Newbie Introduction to Digital Forensics Part 2

Monday, March 08, 2010

Juan Granados


"It’s funny, ya know, the kinda stuff that pops into your head when you’re tryin’ to work. I remember there was this horse—a golden palomino. Old man McGinty had got him in a trade, I think. I couldn’t’ve been more than nine or ten at the time but I’d made up my mind that I was goin’ to ride that horse. ‘Course knowin’ old man McGinty, that was gonna take some doin’."


Up to this point in my career, "Digital Forensic Analysis" consisted of a basic scan for documents on an "exited" employee's hard drive. Given the "extensive" nature of my past investigations, I was convinced that I could easily impress the executives at my company by doing more.


So, the research part of my journey began!

The information available on the internet can be a blessing and a curse at the same time. The sheer volume of it can be overwhelming for the newly anointed "Padawan" learner. One thing was clear: forensic analysis was an art rather than a science. My hope of finding a "Cliff's Notes" version of "Digital Forensics" would prove to be impossible.

"Well I remember thinkin’ to myself as that palomino stared at me from across the corral with a real kinda proud an’ angry look, that if ever there was a time for turnin’ back this was it. But somethin’ else musta decided our paths were bound to cross that day, ‘cause my feet just kept right on goin’."

Consistency in process and procedure was clearly more important than the software that would gather the information. Documentation of the methodology, coupled with a clear "Chain of Custody", would be key to defending the evidence gathered in any future litigation. However, sample documentation on process and methodology was also hard to find. This journey was going to take a little longer than anticipated.

"Now havin’ a golden palomino in a corral is all well and good. But actually gettin’ right up to ‘er—well that could be a whole ‘nother ball game. She was startin’ to look a little bit bigger than I remembered too. No, there was definitely more to ridin’ this palomino than had occurred to me the night before."


So, my eyes may have been bigger than my stomach. I needed to define the scope of this journey in order to make the project a little more manageable. In the past, the need for "Digital Forensic Analysis" had been small. The few cases that required extensive work were usually outsourced to third-party security experts who had a lot of time and experience to bring to the table. So, I decided to start somewhere in the middle. I could not compete with security experts who had significant experience in the industry. However, I could get the process started early, so that company management could make a decision about the potential value of sending hard drive data to the third-party experts. By limiting the scope of this process, I could concentrate on the basics while I learned more about proper methodology and documentation.

"I’d always heard in ridin’ horses, it was the horse that did the sweatin’. But I wasn’t even on it yet and you coulda wrung enough out of me to water the lawn. From here on it was easy-does-it. You move too sudden or worse, try jumpin’ on ‘er back, an’ you might just as well strap yourself to a—well, to a rocket."

A complete bit-level copy of the hard drive would be the logical start of my part of this process. In most cases, the machines were powered down before I could access the hard drive, so no memory dumps or live (online) forensics work could be performed.

I had learned early in my research about maintaining the integrity of the hard drive by not booting from it. Booting makes changes to the hard drive (timestamps, logs, swap and temporary files) that make the evidence discovered harder to defend. So, to preserve this evidence, I would need to perform a bit-level copy of the hard drive without ever mounting it read-write.
There were many software options for performing this task. I had originally used Paragon Software's Drive Copy, but I also wanted to try other products, specifically open source ones.
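The two points above, a bit-level copy taken without booting or writing to the source, and a record that ties the copy to the original for the chain of custody, are the core of any acquisition. As an added example (not from the original article, and not Paragon's tool, which the author used), the shell functions below acquire an image with `dd` and verify it by comparing SHA-256 hashes of the source and the image, appending the result to a plain-text custody log. They assume `dd` and `sha256sum` are available and that the source is attached read-only (for instance behind a hardware write blocker) and is not mounted; the function names, the log format and the sample data are this example's own.

```shell
#!/bin/sh
# Added example: acquire a bit-level image of a source device (or file) with dd,
# verify it against the source by SHA-256, and log the result for the custody record.
# Assumptions: dd and sha256sum exist; the source is read-only and NOT mounted.

# acquire_image SOURCE IMAGE LOG
#   Prints the verified SHA-256 of the image and returns 0 only if the image
#   hash equals the source hash; returns 1 on any read, copy or hash failure.
acquire_image() {
    src="$1"; img="$2"; log="$3"

    # Reference hash of the source, taken before anything is copied. On a real
    # drive this reads the whole device, which is slow but gives an independent value.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1) || return 1

    # Bit-level copy. bs=512 matches the sector size, so conv=noerror,sync only
    # zero-fills sectors that cannot be read; with a larger block size, a short
    # final read would be zero-padded and the hashes would no longer match.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1

    img_hash=$(sha256sum "$img" | cut -d' ' -f1) || return 1

    # Custody record: UTC timestamp, source, image, source hash, image hash.
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$src_hash" "$img_hash" >> "$log"

    [ "$src_hash" = "$img_hash" ] || return 1
    echo "$img_hash"
}

# verify_image IMAGE EXPECTED_HASH
#   Returns 0 if the stored image still hashes to the value recorded at acquisition.
verify_image() {
    cur=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    [ "$cur" = "$2" ]
}
```

Typical use is `acquire_image /dev/sdX /evidence/case-001.dd /evidence/custody.log` immediately after attaching the drive, then `verify_image /evidence/case-001.dd <hash>` whenever the image is handed over or before analysis begins; a mismatch at that point means the image, not the original, has changed since acquisition.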

Why open source?

I will answer that question in my next article. I will also dive deeper into the open source products that I have used to help me through this process.
