Yes m7Sec, that is exactly what I am talking about: my exam drive (containing forensic tools for each case).
I plan on doing it; being in law enforcement for so long, it's better to always CYA.
Thanks again
My Recommendation
1) Forensically wipe your forensic workstation's hard drive.
2) Install the base OS (XP, Linux, etc., your preference) and all your forensic tools. Ensure that you have all current critical OS patches, antivirus with current definitions, etc.
3) Create an image of your forensic workstation's hard drive.
4) Work on your case (#1 for example).
5) When the case is completed or closed, forensically wipe the drive of your forensic workstation.
6) Restore the image created in step 3 to your forensic workstation's drive. Update critical patches, virus definitions, etc.
7) Create another image.
8) Work on the next case (#2 for example) and, when that case is completed or closed, start again with steps 5 through 7 to prepare for the next case.
So basically, all you have to do is maintain a current image of your forensic workstation and restore it every time after forensically wiping your hard drive at the end of each case, so it is ready to go for the next case.
I disagree with the instruction to wipe on each occasion. If you are making a forensically sound 'image' of the suspect drive using, say, EnCase or Linux dd (to dd image files), and most practitioners use this method, then there is no point whatsoever in wiping the storage drive each case. You are wasting your time. An 'image' is an exact bit-for-bit copy of the original held in a 'container' (either dd or EnCase proprietary evidence files). Therefore, there is no chance of cross-contamination from previous cases. The image is verified with a hash value; change one single bit from a one to a zero and the hash is entirely different. This would be spotted during the authentication procedure, as Greg rightly mentions.
Also, many practitioners now store and investigate cases on a large-capacity server, so wiping isn't feasible.
If you are copying the entire file structure directly to another disk, replacing it in the original machine and examining it in its native environment, then yes, under these circumstances I agree it would be best practice to forensically wipe the storage drive, as there may well be cross-contamination.
Andy
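The image, hash and restore steps from Mark's list, and Andy's point that a single flipped bit breaks hash authentication, as an added shell example that is not code from this thread. It assumes GNU coreutils (dd, sha256sum, od, cmp) on Linux; the "drive" is a constructed 64 KiB file so no real device is touched, and the wipe steps, which need a real device, are left out.

```shell
#!/bin/sh
# Added example, not code from the thread: a dd-based version of the
# image/hash/restore workflow.  Assumptions: GNU coreutils (dd, sha256sum,
# od, cmp) on Linux; the "drive" is a constructed 64 KiB file standing in
# for a real device, and the forensic-wipe steps are deliberately omitted.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DRIVE="$WORK/workstation.bin"   # stand-in for the workstation drive (/dev/sdX)
IMAGE="$WORK/baseline.dd"       # the raw dd image, i.e. the "container"

# Constructed sample data: 64 KiB of random bytes plays the role of the drive.
make_drive() {
    dd if=/dev/urandom of="$DRIVE" bs=4096 count=16 status=none
}

# Steps 3/7: take a bit-for-bit image and record its SHA-256 beside it.
# Prints the recorded hash.
acquire_image() {
    dd if="$DRIVE" of="$IMAGE" bs=4096 conv=sync,noerror status=none
    sha256sum "$IMAGE" | cut -d' ' -f1 > "$IMAGE.sha256"
    cat "$IMAGE.sha256"
}

# Authentication: recompute the hash and compare it with the recorded one.
# Prints OK or MISMATCH and returns 0/1 so callers can branch on it.
verify_image() {
    recorded=$(cat "$IMAGE.sha256")
    current=$(sha256sum "$IMAGE" | cut -d' ' -f1)
    if [ "$recorded" = "$current" ]; then
        echo OK
        return 0
    fi
    echo MISMATCH
    return 1
}

# Step 6: write the verified image back over the drive, then confirm the
# drive is byte-identical to the image.  Prints RESTORED on success.
restore_image() {
    verify_image > /dev/null
    dd if="$IMAGE" of="$DRIVE" bs=4096 conv=notrunc status=none
    cmp -s "$IMAGE" "$DRIVE" && echo RESTORED
}

# Flip exactly one bit of the byte at offset 1000 inside the image to show
# that the recorded hash no longer authenticates it.  Bit 0 is flipped,
# except when the byte is 1, where bit 1 is flipped instead so the result
# is never a NUL byte (some shells' printf cannot emit NUL).
flip_one_bit() {
    byte=$(dd if="$IMAGE" bs=1 skip=1000 count=1 status=none | od -An -tu1 | tr -d ' ')
    if [ "$byte" -eq 1 ]; then
        flipped=3
    else
        flipped=$(( byte ^ 1 ))
    fi
    printf "$(printf '\\%03o' "$flipped")" \
        | dd of="$IMAGE" bs=1 seek=1000 conv=notrunc status=none
}

# Walk through the workflow when run directly.
make_drive
echo "baseline hash: $(acquire_image)"
echo "verify:  $(verify_image)"
echo "restore: $(restore_image)"
flip_one_bit
echo "after flipping one bit: $(verify_image)"
```

Run it with `sh baseline.sh`: the first verify reports OK, the restore reports RESTORED, and after one bit is flipped the same recorded hash reports MISMATCH, which is the check the authentication procedure relies on. On a real workstation the two file paths would be block devices and the wipe steps would precede `make_drive`.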
Andy
Thanks for your input; however, I think you are talking about the "storage" medium used to copy the suspect drive to. I am talking about my "exam drive", the one that holds the forensic tools to complete the exam, e.g. (Win 98 & XP).
I may be mistaken but this is how I read your post. Please elaborate.
Thanks again for your help and insight
Mark
Yeah, you are correct - I'm sorry, I misread the post. For what it's worth, I still do not see any point in wiping the drive that contains your OS and tools. Often during an exam I download tools and viewers, and create test areas, files and folders, but mainly do experiments in a VMware box. It would be more of a pain to relay a clone on each occasion for my particular machine, as it's a dynamic, ever-changing computer. I can see the argument for it, but how you would contaminate an 'examination' perhaps needs some explanation!
I use EnCase, so its evidence files are in a safe, contained environment. It only becomes a security issue if I extract a file and execute it on my forensic workstation. My thoughts are it's overly paranoid.
Andy
Another option is to conduct the entire exam in VMware (given you have enough RAM in your host machine). Then, with everything contained in the VMware file folder, nothing creeps onto your host machine, and it is easier to start over again with a backup of that virtual machine.
In theory, you could even store the virtual machine on DVDs or a small hard drive for posterity (court...), and the entire operating system, patches, software, and updates would remain as they were when you conducted the exam.
Personally, I have a backup of my forensic machine, and restore it after some time to get rid of cluttered data on my machine (that always seems to happen, and it is easier to restore a clean drive than clean up my cluttered drive).
Brett-
Good example using VMware. I do not know much about VMware yet, I just started playing with it, and I have a few questions.
1. How do you connect a USB or FireWire device to a computer running in VMware without it also connecting to the host machine?
2. Can malicious code also infect a VMware session from the host machine connected to the network?
3. Can you run a beefy host machine on a network with Internet access, and run a VMware session, and be sure that outside influence does not affect the VMware session, as if it weren't connected to the network?
The reason I am asking is that your option is very intriguing. I am looking to build a new forensics system and use my old system for personal use. However, if I can beef up my current system and use VMware as the option stated above, it would save me some money and needed space, as well as build a better, more powerful system. I just want to verify that using VMware doesn't change the integrity of the OS, tools, and evidence.