Since when did it become acceptable in Forensics to Tamper with Live Evidence?
Tampering with evidence is of course not acceptable and I don't think anybody is stating that.
However, live forensics (as in doing an acquisition on a running system) is increasingly important, as this can allow you to retrieve useful information that you can't retrieve when doing a 'classical' hard drive acquisition. And yes, if you do live forensics (run FTK Imager Lite on a system, use COFEE, insert a Helix USB stick, run your own set of scripted commands, and so on) you are modifying memory and possibly hard drive contents.
If you carefully take notes of what you are doing and use known tools, any artefacts inserted by the investigator can be explained and should not negatively impact any conclusions drawn.
I see two things wrong with this: pedophiles getting let off on a technicality and Microsoft doing what it does best by paving the way forward for a huge anti-trust lawsuit!
References to pedophiles are IMHO becoming some sort of [url=http//
In the anti-trust statement I am simply saying: how can you trust COFEE to do the job when a virus that spreads via USB could in theory alter the MD5 sum of COFEE itself?
Let's not forget it's closed source. I don't trust it; I would rather use Guardian Digital's EnCase USB. If COFEE was made open source then there is a willing community of people who would help to contribute to it; of that there can be little doubt.
But there are a lot of things to consider: does it, being a Microsoft product, simply recover passwords from Internet Explorer and not Opera, as Opera is a non-Microsoft product, and did they take that into account when they made the tool? Food for thought!
you are modifying memory and possibly hard drive contents.
In forensics that's frowned on, which is why people have spent a great deal of time developing ways to mirror a suspect's hard-disk drive using tools like LibEWF so you can read from the disk image. You never write to it or modify its contents; that is a huge "no, no", as the courts take the dim view that it's data tampering and modifying the evidence, which leads to the evidence being classed as inadmissible!
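Two checks come up repeatedly in this thread: that the tools you carry onto a live system are the ones you documented (the MD5-altering-virus concern above), and that a disk image is only ever read, never written. The script below is an added example, not code from the thread or from COFEE, EnCase, LibEWF or any other tool named here; every file name and file content in it is constructed for the demonstration. It builds a hash manifest of a tool kit, detects when one tool on the stick has been altered, and records an acquisition of an image opened strictly read-only, confirming the image's size and modification time are unchanged by the read.

```python
"""Integrity checks for a forensic tool kit and for an acquired disk image.

Added example (not from the forum thread or any tool named in it). All file
names and contents below are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB chunks so a large image never sits in RAM


def hash_file(path, algorithm="sha256"):
    """Hash a file opened strictly read-only. SHA-256 is the default; "md5" is
    accepted only so a legacy manifest can still be compared."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:  # "rb": read mode only, no truncation
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(tool_dir):
    """Record the known-good hash of every tool before the kit leaves the lab."""
    return {name: hash_file(os.path.join(tool_dir, name))
            for name in sorted(os.listdir(tool_dir))}


def verify_manifest(tool_dir, manifest):
    """Return the names of tools that are missing or whose current hash differs
    from the manifest. An empty list means the kit is exactly as documented."""
    bad = []
    for name, expected in manifest.items():
        path = os.path.join(tool_dir, name)
        if not os.path.exists(path) or hash_file(path) != expected:
            bad.append(name)
    return bad


def acquisition_record(image_path, tool_name):
    """Document an acquisition: what was read, its size, its hash, when, and
    with which verified tool. This is the note-taking the thread refers to."""
    before = os.stat(image_path)
    digest = hash_file(image_path)
    after = os.stat(image_path)
    # A read-only workflow must leave size and modification time untouched.
    assert (before.st_size, before.st_mtime) == (after.st_size, after.st_mtime)
    return {
        "image": os.path.basename(image_path),
        "bytes": after.st_size,
        "sha256": digest,
        "tool": tool_name,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


def demo():
    """Constructed scenario: a two-tool kit, one tool later altered on the stick."""
    with tempfile.TemporaryDirectory() as work:
        kit = os.path.join(work, "kit")
        os.mkdir(kit)
        with open(os.path.join(kit, "imager.exe"), "wb") as f:
            f.write(b"constructed imager binary v1")
        with open(os.path.join(kit, "ramdump.exe"), "wb") as f:
            f.write(b"constructed memory dump tool")
        manifest = build_manifest(kit)
        clean = verify_manifest(kit, manifest)  # [] -> kit is intact

        # Something on the stick appended bytes to one tool; the hash no longer matches.
        with open(os.path.join(kit, "imager.exe"), "ab") as f:
            f.write(b"\x00extra")
        tampered = verify_manifest(kit, manifest)  # ['imager.exe']

        # A constructed "disk image": 4096 zero bytes followed by a marker string.
        image = os.path.join(work, "suspect.dd")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed image data")
        record = acquisition_record(image, "ramdump.exe")
        same_after_reread = hash_file(image) == record["sha256"]
        return clean, tampered, record, same_after_reread


if __name__ == "__main__":
    clean, tampered, record, ok = demo()
    print("kit intact before tampering:", not clean, "| altered tools:", tampered)
    print(json.dumps(record, indent=2))
    print("image hash stable on re-read:", ok)
```

In practice the manifest would be generated on a trusted lab machine, stored off the USB stick (or on a write-protected one), and checked against the kit at the start and end of every engagement; the acquisition record goes into the case notes next to the hash the imaging tool itself reports.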
In the anti-trust statement I am simply saying: how can you trust COFEE to do the job when a virus that spreads via USB could in theory alter the MD5 sum of COFEE itself?
Ah, that would however be a quite literal interpretation of anti-trust ) and would definitely be different from the earlier
Let's not forget it's closed source. I don't trust it; I would rather use Guardian Digital's EnCase USB. If COFEE was made open source then there is a willing community of people who would help to contribute to it; of that there can be little doubt.
I don't think EnCase is open source either?
A tool is just a tool, you should know its possibilities and limitations and wherever possible verify any findings using another tool or using manual verification. Just like a hammer doesn't automatically build a table, a forensic tool won't automatically find the evidence and write your report.
A lot has been said about COFEE already. It's a tool for a specific niche type of operations (as in unskilled people being the first onsite), does not give you all the secret keys to the MS kingdom and is LE only for some unknown reason.
I concur that for untrained personnel who need to, say, secure the password quickly to find out who they've been talking to over the Internet, then it presents a distinct advantage: whip it out of your pocket and away you go.
But I'll stick to using tools like Guymager and The Sleuth Kit for analyzing data recovered from a suspect's machine. When you present your findings in Expert Witness Format, then there are no grounds for the defense.
I don't think EnCase is open source either?
EnCase LinEn for Linux was, but it's been superseded by better and faster.
Helix is also a little bit dark ages; try an Ubuntu DVD, free forensics tools are in the Synaptic repository. )
People don't have to be an expert to use them, but reading the manual that comes with the tool always helps. Being open source, it also stands up to scrutiny better.
Edit: Oops, just checked Helix and saw it's now Version 3 Enterprise; shows how long it's been since I looked at that. Too busy reading about DECAF and OCFA. Oops.
http://ocfa.sourceforge.net/
Hmm, I missed this part two posts back:
you are modifying memory and possibly hard drive contents.
In forensics that's frowned on, which is why people have spent a great deal of time developing ways to mirror a suspect's hard-disk drive using tools like LibEWF so you can read from the disk image. You never write to it or modify its contents; that is a huge "no, no", as the courts take the dim view that it's data tampering and modifying the evidence, which leads to the evidence being classed as inadmissible!
I tend to disagree. Your description depicts the situation as it was a couple of years ago, when indeed every modification to an original drive could easily lead to the evidence being challenged and even made inadmissible.
However, sticking to that method will (in specific cases) lead to valuable and possibly essential information being missed. That's where live forensics comes into play. And just to make sure we are talking about the same thing: in a lot of cases you will still create a disk image in such cases, but you might run some tools before you do that to capture RAM contents or running processes, and/or you will run your imaging software while the system is booted (for example to access an encrypted volume).
A live image is in my opinion and experience definitely not something you can't use in court. More and more forensic policies and standards are updated to reflect this (not to reflect my opinion, but the contents of my opinion ;)).
You've hit the nail on the head.
Gh0st, I'm sorry to say, but you're a little stuck behind the times. Live forensics evidence has been used in court and has been accepted.
I can't speak for COFEE, I've never worked on it. But as I was part of a team instrumental to building live forensics software in the past, I can assure you, your concerns are unfounded and also not necessarily accurate.
In the case of the live forensic applications I worked on, NO changes were made to the HDD. There was no need for data to be written locally.
Now for very obvious reasons, some changes will be made to ram. After all, a program has been executed. However, the footprint should be kept to a minimum and as already stated, what is gained far outweighs what is overwritten.
What if you power off a system with full disk encryption? You will most likely never get this evidence back. Image it while it's live and you have all you need to process the case…