This boggles my mind. How can you have been in CF since 2004 and not know much about EnCase or FTK?
If you are doing criminal work and there is an expert for the defense, they surely use one of the two, and if I were on the other side and you had only used one tool, without using another either for cross-validation or to see if there was more data available, then I would have a lot of questions for you.
I am a very happy ILooKIX user FWIW and a full-time police officer. I am a detective and lead my county's computer forensics laboratory. We are an affiliate of the Pennsylvania ICAC Task Force. The lab receives computers and cell phones from every crime in the PA Crimes Code. We also assist ICE as part of their child exploitation task force. ILooKIX is our computer forensics tool. I have personally met Siggi and dacton and know them to be full-time law enforcement officers from agencies outside the United States. I don't know much about EnCase and FTK, so I won't bash their products. I got involved in computer forensics around 2004 and used ILook v7 because it was free. Later I used v8 for the same reason. I can also say that anyone who has purchased ILooKIX has easy access to Jim Baker, the boss at Perlustro. I'm not sure the man sleeps more than a couple of hours per day.
I don't know if that helps clarify anything or not, but that's my two cents.
Detective Ryan Parthemore
Upper Allen Township Police Department
100 Gettysburg Pike
Mechanicsburg, PA 17055-5604
Ph 717.795.2445 Fax 717.790.9410
http://www.upperallenpolice.com
I don't see the reason to use a second automated suite to validate. There are manual methods and basic tools to verify findings. There are those that only "know" the evidence exists because their tool told them. I'd rather verify manually.
> I don't know much about EnCase and FTK, so I won't bash their products. I got involved in computer forensics around 2004 and used ILook v7 because it was free. Later I used v8 for the same reason.
Good. :)
Since you are a long time user of the tool (and you use it exclusively or prevalently), do you use the IXimager with or without a writeblocker?
dacton just posted that the intended use is without it, but you reported elsewhere how you often use writeblockers:
http://www.forensicfocus.com/Forums/viewtopic/p=6557136/#6557136
jaclaz
Yes, I use a writeblocker in conjunction with IXImager. I have tested IXImager without a writeblocker and have never seen it write to a drive, yet I still use them.
I do not image a drive while still connected to the subject machine if I can avoid it. Since the drive is out and being imaged on a dedicated imaging workstation, I need an interface between the evidence hard drive and imaging workstation as well as a power source; may as well be a write blocker.
I also like the insurance that nothing can be written to the drive even if the operator makes a mistake.
We do take a speed hit using the writeblocker, but I'm okay with that.
> Yes, I use a writeblocker in conjunction with IXImager. I have tested IXImager without a writeblocker and have never seen it write to a drive, yet I still use them.
This is something I will never be able to understand 😯 (not really connected to the specific IXimager, only as a general point).
If something is supposed to NOT write to an evidence disk, and it is verified to NOT write to an evidence disk, and you can testify in court about it, then additionally making use of a write blocker seems largely superfluous.
If you use a writeblocker, then you can use each and every tool/OS as the writeblocker will take care of writes (if any) and there is no reason to use a "specially crafted to NOT write anything tool/OS".
It seems pretty binary, 0/1 or On/Off, to me.
> I do not image a drive while still connected to the subject machine if I can avoid it. Since the drive is out and being imaged on a dedicated imaging workstation, I need an interface between the evidence hard drive and imaging workstation as well as a power source; may as well be a write blocker.
Sure :D , I presume that this happens because Mr. Tableau and Mr. Wiebetech ;) give away them writeblockers for free.
JFYI, I needed something to hang my hat and coat on, now I could use a coat rack, or a single hook fitted to the wall of my room, something like, you know
http//
but I said to myself, why not use this instead?
http//
:roll:
> I also like the insurance that nothing can be written to the drive even if the operator makes a mistake.
We are again at the point above: if the operator makes a mistake while running a tool/OS that already prevents each and every write, it is not, IMHO, insurance; it is an additional, unneeded link in the chain that may go wrong (and fry an evidence HD, as you reported), with the additional drawback of the increase in imaging time you also report.
> We do take a speed hit using the writeblocker, but I'm okay with that.
jaclaz
>> I do not image a drive while still connected to the subject machine if I can avoid it. Since the drive is out and being imaged on a dedicated imaging workstation, I need an interface between the evidence hard drive and imaging workstation as well as a power source; may as well be a write blocker.
> Sure :D , I presume that this happens because Mr. Tableau and Mr. Wiebetech ;) give away them writeblockers for free.
Anyone working in forensics has a few writeblockers lying around. No imager works all the time, and sometimes writeblockers are used for tasks that are not imaging. Are you proposing that he buy even more equipment because the writeblocker does more than is required for the task?
>> I also like the insurance that nothing can be written to the drive even if the operator makes a mistake.
> We are again at the point above: if the operator makes a mistake while running a tool/OS that already prevents each and every write, it is not, IMHO, insurance; it is an additional, unneeded link in the chain that may go wrong (and fry an evidence HD, as you reported), with the additional drawback of the increase in imaging time you also report.
>> We do take a speed hit using the writeblocker, but I'm okay with that.
> jaclaz
I don't think there is an imaging tool in existence that prevents each and every write. It has to write to something or there is no image.
> I don't think there is an imaging tool in existence that prevents each and every write. It has to write to something or there is no image.
Implied "to the evidence disk". :evil:
Maybe I am the only one using logic (or my logic is a particular kind of logic 😯 ), but till now I had gathered that a Writeblocker was something used to prevent writes (to the evidence disk) IF whatever tool is used attempts to write to it.
If the IXimager (or WinFE for that matters, or any number of forensic oriented Linux distros) does NOT write to the evidence disk, the usage of a Writeblocker is superfluous.
BTW, you just wrote how specifically IXimager is intended to be used without a Writeblocker, which should mean that it is "guaranteed" to NOT write anything (to the evidence disk), whilst RyanP just posted that he nonetheless uses a writeblocker in connection with it, even adding how this causes a slowdown of operations as a "side effect".
Carpenter's example:
A torque wrench is an expensive tool used to tighten a nut/bolt at the correct torque when there is a risk of over- or under-tightening it.
If you need to tighten breakaway nuts
http//
you use a normal wrench, or even a pneumatic one (faster) at "full torque setting", as you do NOT need to make sure that you have tightened them to the right torque.
Using a torque wrench on breakaway nuts is superfluous (and slower).
jaclaz
The logic of arguing on an Internet message forum escapes me. You asked a question, I gave an answer. If you choose to handle things differently, so be it. The folks at Perlustro would agree with you. I simply prefer the use of a WB.
> Maybe I am the only one using logic (or my logic is a particular kind of logic 😯 ), but till now I had gathered that a Writeblocker was something used to prevent writes (to the evidence disk) IF whatever tool is used attempts to write to it.
> If the IXimager (or WinFE for that matters, or any number of forensic oriented Linux distros) does NOT write to the evidence disk, the usage of a Writeblocker is superfluous.
I think a writeblocker is something that does prevent writes to anything attached to it (assuming it is working correctly) by anything that might write to it. (New exception with SSDs, which can have writes made to them even on a writeblocker.) :cry:
> BTW, you just wrote how specifically IXimager is intended to be used without a Writeblocker, which should mean that it is "guaranteed" to NOT write anything (to the evidence disk), whilst RyanP just posted that he nonetheless uses a writeblocker in connection with it, even adding how this causes a slowdown of operations as a "side effect".
IXImager can be used with a writeblocker, it's not like it won't work if the evidence drives are behind a writeblocker. It can also be used without a writeblocker and if it is used without a writeblocker there are additional features available.
debbie
> The logic of arguing on an Internet message forum escapes me. You asked a question, I gave an answer. If you choose to handle things differently, so be it. The folks at Perlustro would agree with you. I simply prefer the use of a WB.
I am not at all arguing :) , I am trying to understand the reasons for the procedures used.
Sorry if I gave you the impression of attempting to argue with you; it's not the case, I was only trying to get at the core that motivates one procedure over the other.
To give you a very similar example, I was (among others) perplexed by the common practice of wiping (00'ing) disks and hashing them to prepare them to receive the image, as - from a purely technical standpoint - there would be no reason for it.
jhup provided a very logical (though fighting against theory) practical reason:
http://www.forensicfocus.com/Forums/viewtopic/t=6613/postdays=0/postorder=asc/start=13/
that I perfectly understand.
He prefers to always 00 and hash disks, knowing that it is not strictly needed, because in his experience this routine takes him far less time (and the added stress to disks is negligible) than having to explain to non-technically savvy people in court why this - that has become *somehow* a "standard" procedure - is not needed.
Of course one could "prefer" to use the voodoo of the whole 35 Gutmann passes before wiping with 00's in the above, but that would still be (largely) superfluous, and the cost/benefit analysis would have different results.
jaclaz
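Two of the claims in this thread are the kind a practitioner wants backed by hashes rather than by "I have never seen it write": RyanP's statement that he tested IXImager without a writeblocker and saw no writes, and jhup's routine of zeroing and hashing a destination drive before it receives an image. The script below is an added example and is not code from the thread, from Perlustro or from any of the posters. It assumes plain `dd` as a stand-in for the imaging tool and uses temporary files as stand-ins for block devices; the paths and sample bytes are constructed for illustration. It hashes the evidence before and after an imaging run (identical digests are the recorded evidence that the imager did not write to the source) and checks that a destination drive is all 0x00 by comparing its digest with that of the same number of bytes from `/dev/zero`.

```shell
#!/bin/sh
# Added example, not from the thread. Hash-based checks for two procedures
# discussed above:
#   image_and_verify  - evidence digest before/after imaging must match, and
#                       the image must hash the same as the evidence.
#   verify_zeroed     - a wiped destination must hash like N bytes of /dev/zero.
# ASSUMPTIONS: dd stands in for the real imager; regular files under a temp
# directory stand in for the evidence and destination drives.
set -eu

# Print the SHA-256 hex digest of a file ("-" reads stdin). Falls back to
# shasum on systems without coreutils.
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# image_and_verify EVIDENCE IMAGE
# Returns 0 and prints the evidence digest only if the evidence is
# byte-identical before and after the imaging run AND the image hashes the
# same as the evidence. Any other outcome returns 1 with a reason on stderr.
image_and_verify() {
  ev=$1; img=$2
  before=$(sha256 "$ev")
  dd if="$ev" of="$img" bs=4096 2>/dev/null   # the imaging step (assumed: dd)
  after=$(sha256 "$ev")
  if [ "$before" != "$after" ]; then
    echo "evidence changed during imaging: $before != $after" >&2
    return 1
  fi
  if [ "$(sha256 "$img")" != "$after" ]; then
    echo "image does not match evidence" >&2
    return 1
  fi
  echo "$after"
}

# verify_zeroed DEV
# Returns 0 only if every byte of DEV is 0x00: its digest must equal the
# digest of the same number of bytes read from /dev/zero.
verify_zeroed() {
  dev=$1
  size=$(wc -c < "$dev" | tr -d ' ')
  expect=$(head -c "$size" /dev/zero | sha256 -)
  [ "$(sha256 "$dev")" = "$expect" ]
}

# Constructed sample "drives" (not real evidence): a small evidence file and
# an 8 KiB destination that has been wiped to zeros.
WORK=$(mktemp -d)
EVIDENCE="$WORK/evidence.bin"
TARGET="$WORK/target.bin"
printf 'suspect data %s\n' 1 2 3 > "$EVIDENCE"
head -c 8192 /dev/zero > "$TARGET"

# Usage: check the destination first, then image and verify.
if verify_zeroed "$TARGET"; then
  echo "target is zeroed, safe to receive the image"
fi
echo "evidence/image digest: $(image_and_verify "$EVIDENCE" "$WORK/evidence.dd")"
```

The before/after comparison is the part that turns "never seen it write to a drive" into something you can put on paper: the two digests are the record, and a single differing byte anywhere on the device changes them. For the same reason the zero check is cheap insurance before an image is written: if the destination is not all 0x00, the leftover bytes are visible as a digest mismatch rather than as a surprise in court.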