Digital Forensic Software

[cgerlingjr at gmail.com (Chris Gerling Jr)]

Hi there, never had my name dropped before I don't think, haha.

The whole Sumo Linux update never really happened.  When we had first talked
with Marcus about it, nobody was really sure exactly what e-Fense was doing
with their commercial transition, and while I can't speak for him (the
project may well be still being worked on) I think there are already a
wealth of tools out there and it probably didn't make sense to invest time
in it, especially with his DojoCon coming up which was a resounding success.

I use Helix 3 Pro along with their Live Response tool.  They are both great
tools, but I am wondering about the support because as a company they've
been very shaky in the last few months, with a huge staff turnover.
 Hopefully they'll get that sorted out because I would hate to see all of
their work go for naught.

Feel free to email me personally and I can try to answer any questions you
have.  I consider myself a novice at this stuff still, and am actually
looking to build a collection of open source tools to use for examinations.

Chris Gerling


On Wed, Dec 9, 2009 at 4:12 PM, Robert Miller <arch3angel at gmail.com> wrote:

>  Tyler,
>
> Is this the first case your prosecuting attorney has had relating to
> digital data evidence?
>
> If not ask them what or who did the last time and contact them for advice.
> If this is first case or bad outcomes came from the previous case(s) I would
> suggest contacting your local InfraGard (http://www.infragard.net/)
> chapter.  Along with that look into any local universities that may be
> teaching any type of forensic classes, they would have at least a brief
> overview on how to handle the evidence.  An example of what I am talking
> about is here: http://www.starkstate.edu/academics/it_tech/cybersecur.htmor
> http://www.starkstate.edu/academics/it_tech/cybersecur/digital-forensics.htm- try and locate the professor teaching 
> these classes, then reach out with
> your story asking for advice.
>
> Also look at SANS Computer Forensics and reach out to Rob Lee, he has
> produced some really good articles and posts on these topics.  Along with
> Mr. Lee you might look at Chris Gerling from Securabit podcast, he has
> talked about forensic classes and his personal experiences with digital
> forensics, he would be a good resource.
>
> As for software, I have only used Helix prior to 3.0 the paid version and I
> am unsure if Chris Gerling and Marcus Carey have officially released Sumo
> Linux which was to take the place of Helix as an open source solution.
>
> Contact Scott Moulton, http://www.forensicstrategy.com/ he has a good
> number of videos on YouTube showing things he has done, he is also really
> nice and helpful if you have questions.
>
> Some other useful things might be:
>
> http://www.myharddrivedied.com/computer_forensics.html
>
> http://www.irongeek.com/i.php?page=videos/advanced-data-recovery-forensic-scott-moulton
>
> http://www.irongeek.com/i.php?page=videos/data-carving-with-photorec-to-retrieve-deleted-files-from-formatted-drives-for-forensics-and-disaster-recovery
>
> http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots
> http://blog.dojosec.com/
> http://www.opensourceforensics.org/tools/unix.html
> http://www.opensourceforensics.org/tools/windows.html
>
> I know when I started working on live memory forensics local law
> enforcement and universities have a hard time giving me a proper chain of
> custody procedure because of how new this area is.  It did seem though that
> everyone I spoke to stressed the importance of chain of custody and the
> contamination of the evidence during the recovery.
>
> I am sorry it is not better or more detailed to your question but I hope
> others can add to this or something I have will lead you in the right
> direction.
>
> Please keep us in the loop as you find your answers, thanks
>
> - Robert
> arch3angel
>
>
> On 12/9/2009 12:55 PM, Tyler Robinson wrote:
>
> Hey all looking for some of the fantastic advice that the pauldotcom
> listeners always provide. I am helping our prosecuting attorney with
> evidence from a hard drive, I am wondering what software everyone is using
> to make the drive images, and if anyone knows of a good website that has all
> the proper forms ex. digital chain of custody, and also some checklists or
> guidelines. I know that Helix is a widely accepted linux distro for this
> sort of thing but dont have much experience with it. I also have a copy of
> FTR and have worked with it a bit. So any advice at all is always
> appreciated. Thanks again and Thanks to Paul and Larry for bringing together
> such a dynamic group of Security professionals and a great show.
>
> --
> Tyler Robinson
> Owner of Computer Impressions and Tactical Network Security
>
>
> _______________________________________________
> Pauldotcom mailing listPauldotcom at mail.pauldotcom.comhttp://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20091210/0f102617/attachment.htm