As I'm dealing more with forensics from the Windows side of the world now, I am, suffice it to say, confused as hell as to why anyone would choose Windows as a forensics platform. Maybe some of you more experienced examiners can help me understand this, because right now it makes no sense at all.
Take the following, for example:
A first responder walks into an incident scene and, using Helix, grabs a dd image of the system disk off of a Windows 2003 server. A SHA1sum is taken of the source and of the final disk image. The disk storing the image is formatted as EXT3.
The disk is then delivered to the investigator.
In order for an investigator to conduct a sound investigation on this image, the following is required:
Windows XP Professional - $199
WinHex - $459
Mount-Everything Professional - $150
AccessData FTK - $1000
Mount Image Pro - $279
Digital Intelligence write blocker - let's call it $250 for the sake of simplicity.
In order to mount a dd image for FTK to get a file listing, this is what it takes:
Mount-Everything - sees the EXT3
Mount Image Pro - mounts the dd image
Total cost of tools to investigate this disk $2337
Now let's look at an alternative…
RedHat Linux Enterprise Workstation - $179
PYFlag - FREE
Sleuthkit - FREE
Autopsy - FREE
khexedit - FREE
Regviewer - FREE
Mounting a disk image?
mount -o loop,ro,nodev,noatime,noexec /path/to/image /mount/point
Total cost of tools to investigate this disk $179 (this is not even accurate because no one said you had to use RH enterprise)
Granted, the Windows tools have been heavily refined to automate the tasks involved in investigations, but the principal issue I struggle with is why use a single-minded, inferior operating system to do forensics? Why are programs like EnCase and FTK made only for Windows, when the core operating system does nothing but hamper an investigation?
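The receive, verify and mount steps of the Linux workflow sketched above, as an added shell example that is not part of the original post or of any tool it lists. It assumes the responder's hash was recorded in sha1sum's own output format, that the partition start is given in 512-byte sectors, and it uses an illustrative offset of 63 sectors and illustrative paths; the mount command is printed for review rather than executed, so nothing here needs root.

```sh
#!/bin/sh
# Added example, not from the original thread: receive a dd image, check it
# against the first responder's SHA1, and build the read-only loop mount.
# Paths, the hash file name and the 63-sector offset are assumptions.

# Compare an image against the responder's recorded hash.
# HASHFILE is in the format `sha1sum` itself writes ("<hash>  <name>").
# Returns 0 when the SHA1 matches, 1 otherwise.
verify_image() {
    image=$1
    hashfile=$2
    recorded=$(cut -d' ' -f1 "$hashfile")
    actual=$(sha1sum "$image" | cut -d' ' -f1)
    [ "$recorded" = "$actual" ]
}

# Print the read-only loop mount command for IMAGE at MOUNTPOINT.
# OFFSET_SECTORS (optional) is the partition start in 512-byte sectors,
# as Sleuthkit's `mmls` reports it for a whole-disk image; 0 or absent
# means the image is a bare partition and needs no offset.
mount_cmd() {
    image=$1
    mountpoint=$2
    offset_sectors=${3:-0}
    opts="loop,ro,nodev,noexec,noatime"
    if [ "$offset_sectors" -gt 0 ]; then
        opts="$opts,offset=$((offset_sectors * 512))"
    fi
    printf 'mount -o %s %s %s\n' "$opts" "$image" "$mountpoint"
}

# Stand-alone demonstration on a constructed (fake) image file.
demo() {
    work=$(mktemp -d)
    image="$work/win2003.dd"
    # Constructed contents; a real image would come from dd via Helix.
    printf 'constructed evidence image, not a real disk\n' > "$image"
    # The responder's record, as written by `sha1sum image > image.sha1`.
    sha1sum "$image" > "$image.sha1"

    if verify_image "$image" "$image.sha1"; then
        echo "hash matches responder's record: image intact"
    else
        echo "HASH MISMATCH: stop and document before going further"
    fi

    # Whole-disk image: first partition at an assumed offset of 63 sectors.
    mount_cmd "$image" /mnt/evidence 63
    # Bare partition image: no offset needed.
    mount_cmd "$image" /mnt/evidence

    # Append one byte to simulate an altered image; the check must now fail.
    printf 'x' >> "$image"
    if verify_image "$image" "$image.sha1"; then
        echo "unexpected: altered image still verifies"
    else
        echo "altered image correctly rejected"
    fi
    rm -rf "$work"
}

demo
```

The mount line in the post is right for an image of a single partition; for a whole-disk dd of a Windows 2003 server the NTFS volume starts some sectors in, and `mmls` from Sleuthkit gives the offset to pass as `offset=`. Note that `ro` stops writes through the mount but, for a journaled file system such as ext3, the kernel can still replay the journal into the image unless `noload` is also given, which is one more reason to re-run the hash check after the analysis and keep both results with the case notes.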
…why use a single-minded, inferior operating system…
Oddly enough, I think you may have just answered your own question.
It's not the job of the investigator/analyst to necessarily make judgements…their job is to locate and present facts. They do so using the tools at their disposal.
Tools like EnCase are expensive, but as you pointed out, they help to automate the overall investigative process. Think of it this way…all that time you've invested in learning Linux, installing PyFlag, etc…that probably was a good deal of time, wasn't it? Well, most cops in this field don't have that kind of time. Nor do they have time for the kind of research that a lot of us do…they need tools and processes that automate this process.
Also, your scenario may not be representative. I have no doubt that it's what you're familiar with, but others may be familiar with less expensive scenarios. Different scenarios are going to result in different costs.
H. Carvey
"Windows Forensics and Incident Recovery"
http://windowsir.blogspot.com
Sure, it takes time to install and learn how to use an OS, but can't the same be said for Windows and EnCase/FTK? That's why they have the training courses and certs, is it not?
The costs may be skewed, but that's what it's taken me, a non-LE individual, to get started on using Windows to conduct a forensic investigation. I'm all for doing things on the cheap, so if you or someone else can recommend cheaper Windows tools to accomplish the same tasks, please indulge me.
I certainly agree with your assessment on cops not having the time.
Sure, it takes time to install and learn how to use an OS, but can't the same be said for Windows and EnCase/FTK?
True, but that time is greatly reduced, simply by the nature of the beast. There are several organizations (some staffed by former LEOs) that provide complete forensic workstations…with all readers, bays, and write-blockers included. Many of these systems that I've seen come installed w/ Windows and EnCase.
Not all LE digital forensics offices set up their own equipment. In many cases, they get space, and budget to purchase the h/w and s/w they need. There are instructions and SOPs available for setting up and managing labs, assembling jump kits, etc.
The costs may be skewed…
Well, for starters, if you're looking for a Windows solution, I'm not entirely clear on why you're writing the dd image to an ext3 drive. If I were looking at using Windows, I'd go with FAT or NTFS.
Second, I'm not clear on why you're using a hardware write-blocker on Windows, but not on Linux.
For forensic analysis of the image, I'd go with either FTK or ProDiscover, as a start. I'm not sure what you're using WinHex for…I know what it is and what it can be used for, but in the Linux listing of tools you list khexedit…so I can only assume that you're using WinHex as a hex editor…and there are decidedly less expensive ones available.
In a nutshell, though, I think that it all depends upon what it is you're doing in your cases.
I certainly agree with your assessment on cops not having the time.
Well, that's what I've gotten from them.
H. Carvey
"Windows Forensics and Incident Recovery"
windowsir.blogspot.com
Cost is a big factor when starting a new enterprise. Probably the biggest. There are places to cut costs and places not to. Outside of training, I think your forensic tools are the last place to scrimp. I feel obligated, based on what I charge, to conduct examinations as efficiently as possible. By that I mean to conduct a thorough examination, leaving no stone unturned, but billing as few hours as possible.
On the law enforcement side again I think efficiency is the biggest necessity. There is a tremendous case load, with big consequences for the accused. Examiners need to be able to conduct good analysis in a reasonable time.
Another thing to consider is the support you receive from a software vendor. If their application's validity is challenged in court, will they come to defend it? Has it successfully stood up to challenges? Just because you and I may understand that an open source application is perfectly suited to a particular task, will the Judge understand it? That's what it ultimately comes down to in every case. He may not buy any of it, but I'll stack the deck in my favor as much as possible going in.
gmarshall,
Absolutely 100% agree. What I question is the industry and CFTT not testing open source tools as readily as they do commercial ones, and the vendors not providing their tools for a Linux operating system (other than ASRdata). As a core OS, Linux is much more flexible than Windows ever will be. I'd happily run FTK on my Linux box if I could do so reliably.
An interesting question was raised recently to me. What happens when a bug is found in a tool like EnCase or FTK while processing a case, or while a case is in court? That could technically destroy a case just as readily as a flaw in an open source tool.
Harlan,
The khexedit - WinHex comparison wasn't fair of me. I use WinHex to do a lot more than just hex editing. khexedit is what came to mind when thinking of an OSS hex editor with some features.
As for using EXT3, that's just become our standard methodology because we pass out Helix for first responders. I chose to get FTK over SMART (which is why I'm using Windows) because I can get the most bang for the buck out of it.
Greg,
Well said. I think you covered the salient points very well.
As far as starting your own business, it makes sense to go with the things that work…how can you provide a thorough service for the least initial investment? Once the work comes in, and your paying customers are paying, you can start getting those more expensive tools and software products, amortizing the cost over several customers.
Hogfly,
"…the vendors not providing their tools for a linux operating system."
In an ideal business world, things like this are based on a sound business case. What is the material benefit of Guidance Software providing EnCase on Linux systems? Is there one? How about ProDiscover?
I agree, it's a nice-to-have, but I know enough about the workings of the products to know that major portions of each would have to be rewritten, as they use the MS API for many things.
Regarding file systems, dd images copied to a FAT file system don't affect the images themselves, but are flexible enough to be used on both Windows and Linux platforms without too much trouble or additional software. Just a thought.
H. Carvey
"Windows Forensics and Incident Recovery"
http://windowsir.blogspot.com