Guest blog post: TACTICAL trial by fire

by Hogfly from http://forensicir.blogspot.com/

Last week, I received a phone call to perform a sensitive acquisition for Law Enforcement. A tragedy really, but out of it arises a short story of success with modern forensics tools.

When I arrived on scene I was briefed and went to search for the requisite equipment to perform the acquisition. As it turned out, the entire stock of wiped drives was gone. A 500GB drive was located, but it needed to be wiped. Wiping a 500GB drive takes up to a few hours, so that was no good. I did have some clean space on an acquisition RAID device though. Given the sensitivities of the operation I had to do this quickly, efficiently, and right the first time. The margin for error was slim as there was information on the desktop that couldn't be lost.

I went for the Ace up the sleeve. I had up to this point only used it in testing, but I went for a tool I knew could trust. The tool was none other than F-response TACTICAL. Yeah that's right, I went for live imaging in a Law Enforcement case. There are still plenty of those doubters and naysayers out there, so let me be clear. The time to adapt has passed, the need to preserve evidence when lives are at stake is paramount. It's time you adopt modern techniques. There is no such thing as forensic purity, in any forensic discipline when you've got volatile evidence. That's a myth created by those that have never worked in the field.

Photos taken, and requisite documentation completed, I plugged the victim system in to a local switch I had for this purpose. I then proceeded to insert the subject dongle in to the subject computer. I quickly popped the examiner dongle in to my station attached to the acquisition RAID. Configuration, always quick, included physical memory. Then I simply clicked on "auto connect" on the examiner console. Just like that, the disk and memory objects I needed were exposed. Firing up FTK imager, I made the acquisitions I needed. The case proceeded as many do, with hurried phone calls and stress like no normal incident can create. The evidence was secured for examination and the subject laptop was turned over.

I'm an Incident Responder, and a Forensic Examiner. I need tools I can rely on, tools that work in the clutch, tools that don't break the bank, tools to use when life and limb are at stake. For me, that's F-response. A very big thanks to Matt Shannon and the folks at F-response. I'm not sure how the field got along without you and you've made technology available that makes a real difference.

Originally published at http://forensicir.blogspot.com/2010/02/tactical-trial-by-fire.html

Computer forensics education directory updated

Our University and College Course Directory has been updated with the following institutions:

American InterContinental University (US)
Arapahoe Community College (US)
Marshall University (US)
Lawrence Technological University (US)
Harper College (US)
California Sciences Institute (US)
Lenoir Community College (US)
Regis University (US)
Boston University (US)
University of Rhode Island (US)
Catawba Valley Community College (US)
Sheffield Hallam University (UK)
Macquarie University (Australia)
Dalarna University (Sweden)
Universiteit van Amsterdam (Netherlands)

Computer forensics education directory now online

A directory providing details of computer forensics courses offered by academic institutions worldwide is now online at

http://www.forensicfocus.com/computer-forensics-education-directory

This directory will be updated each year to reflect current course offerings but additions or amendments are encouraged at any time and may be sent through our contact form.

A second directory listing courses offered by commercial training providers is planned for later this year.

US academic institutions - final call for contact details!

Hi everyone,

I hope to have something to show for our efforts in putting together a directory of academic institutions offering computer forensics courses next week but I still need a little assistance with one or two places in the US.

If you have a contact person for any of the following (teaching, rather than general admissions) could you either pass on an email address to me or ask them to contact me on admin@forensicfocus.com:

Bucks County Community College
Carnegie Mellon
Cypress Community College (I think this is Chris Curran but I don't have an email address)
Delaware County Community College
Delaware County Technical School in Aston
University of Fairfax
George Mason University (Fairfax, VA Campus)
Luzerne County Community College
University of New Orleans (is it still Prof. Golden?)
University of Northwestern Ohio
University of Central Oklahoma
Pittsburgh Technical Institute
Rutgers University
Walsh College
West Virginia University (my mails to Roy Nutter are bouncing)
Wilmington University

Many thanks for any help!

Jamie

Hidden Hymn

From http://digitaldetective.wordpress.com/2009/12/17/hidden-hym/ (republished with permission)

There is something quintessentially British about the unique blend of gusto and gibberish which makes up a Gilbert and Sullivan operetta. What is less well known, perhaps, is that Arthur Sullivan also wrote the music to the world-famous hymn ‘Onward Christian Solidiers’.

It seems he also tried his hand at a lyric to the tune, which was later discarded. Now, though, the sole surviving copy of that lyric has emerged – yet another extraordinary treasure recently found amongst a cache of forgotten manuscripts.

We are delighted to reproduce the full lyric here.

Tune: St Gertrude by A. Sullivan

Hymn for the Unsung Heros

Onward First Responders, marching as to war,
With the ACPO Guidelines going on before.
Tableaus at the ready, armed against the foe,
Forward into battle see those White Hats* go!
(*LE singers may substitute “Blue lights” here. – AS.)

Refrain

Onward First Responders, marching as to war,
With the ACPO Guidelines going on before.

Dawn of retribution! Watch the suspects stare;
They and their Redeemer know what you’ll find there!
All their nasty surfing, docs and pix and more;
See, they fear the advent of the long arm of the Law.

Refrain

Image every hard drive, every USB,
Make a very detailed chain of custody,
There will be no tiny evidential fault
Bag and tag and walk the lot then slap it in the vault.

Refrain

Run it up in EnCase, data carve ‘til dawn
Bookmark hot and gmails, all the dodgy porn,
Short and sweet the statement witnessing the crime
Which gets them off the premises or even doing time.

Refrain

Like Olympic medalists going at full steam
Onward First Responders! Ply that data stream!
Vanquish all the villains, work with all your might
Show the unbelievers just how ev’ry bit can byte

Arthur Sullivan at his other keyboard

All together now…

Onward First Responders, marching as to war,
With the ACPO Guidelines going on before.

Adroit Photo Forensics review

A review of Adroit Photo Forensics is now online here with follow up discussion available here. Many thanks to Austin Troxell for the review.

Interview with Russell May, 4N6 Investigation

An interview with Russell May of 4N6 Investigation is now online at http://www.forensicfocus.com/russell-may-interview-101209. Russell is a well known figure in the computer forensics world with a reputation for providing some of the best training courses available. Enjoy the interview!

Forensic Computing PhD, UK

There is a PhD position available at the Centre for Forensic Computing, Cranfield University, UK. The broad area for the research is the investigation of the digital evidence left on hard disks by users who have communicated via the Internet.

The start date is February 2010.

To apply please see:

http://www.jobs.ac.uk/job/AAI779/phd-studentship/

The Value of Push Button Computer Forensics

Good discussion on "push button computer forensics" at http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=4906

Original blog post at http://integriography.wordpress.com/2009/11/17/the-value-of-push-button-forensics/

Some further comment at http://www.darkreading.com/blog/archives/2009/11/pushbutton_fore.html

Academic institutions - updated

I've updated the first post of this thread with everything we have so far (in something like alphabetical order). Thanks again to everyone who's contributed and please continue sending in details of anywhere not already listed.

Thanks,

Jamie