification Products
New Technologies, Inc.
http://www.Forensics-Intl.com
crcmd5
CRC & MD5 of files and file groups
disksig
MD5 of disks
Forensic Image Formats
DD / RAW
EnCase
SafeBack
SnapBack
SMART
For more information
http://users.erols.com/gmgarner/forensics/
International Journal of Digital Evidence
http://www.ijde.org/
http://www.e-evidence.info/
http://www.tucofs.com/tucofs.htm
http://www.forensics-intl.com
http://www.usdoj.gov/criminal/cybercrime
http://www.dcfl.gov
Any Final Questions?