±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36231
New Yesterday: 4 Visitors: 153

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Forensic PC anti-contamination procedures

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2, 3, 4, 5  Next 
  

Fab4
Senior Member
 

Forensic PC anti-contamination procedures

Post Posted: Aug 21, 09 17:24

Hello all. We are a growing lab and are making some changes to our set-up which is provoking much debate within the team.

We have a server with 8 hot-swappable bays. The working copy of an image being actively analysed is maintained on the server, where one drive = one case - clearly stored securely when analysis not occuring.

The server shares the image to one or more of several forensic client PCs during analysis, with the analyst maintaining a virtual case file on that PC, backed up elsewhere at the end of each day.

Our debate revolves around how anti-contamination procedures on the forensic clients can be undertaken both appropriately (to avoid challenges relating to tainted evidence) and efficiently.

Suggestions range from;
DoD wiping the client, re-installing OS and all apps prior to next case.
to
Each case has its own partition on the client HDD, which is DoD wiped prior to a new case being allocated to it.
through to
There's no need to wipe anything - rely on AV procedures, an image is a logical file in itself.

Persusive arguments are being made for each option!

It would be great to hear what others (would) do. Many thanks.  
 
  

keydet89
Senior Member
 

Re: Forensic PC anti-contamination procedures

Post Posted: Aug 21, 09 18:00

- Fab4

Our debate revolves around how anti-contamination procedures on the forensic clients can be undertaken both appropriately (to avoid challenges relating to tainted evidence) and efficiently.


I'm not sure I follow the argument....if the original evidence is maintained separately and can be verified, how would it be tainted by a client PC?

I have no idea where your facility is or what it is you do, but let's say, for example, that in analyzing an image, one of the examiners finds CP. Is this discussion around evidence being tainted if a client PC becomes infected with a Trojan or virus of some kind? I don't see how this would be an issue, b/c you can deal with the infected PC and still have your original evidence, untainted.

Maybe a way to address your concern is through virtualization...have everyone use VMs.  
 
  

kovar
Senior Member
 

Re: Forensic PC anti-contamination procedures

Post Posted: Aug 21, 09 20:12

Greetings,

For one client, we use virtual machines for each case. The EnCase images, installers for tools, and the EnCase file hierarchy live on the host's disk for performance reasons.

As Harlan notes, as long as the original evidence is in a locked evidence container, it cannot be contaminated. The work product could be contaminated by a virus/accident on the host or on the VM but we could go back to the original evidence with a fresh VM and start over again.

In your situation, I know many examiners would wipe the client, reinstall from a base Ghost image, and update everything, which is essentially what we do with VMs.

In discussions about best practices, it is often suggested that you wipe any disk or partition prior to storing evidence or work product on it to avoid the possibility of contamination.

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 
 
  

Fab4
Senior Member
 

Re: Forensic PC anti-contamination procedures

Post Posted: Aug 21, 09 20:34

- keydet89
you can deal with the infected PC and still have your original evidence, untainted.


That seems supportive of the third option in my post.

To clarify, the question is;

do you work on several images/cases at a time, using the same forensic PC

and/or

do you undertake any 'cleaning' of your forensic PC between working on one image and working on the next image?

Or do you do something entirely different?

Hope that helps.  
 
  

jhup
Senior Member
 

Re: Forensic PC anti-contamination procedures

Post Posted: Aug 21, 09 21:11

I think using the VMs is an excellent idea.

It not only isolates the VM from the host, but also provides a fast way to create a dedicated VM for each case, if need be; and allows sanitizing (or cleaning) of the VM instance.

What is the downside using such VM setup?

I am going to have to rethink how my lab will look.  
 
  

kovar
Senior Member
 

Re: Forensic PC anti-contamination procedures

Post Posted: Aug 21, 09 21:20

Greetings,

We can also archive the entire analysis environment, including a running operating system, the installed tools, patches, etc. If someone wants us to look at a five year old case, we can use the exact environment we used 5 years ago.

There is a performance hit, though I've not measured it. Keeping everything but the OS files on the host file system via shared folders works much better than using the virtual system's filesystem.

We're running the VMs on a 14GB Mac Pro with 1.7TB of RAID in an effort to provide as many resources as possible. For off the shelf, non-server hardware, this is about the best you can do, I think.

VMware only passes USB through to the client. Firewire and eSATA do not pass through, making VMs less than ideal for imaging.

You need to be a bit careful with you configuration and active focus when plugging USB devices and dongles in to ensure they show up in the right place.

This arrangement allowed us to run FTK 2.x with a standalone Oracle server and multiple clients, which was helpful for testing it out.

You can isolate the VM from the network, or connect the VM via an isolated virtual network to a sniffer.

We've built out server base images - Windows 2003 Server, XP, and 32 and 64 bit versions of each. Currently, EnCase isn't installed in the image as it is quick to install, but I may install it in one image so I can also pre-install the NIST database, our standard EnScripts, etc.

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 
 
  

Patrick4n6
Senior Member
 

Re: Forensic PC anti-contamination procedures

Post Posted: Aug 22, 09 08:57

- Fab4
Suggestions range from;
DoD wiping the client, re-installing OS and all apps prior to next case.


You don't DoD wipe in Forensics. The proper method of forensic sterilisation of media is to completely overwrite the drive with a single known character, generally 0x00. The reason for using 0x00, is that you can then read the drive using a CRC32 or CRC64, and if the resultant hash is all zeros, your drive is sterile.

Wipe, verify zero, and you are set.

As a general principle, forensic sterilisation is only required for restore drives, forensic copy (as opposed to imaging), and for target drives that you are taking into the field. Restore and forensic copy drives are sterilised so that no data from another job exists after the end of your restore or copy, and field acquisition drives are wiped so that sensitive data is not taken out into the field unnecessarily, and so there is no argument that you are contaminating their computer, or your image on site.

I have never had the practice of wiping my systems completely after each job. I have a backup of my standard build, and a forensic image of each forensic workstation that I can restore if an error is located. In almost 400 forensic computer examinations, the only time I've ever had to restore my master was from the failure of a 60GB IBM Deathstar that was my system drive.

As other posters have said, so long as you maintain chain of custody, and get your master image into an evidence locker as soon as possible, any arguments of contamination can be defended against.
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 
 

Page 1 of 5
Page 1, 2, 3, 4, 5  Next