A few questions from a person about to start their 1st case

2 Posts
2 Users
0 Reactions
356 Views
(@howco21)
New Member
Joined: 18 years ago
Posts: 2
Topic starter  

Hi people,

It is quite likely that I will be starting my first real case soon and needless to say, I am looking forward to it (albeit a little nervous). In my opinion, forensics is a confidence thing and I believe that my EnCase skills are adequate, but before I get 'thrown into the deep end', I would like to ask a few questions. I have quite a few questions to ask, so I apologise if they seem rather cheeky and long winded…

1. The use of live forensics or analysing images post mortem (the 'conventional' way). In the work I will be doing, I will most likely be given suspect media (mostly hard drives), so I guess live forensics wouldn't really come into play?

I'm quite interested in this type of methodology and intend to research it, so am I right in saying the above, and how often have you used live forensics, if at all?

2. What are your opinions on using VMware? In what situations do you deem this suitable during an investigation, or is it a case of "how long is a piece of string"? I have used this before on an example case given to me. The way in which I used it was to logically restore an EnCase image to a blank drive in the hope that using VMware would allow me to view some proprietary file formats live. Quite long winded, as I know there are simpler ways of doing this.

3. Mac and Linux forensics. I am of the opinion that this will become more common over time, especially Macs. The question I would like to ask is what proportion of the cases that you deal with involve Mac or Linux? Also, what books or other information are available covering Mac and Linux forensics that you would recommend?

4. Unallocated clusters - how do I go about carving files from unallocated clusters? What software do you perceive as the best at carving files out of unallocated clusters? I heard people find WinHex a generally more powerful application for this than EnCase v6. What are your opinions on this?

5. A silly and embarrassing question really (I'm in doubt over my own skill at the moment). I think I know the answer, but I'm looking at the users within the SAM file within EnCase. Does the fact that each user has an NT hash or LAN Manager hash indicate that the user account has a password associated with it?

6. How do you record your forensic methodology? I'm thinking of recording dates, times and a description of everything I do. Is this overkill? I understand that forensic methodology must be recorded and that everything must be forensically sound - do you do what I mentioned above? If not, what do you record?

Thanks for your patience. Just need a little confidence and the first case under my belt. 😯

Kind Regards,

howco21
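Question 4 asks how carving from unallocated clusters actually works. Below is an added example (my code, not anything from this thread or from EnCase, WinHex or FTK) of the header/footer technique those tools automate: walk the unallocated data at sector boundaries, match known file signatures, and cut from the header to the matching footer. The signatures, sector size, size cap and the sample "unallocated" blob are all constructed for the demonstration.

```python
"""Header/footer file carving over a constructed block of 'unallocated' data.
Added example, not code from the thread or from EnCase/WinHex/FTK."""
import os
import sys

SECTOR = 512                   # scan granularity: files normally start on a sector/cluster boundary
MAX_CARVE = 16 * 1024 * 1024   # stop looking for a footer beyond this many bytes after a header

# Well-known magic values: type -> (header, footer).  Constructed subset for the demo.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAEB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(data, signatures=SIGNATURES, sector=SECTOR, max_size=MAX_CARVE):
    """Return (found, orphans).

    found   : [(type, offset, carved_bytes)] for each header at a sector boundary
              whose footer appears within max_size bytes (contiguous files only).
    orphans : [(type, offset)] for headers with no footer in range; these are the
              ones worth opening in a hex viewer rather than silently dropping.
    """
    found, orphans = [], []
    for off in range(0, len(data), sector):
        for kind, (header, footer) in signatures.items():
            if not data.startswith(header, off):
                continue
            window_end = min(len(data), off + max_size)
            end = data.find(footer, off + len(header), window_end)
            if end == -1:
                orphans.append((kind, off))
            else:
                found.append((kind, off, data[off:end + len(footer)]))
            break  # one file type per starting sector
    return found, orphans


def write_carved(found, outdir):
    """Dump each carved object as carved_<offset>.<type> so it can be hashed and bookmarked."""
    os.makedirs(outdir, exist_ok=True)
    for kind, off, blob in found:
        with open(os.path.join(outdir, f"carved_{off:08x}.{kind}"), "wb") as fh:
            fh.write(blob)


def build_sample_image():
    """Constructed 12-sector 'unallocated' blob: zero fill plus three tiny but
    structurally plausible files and one truncated JPEG (header, no footer)."""
    image = bytearray(SECTOR * 12)
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xAEB`\x82")
    jpg = b"\xFF\xD8\xFF\xE0" + b"JFIF-payload" * 5 + b"\xFF\xD9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    truncated = b"\xFF\xD8\xFF\xE1" + b"\x11" * 40
    for sector, blob in ((2, png), (5, jpg), (9, pdf), (11, truncated)):
        start = sector * SECTOR
        image[start:start + len(blob)] = blob
    return bytes(image)


if __name__ == "__main__":
    # Pass a raw dump of unallocated clusters as argv[1]; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    found, orphans = carve(data)
    for kind, off, blob in found:
        print(f"{kind} at offset {off:#x}, {len(blob)} bytes")
    for kind, off in orphans:
        print(f"{kind} header at offset {off:#x} with no footer in range")
```

Run as-is and the three contiguous files come out while the footerless JPEG header lands in the orphan list; pass a path to a raw export of unallocated clusters to run it on real data. Fragmented files, and files whose footer also occurs inside an embedded object (a JPEG thumbnail inside a JPEG, for instance), are where this simple approach breaks down; a commercial carver's larger signature set and bookmarking help with the first problem only partly, so the result always needs a sanity check against the file's own structure.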
neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182

Hi,

1.
Live forensics mostly comes into play when you are presented with active computers; there may be mounted volumes or files that will become encrypted if the computer is powered down. When a disk is encrypted on the fly, using FTK or similar from a live CD like Helix is a method of obtaining an image of the decrypted volume. I have acquired such an image after decrypting a clone of the original disk. RAM dumps from active computers can return valuable information that would otherwise be lost.

2.
No method is perfect, I'm afraid.

3.
In my recent experience Macs turn up in 20% of cases at least but I rarely come across Linux.

4.
FTK and EnCase automate the process and allow bookmarking, reporting, exporting etc. Carving using WinHex would be a chore in comparison.

5.
I'm with you on that one.

6.
Record everything; it becomes second nature after a while. It does not have to be overly detailed, but it is important to record all methods employed, case tools used and observations made during your examination. Basically, if someone else had your notes in their hand, they could repeat everything you did and end up with the same results.

Good luck!
