Newbie requesting advice

(@kpryor)
Trusted Member
Joined: 19 years ago
Posts: 68
Topic starter  

Thanks Margo, I appreciate the suggestion.
KP


   
(@bgrundy)
Trusted Member
Joined: 19 years ago
Posts: 70
 

> I have no budget to work with, so I'm going to have to come up with the funds and/or free stuff to do the job if I'm going to do it at all.

Hi KP,
I just saw this thread today, and thought I'd throw in my $.02. I started out in much the same way. I was working in the Ohio AG's office and we wanted a sort of "in-house" capability. Ohio BCI has a computer crimes unit already (an exceedingly good one) and so it was tough to get funding. So I started with an old Compaq desktop disassembled, a copy of Norton DiskEdit, RedHat 6.2 and Ilook.

I say this because you can basically do the same. Linux has come a long way. If you are working on a tight budget, you can set Linux up on most any hardware and use it with free software to do much of your own imaging and analysis. As a Law Enforcement officer, you would have access to a free copy of Ilook Investigator as well for a Windows analysis platform. It includes a robust imaging tool.

http://www.ilook-forensics.org/

I'm partial to sticking with Linux, but for a free solution (and if you prefer Windows), Ilook is nice. The interface is not very intuitive, but there's free training for LE available through NW3C:

http://www.nw3c.org/ocr/courses_desc.cfm?cn=ILook%C2%AE

> I'm a little familiar with Linux, having set up an in-house mail server and web server at the police department, but nothing much beyond that. I've messed around with Knoppix and used it while doing Windows machine repairs as well.

If you want more of a background on using Linux for forensics, I'd like to point you to a paper I wrote:

ftp://ftp.hq.nasa.gov/pub/ig/ccd/linuxintro

I've used that paper to teach Linux forensics all over the place. There are hands-on exercises included. It could give you some ideas on where to begin. The version on that server (2.05) is getting old. I have a newer updated version (2.55), used for a recent class in England, that I'm trying to get put up there. The newer version is updated for Slackware and TSK/Autopsy 2.x. If you want 2.55, pm me and I'll send it to you. I'm also working on a complete re-write to be released in a couple of months.

Anyway, I hope some of this helps a little. Forensics *can* be done on a shoestring in the short term. In the long term, however, you need to keep in mind constantly changing hardware requirements, software advances, and most importantly *proper training*. All of these will eventually require some sort of consistent funding. Otherwise you're just dabbling in it. Good luck!

Barry
NASA OIG CCD


   
(@kpryor)
Trusted Member
Joined: 19 years ago
Posts: 68
Topic starter  

Thanks very much Barry! I downloaded the paper you wrote a few days ago, but I'll pm you for the newer one. It looks like just what I need to get started. I appreciate the advice and assistance.
KP


   
farrahyde
(@farrahyde)
Eminent Member
Joined: 19 years ago
Posts: 21
 

OooOO very nice open source read. Thank you for posting.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Barry,

Great read!

Remember... many of the tools I've written run on Perl, regardless of the underlying OS.

H


   
(@echo6)
Trusted Member
Joined: 21 years ago
Posts: 87
 

> The newer version is updated for Slackware and TSK/Autopsy 2.x. If you want 2.55, pm me and I'll send it to you. I'm also working on a complete re-write to be released in a couple of months.

Cool, will look forward to that :-)

Are we going to see v3 of your guide updated for Gentoo? 😉

KP: seriously, seriously consider Barry's recommendation. There's an abundance of live Linux CDs which are also ideal for assisting you on your journey, including some suitable for forensics. Take a peek at the Forensic Boot CD http://www.forensicbootcd.com; it is not quite free, but if you have some spare cash then it would be money well spent.


   
(@bgrundy)
Trusted Member
Joined: 19 years ago
Posts: 70
 

I appreciate the kind words. As soon as I get 2.55 on the ftp site, I'll let everyone know here. At the very least, the formatting is *much* better and more readable (command outputs), along with the updated TSK stuff.

Harlan: I keep your tools close at hand. One of these days I'll get time to test more completely on Slackware and provide the feedback you are always asking for (and rightly so).

echo6: You know I love Gentoo. But I'm stuck on Slack for forensics. Just try and teach a week-long class that starts with a Gentoo install:

"Okay everyone, once you start "emerge -vuD --newuse world" and get through "etc-update", we'll take a break... be back in the classroom day after tomorrow at 1600"

:D


   
(@kpryor)
Trusted Member
Joined: 19 years ago
Posts: 68
Topic starter  

> KP: seriously, seriously consider Barry's recommendation. There's an abundance of live Linux CDs which are also ideal for assisting you on your journey, including some suitable for forensics. Take a peek at the Forensic Boot CD http://www.forensicbootcd.com; it is not quite free, but if you have some spare cash then it would be money well spent.

I'm downloading Slackware even as we speak. I'll take a look at forensicbootcd as well. I'm quite intrigued by the various things Linux offers, so I'll definitely be having a long look at it.
KP


   
(@echo6)
Trusted Member
Joined: 21 years ago
Posts: 87
 

> Just try and teach a week-long class that starts with a Gentoo install

LOL :-)

> I'm downloading Slackware even as we speak.

Joking aside, Slackware is a no-frills Linux distro very suitable for forensics. It is in use by forensicbootcd and SMART Linux http://www.asrdata.com.

Linux has a steep learning curve, so please persevere. By understanding Linux you may be pleasantly surprised at how much knowledge of other operating systems you can gain.

I would also recommend you read "Next Generation Data Forensics & Linux" http://www.crazytrain.com/monkeyboy/Next_Generation_Forensics_Linux.pdf
and "Building a Super Kernel for Data Forensics" http://www.crazytrain.com/monkeyboy/FSK.pdf. Although a bit dated, they are still relevant. Who knows, perhaps we can poke Thomas into updating these papers. Although I doubt we will get him to include any mention of Gentoo in there 😉


   
(@kpryor)
Trusted Member
Joined: 19 years ago
Posts: 68
Topic starter  

Thanks Echo! I've worked with CentOS Linux in the past, but would not consider myself proficient. I use Knoppix fairly often these days, so I have some foundation, but I figure using Slackware is going to be an eye opener.

I'll download those PDFs and have a look at them. Thanks!
KP


   