Wednesday, March 7, 2007

Digital forensics: when users put the mass in mass storage

An article popped up across the SecurityFocus security news feed this week titled "Digital forensics plagued by expanding storage". This rang a bell, as I've conducted forensic analysis on arrays and drives that were impressively large.

There are a few basic things you can have in your toolkit to help out:

1. As much storage as you can afford - I like to have a large portable drive as well as an even larger network accessible drive that I can dd to. These days, it isn't unreasonable to carry a 500 GB drive as your portable forensic storage device, and 750 GB drives are starting to hit reasonable prices if you have to deal with large datasets. Remember, bitwise copies are the best route if you really need a deep analysis, but if you're forced to and having that level of accuracy is not required, you can use tools that copy only the live filesystem.

It is worth noting that vendors have begun to bring out enclosures with decent hardware RAID built in, meaning that you can have a terabyte or more of real space for images in a single reasonably portable box.

If you're imaging from the host, rather than a forensic workstation, a good USB/Firewire enclosure is a must, as well as a bootable Linux or Windows IR CD. Check out Helix or PenguinSleuth, or any of the host of other liveCDs out there.

2. A method of getting to arrays. In many forensic analysis situations, you need to copy from a RAID array, either on a dedicated controller or from an onboard host based controller. For Windows, BartPE is your friend once you locate the right drivers and load them. Some arrays may be hardware based - if they're not, you'll need to get the configuration and drivers loaded to deal with them in most cases.

3. A plan for how to handle oddball systems. Sometimes, getting an image is going to be impossible, and if analysis is your key issue, rather than preservation of a pristine image, you should have a plan for how to conduct live system analysis.

4. Last but probably most important - you need a way to take useful notes, and a plan of attack that you can follow. Standards will save you, and documentation and careful notes are critical.

Don't forget your screwdrivers!

1 comment:

Keydet89 said...

2. A method of getting to arrays.

Sometimes live acquisition is the only solution, even if you're only acquiring an image of the system partition.

3. A plan for how to handle oddball systems.

Again, live response may be the key here, as you mention.

4. Last but probably most important - you need a way to take useful notes,

I've been using Forensic CaseNotes for my analysis notetaking...very useful, very effective, and easy to share amongst the team.