Thursday, March 8, 2007

Digital Forensics: A few more tips

I wanted to throw out a few more tips to add to those from the previous post, but first here's my own take on the SecurityFocus article.

First, of course storage is expanding rapidly. This has been the case for years, and it is a problem for forensics because you typically have to deal with full drive images. However, my belief is that law enforcement is still dealing primarily with individuals' desktop systems and not large corporate servers. You still have to deal with large drives, but probably won't come across massive RAID arrays anytime soon. In these cases, you can always keep ahead of the desktop user if properly funded. To save on space though...

Tip 1
A number of forensic tools now allow for capture to a compressed image format such as AFF or EnCase's Evidence File Format. If space is an issue, then use compressed formats for analysis and archival. You can always compress images for archival, but the formats above (and others) can be indexed and searched while still in a compressed state as well.
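To show why a compressed evidence format can still be searched without inflating the whole image, here is an added toy container (my own example for this post, not the AFF or EnCase format and not code from either project). The raw image is split into fixed-size segments that are compressed independently; an index records each segment's offset, compressed length and SHA-256, so a reader can verify and inflate one segment at a time, and a keyword search only ever holds one segment (plus a small overlap for matches spanning a boundary) in memory. The segment size, magic value and layout are arbitrary choices for the example.

```python
"""Toy segmented, compressed disk-image container (illustration only; not AFF/E01).

Layout: MAGIC | compressed segment 0 | ... | compressed segment N-1 |
        index (count, then per-segment: offset, clen, rlen, sha256) | index offset
"""
import hashlib
import io
import struct
import zlib

SEGMENT_SIZE = 64 * 1024      # arbitrary segment size chosen for the example
MAGIC = b"TOYIMG1\0"          # arbitrary magic for the example format
ENTRY = struct.Struct(">QII")  # segment offset, compressed length, raw length


def write_image(raw: bytes, segment_size: int = SEGMENT_SIZE) -> bytes:
    """Compress `raw` segment by segment and append an index of the segments."""
    out = io.BytesIO()
    out.write(MAGIC)
    index = []
    for pos in range(0, len(raw), segment_size):
        chunk = raw[pos:pos + segment_size]
        comp = zlib.compress(chunk, 9)
        # Hash the *raw* segment so integrity can be checked after inflation.
        index.append((out.tell(), len(comp), len(chunk), hashlib.sha256(chunk).digest()))
        out.write(comp)
    index_offset = out.tell()
    out.write(struct.pack(">I", len(index)))
    for off, clen, rlen, digest in index:
        out.write(ENTRY.pack(off, clen, rlen) + digest)
    out.write(struct.pack(">Q", index_offset))  # trailer: where the index starts
    return out.getvalue()


def read_index(container: bytes):
    """Parse the index; returns a list of (offset, clen, rlen, sha256) tuples."""
    if container[:len(MAGIC)] != MAGIC:
        raise ValueError("not a TOYIMG container")
    (index_offset,) = struct.unpack(">Q", container[-8:])
    (count,) = struct.unpack(">I", container[index_offset:index_offset + 4])
    entries, pos = [], index_offset + 4
    for _ in range(count):
        off, clen, rlen = ENTRY.unpack(container[pos:pos + ENTRY.size])
        digest = container[pos + ENTRY.size:pos + ENTRY.size + 32]
        entries.append((off, clen, rlen, digest))
        pos += ENTRY.size + 32
    return entries


def read_segment(container: bytes, n: int) -> bytes:
    """Inflate and verify only segment n; the rest of the image stays compressed."""
    off, clen, rlen, digest = read_index(container)[n]
    try:
        data = zlib.decompress(container[off:off + clen])
    except zlib.error as exc:
        raise ValueError(f"segment {n} is corrupt: {exc}") from exc
    if len(data) != rlen or hashlib.sha256(data).digest() != digest:
        raise ValueError(f"segment {n} failed integrity check")
    return data


def verify_all(container: bytes) -> bool:
    """True if every segment inflates and matches its recorded hash."""
    try:
        for n in range(len(read_index(container))):
            read_segment(container, n)
    except ValueError:
        return False
    return True


def search(container: bytes, needle: bytes):
    """Return absolute offsets of `needle` in the raw image, one segment at a time.

    The last len(needle)-1 bytes of the previous buffer are carried forward so a
    match straddling a segment boundary is still found exactly once.
    """
    hits, carry, base = [], b"", 0   # base = raw offset where the current segment starts
    for n in range(len(read_index(container))):
        seg = read_segment(container, n)
        buf = carry + seg
        start = 0
        while (i := buf.find(needle, start)) != -1:
            hits.append(base - len(carry) + i)
            start = i + 1
        base += len(seg)
        carry = buf[-(len(needle) - 1):] if len(needle) > 1 else b""
    return hits
```

The per-segment hash is what makes this useful for evidence handling: a single damaged or altered segment is detected and localised, while the rest of the image remains usable, and searching never requires writing an uncompressed copy to disk.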

If you happen to be doing forensics in the corporate world, however, then dealing with servers and computer intrusions may be the norm. But there's still hope for you! If you're doing forensics primarily for business or incident response purposes rather than for a legal matter, then you might be able to get away with something less than a full drive image for analysis.

"But wait!", you cry, "can't all cases end in possible legal action?" Certainly, but you just can't image everything, and you need to be able to take action rather than being frozen by fear of compromising a hypothetical legal case.

Tip 2
The key is to have documented procedures for doing live forensics on a system. Even better is to capture those procedures through an automated first response process. Perform the initial live data collection from the system with a script. Some generic scripts are already available such as IRCR or FRUC.
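As an added illustration of what such an automated first-response step can look like (my own example for this post; it is not IRCR or FRUC and does not reproduce their command lists), the script below runs a fixed, documented list of commands, writes each command's output to its own file, and records in a manifest what ran, when it started and finished, its exit status and the SHA-256 of the captured output. The manifest is hashed as well, so the collection can be verified later. The default command list and the file layout are my assumptions; an actual procedure would fix the list (and the trusted binaries it runs from) in advance.

```python
"""Minimal scripted first-response collector (added example, not IRCR/FRUC).

Every command's output is captured to a file and described in manifest.jsonl
with timestamps, exit status and SHA-256, so the collection is repeatable and
its integrity can be checked afterwards.
"""
import hashlib
import json
import os
import shutil
import subprocess
import sys
import time
from datetime import datetime, timezone

# Hypothetical default list, ordered roughly most-volatile-first (running
# processes and network state before static configuration). Adjust to the
# documented procedure for the environment.
DEFAULT_COMMANDS = [
    ["date", "-u"],
    ["uname", "-a"],
    ["ps", "aux"],
    ["ss", "-tupan"],
    ["who"],
    ["mount"],
]


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def run_one(cmd, outdir, idx, timeout=60):
    """Run one command, save its output, and return the manifest record for it."""
    record = {"index": idx, "command": cmd, "started": _now()}
    exe = shutil.which(cmd[0])
    if exe is None:                      # tool absent: record the fact, keep going
        record.update(status="missing", finished=_now())
        return record
    outfile = os.path.join(outdir, f"{idx:02d}_{os.path.basename(cmd[0])}.txt")
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout, check=False)
        data = proc.stdout + proc.stderr
        status = "ok" if proc.returncode == 0 else f"exit {proc.returncode}"
    except subprocess.TimeoutExpired as exc:   # a hung tool must not stall collection
        data = (exc.stdout or b"") + (exc.stderr or b"")
        status = "timeout"
    with open(outfile, "wb") as fh:
        fh.write(data)
    record.update(status=status, executable=exe, output=os.path.basename(outfile),
                  bytes=len(data), sha256=hashlib.sha256(data).hexdigest(),
                  finished=_now())
    return record


def collect(commands, outdir):
    """Run every command in order, write manifest.jsonl plus its hash, return the records."""
    os.makedirs(outdir, exist_ok=True)
    records = [run_one(cmd, outdir, i) for i, cmd in enumerate(commands)]
    manifest = os.path.join(outdir, "manifest.jsonl")
    with open(manifest, "w", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(rec) + "\n")
    with open(manifest, "rb") as fh:       # seal the manifest itself
        manifest_sha = hashlib.sha256(fh.read()).hexdigest()
    with open(os.path.join(outdir, "manifest.sha256"), "w", encoding="utf-8") as fh:
        fh.write(f"{manifest_sha}  manifest.jsonl\n")
    return records


def verify(outdir):
    """Re-hash each captured output against the manifest; return the mismatched files."""
    bad = []
    with open(os.path.join(outdir, "manifest.jsonl"), encoding="utf-8") as fh:
        for line in fh:
            rec = json.loads(line)
            if "output" not in rec:        # 'missing' entries have no output file
                continue
            with open(os.path.join(outdir, rec["output"]), "rb") as out:
                if hashlib.sha256(out.read()).hexdigest() != rec["sha256"]:
                    bad.append(rec["output"])
    return bad


if __name__ == "__main__":
    dest = sys.argv[1] if len(sys.argv) > 1 else f"collection_{int(time.time())}"
    for rec in collect(DEFAULT_COMMANDS, dest):
        print(rec["index"], rec["command"][0], rec["status"])
```

Run it as `python collector.py /mnt/evidence/host01` (path assumed for the example). Because every step is scripted and recorded, the same procedure runs the same way on every incident, which is exactly what makes the resulting data defensible if a business matter later turns into a legal one.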
