Notifications

Clear all

actual condition of forensics in your country

Pied · 2007-03-26T10:14:16Z

Hi,I'm Japanese and work in Tokyo.In the forensic industry, I regard Japan as it being behind other countries. cry Please tell me the actual condition of forensic in your country.Question1. Do you usually do a physical copy(not imaging)? Or do you copy data directly from suspect HDD?2. There are those who say that the products which take logs based on the thought of forensic are network forensic products.Is really it network forensic? What is the definition of "network forensic"?3. What do you usually call a product like EnCase Enterprise?Live foresic?4. A cell phone of Japan differs from them of other countries.Since there is SIM lock, SIMcards are seldom used effectively in Japan.Almost all users save the telephone directory, mail data, pictures, etc. on a memory.Can the data deleted from the memory be investigated with an existing product like Paraben?As it being another whether it can be realized with a cell phone of Japan…Thanks,Pied

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by SamirDatt 18 years ago

13 Posts

8 Users

0 Reactions

1,507 Views

RSS

mikkie

(@mikkie)

Active Member

Joined: 18 years ago

Posts: 10

30/03/2007 6:31 am

Not sure what you mean by "physical copy (not imaging)", but as above, the copy is always a image of the complete hard drive bit for bit (encase physical image etc - not logical), using a write-blocker where possible, or if not then using a boot cd and network aquisition or suchlike.

hi Rich,

I'm Japanese, so as Pied.
I'm also interedted in what pied pointing out.

We usually use Solo3(of ICS) and need new two HDD.
Step1 copy physical raw data from suspect HDD to evidence HDD(1) with Solo3.
Step2 make image data from evidence HDD(1) to another HDD(2) with Solo3.
Step3 connect HDD(2) with examiner PC.

But I have never read that process here. 😯

In your process, where do you save imege data? In examiner's PC or removable HDD connected with examiner's PC?
And do you always make image data from suspect HDD to there directly, whichever criminal case or that of civil?

could you tell us,Japanese, the actual way to preserve evidence.

thanks

ReplyQuote

Rich2005

(@rich2005)

Honorable Member

Joined: 19 years ago

Posts: 541

30/03/2007 4:41 pm

Well over here, ACPO guidlines are such that you want to get a copy of the information without making any changes if possible to the original data, noting down whatever you do, so the process is repeatable at a later date by anyone such as an opposing expert.
The location you store your image shouldnt really be an issue, other than the fact it needs to be reliable, so ideally a mirrored raid - portable or network server. When copying images around its always a good idea to hash them before/after too - as images have been known to corrupt when copying across networks. One you've acquired the image, its really personal preference how you examine it, as long as you document it, the evidence is preserved already via write blocker etc.
In general i would expect most people are probably storing their image files on a big raided file server, and perhaps/probably working off local copies off those image files during analysis.
Is this what you mean?

ReplyQuote

SamirDatt

(@samirdatt)

Eminent Member

Joined: 21 years ago

Posts: 24

02/04/2007 8:06 am

Hi Pied & Rich,

Hello from India.

In India we use Voom, ICS & Logicube for creating images or forensic clones. We use Forensic Write block bridges (www.tableau.com) while using software to create images.

I had heard that AccessData www.accessdata.com offers Japanese language forensic tools - you might want to visit their Japanese distributors (UBIC) site http//www.ubic.co.jp
for more info.

Hope this helps

Samir Datt
www.ForensicsGuru.com

ReplyQuote

Page 2 / 2 Prev

Forum Jump:

Previous Topic

Next Topic

Currently viewing this topic 2 guests.

8 Forums
15.7 K Topics
92.3 K Posts
309 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed