Assistance on Software purchase
We have just had an issue where we need to seize some PCs and check for a number of media files, look into the index.dat, and check the items that have been deleted over the past X months.
As you can imagine, I am still a newbie to this and would like some guidance on what software to purchase and what methodology to approach it with.
I would prefer to outsource this but have been advised to look at a software solution first…
Can you please give some points and feedback on EnCase, FTK or other tools out there?
Buying the software is just the beginning. While FTK tends to be more "intuitive" out of the box than EnCase, none of the software really becomes useful without training. Additionally, you will need hardware, including but not limited to a dedicated examination machine, multiple drives, and write blockers.
Of course, without some experience, in the likely case that solicitors/lawyers/the courts become involved, you will have to establish your experience. Woe be the newbie examiner who was not shadowed/supervised by an experienced examiner on their first case.
As far as just reviewing the tools, there is good and bad to each, which is why you will find most examiners use multiple tools, if only to verify their results.
As a student in a computer forensics class, my school purchased FTK for us to conduct a mock investigation as our final project. So far, everyone is happy with FTK. It comes with an instruction guide that is easy to read and well detailed. You can download a demo version off their website. I think they may also be the least expensive if you buy the training version (student license).
Another free tool you can use is Helix, which is open source. This CD has many different applications you can use to conduct an investigation. Read their PDF files to learn more about specific apps and how they are used. You can boot this from a live CD and use "retriever" to search for pics, movies, and docs.
Remember to keep a chain of custody form in case you decide to outsource this investigation.
BitHead again is right on the money. I would add the following.
You need to ask:
1.) What are you going to do if I find something?
2.) Can this possibly go to court?
    a. If so, what makes me an expert witness?
3.) Is the company willing to forgo legal action if I make the wrong conclusion?
Without answers to at least these questions, you could have legal action taken against the company and yourself.
Thanks for the information on this; I really appreciate it.