Hello All,
I'm currently going into my junior year of Digital Forensics and I have used pretty much every industry standard tool that is available.
I have my preferences which don't need to be discussed here (another post can be made for that), but what I'm really looking for is people's opinions/application of Linux-based tool kits.
I have used Helix 3 Pro, BackTrack, SIFT and REMnux and have found all of them to be fairly useful. Unfortunately, every company I have done work for does not authorize the use of these due to the fact that they aren't the "standard".
I personally love the Linux distros and have used them to perform many duties more efficiently than a windows machine could handle.
So really there are 4 topics I'm curious about:
1. What Linux distros do you use and how so?
2. What do you see as the future of these freeware Forensic applications?
3. Have there been any cases you know of where the use of these systems has been applicable in court (I realize helix 3 pro is used often but others)
4. And finally, are there any great distros you would like to share with the community?
Thank you kindly and can't wait to hear your responses!
-Ben
1. What Linux distros do you use and how so?
We use Ubuntu and Helix, usually for imaging laptops where removing the hard drive could harm other parts, thus voiding the warranty. We boot the laptops with one of these distros, acquire the image of the suspect HDD in raw format and perform the examination in other reputable software such as EnCase or FTK.
2. What do you see as the future of these freeware Forensic applications?
They will be less trusted but will always remain handy tools.
3. Have there been any cases you know of where the use of these systems has been applicable in court (I realize helix 3 pro is used often but others)
Courts in (where I live) still do not know anything about these issues. Only in serious cases do lawyers whether the examination is acceptable.
I have used Helix 3 Pro, BackTrack, SIFT and REMnux and have found all of them to be fairly useful. Unfortunately, every company I have done work for does not authorize the use of these due to the fact that they aren't the "standard".
I don't understand this. What is the definition of "the standard"? What "standard" does SIFT, for example, not meet?
I have almost 10 years of using Linux or Unix (FreeBSD) in forensic examinations. In the over 300 cases where I used *nix and not a Windows-based or hardware-based tool, I've never had a successful challenge against the methodology.
Any toolmaker who suggests their tool is the "standard" is selling a load of marketing hype. It's the examiner, and not the tool that is testifying.
Validate, validate, validate.
When it comes to acquiring damaged HDDs there is no comparison between Linux with dd_rescue/dd_rhelp and any tool for Windows. Here Linux is really unbeatable. Many of the broken HDDs I imaged were not even detected under a Windows OS.
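The workflow sketched in the replies above (boot a live distro, raw-image the suspect drive, and validate the result before it goes into EnCase/FTK) as an added, runnable example. This is not code from any poster; the function names are mine, and a constructed 1 MiB file stands in for the suspect device so it runs offline. It uses plain dd with noerror,sync and hashes source and image; on genuinely failing media, GNU ddrescue with a mapfile (the dd_rescue/dd_rhelp route mentioned above) is the better acquisition step because it retries and records the unreadable areas.

```shell
#!/bin/sh
# Added example (not code from any poster): acquire-and-verify workflow.
# Assumptions: POSIX sh, dd, and sha256sum (or shasum) on the live distro;
# the suspect device path is a placeholder, here a constructed file.
set -u

# Build a constructed 1 MiB "suspect drive" so the workflow runs offline.
make_sample_device() {
    dd if=/dev/urandom of="$1" bs=1024 count=1024 2>/dev/null
}

hash_file() {
    # Print the SHA-256 of a file; fall back to shasum where sha256sum is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

acquire_image() {
    # Raw-image source $1 into $2. conv=noerror,sync keeps reading past
    # errors and zero-fills the bad block so offsets in the image still line
    # up with the source. Caveat: sync pads the last partial block, so a
    # source whose size is not a multiple of bs hashes differently from its
    # image; real drives are block-aligned, the sample here is 16 x 64 KiB.
    dd if="$1" of="$2" bs=65536 conv=noerror,sync 2>/dev/null
}

verify_image() {
    # Return 0 only when the image hash matches the hash of the source as
    # read at acquisition time; anything else means the copy is unverified.
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

log_acquisition() {
    # Append one record to an acquisition log: UTC time, source, image, hash.
    printf '%s source=%s image=%s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$(hash_file "$2")" >> "$3"
}

# Usage: sh acquire.sh demo   (runs against the constructed file, not a device)
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_sample_device "$work/suspect.bin"
    acquire_image "$work/suspect.bin" "$work/suspect.dd"
    verify_image "$work/suspect.bin" "$work/suspect.dd" && echo "image verified"
    log_acquisition "$work/suspect.bin" "$work/suspect.dd" "$work/acquisition.log"
    cat "$work/acquisition.log"
fi
```

The point of the hash pair and the log line is the "validate, validate, validate" advice: the examiner can show what was read, when, and that the image examined later is byte-for-byte what was acquired. On a real drive the source hash must be taken through a write blocker or a read-only mount; a drive that returns different bytes on each read will not verify this way, which is exactly the case for ddrescue's mapfile.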
Ehuber, I want to address your question. I currently work for a Fortune 100 company on the Digital Forensics side of the Enterprise Information Risk Management area. I personally have a tool kit with Linux distros which I love, but HR, the paralegal team and even my boss do not approve of me using these tools. As I understand it, they do not want anything being used that the government wouldn't use.
AGAIN, this is according to what they know. A Fortune 100 HR manager is not going to know much of anything beyond FTK and EnCase. I understand that they meet a forensic standard, and as long as you know how and why you are doing what you're doing, that is what is ESSENTIAL!
But in the corporate world you do what you're told. Now that I am able to put my foot down and have some leverage, I am expanding everyone in my department's knowledge and applicability of these tools, but it is not easy in the least.
So really, I understand that these tools meet every standard they must, and I prefer them for many applications. Corporate America does not recognize the fact that open source isn't the source of all evil, and therefore they have locked down any chance of using that software on anything unless it is an absolute necessity.
Maybe that is what I want to know about.
Has anyone else had to deal with the ignorance of the corporate world in the process of investigations? Maybe this company just needs time to educate themselves and understand the field, but as I see it they are simply limiting the tools we could use because they are free*.
Does this help clarify things at all?
Sorry for all the typos in my last post I was in quite a rush!
AGAIN, this is according to what they know. A Fortune 100 HR manager is not going to know much of anything beyond FTK and EnCase.
Maybe this company just needs time to educate themselves and understand the field, but as I see it they are simply limiting the tools we could use because they are free*.
It sounds as though you need to do a better job at telling them what tools you need to use. The company doesn't need to educate itself, you need to educate them.
You are right, a Fortune 100 HR manager isn't going to know much. All they know is catch words anyway. You should think about putting together a presentation to explain what tools you are going to use. Be proactive.
I have to apologize, but I am still confused about the forensic standard issue of Linux distros & open source software. Would you be so kind as to provide a link or reference to such. Thank you.
You are right, a Fortune 100 HR manager isn't going to know much. All they know is catch words anyway. You should think about putting together a presentation to explain what tools you are going to use. Be proactive.
Exactly!
That is what I'm working on doing here. As I said, I am only 20 years old and have been working for this company for about 5 weeks now, so I'm doing my best to acclimate to a company of this size. I am currently working on developing a presentation to explain all of this and to be there to field every question that could possibly come up. I'm still new to this in a job sense, as I still have two years of school before I graduate. So really I feel like I need to unload everything I know onto them to help them understand what it is we actually do.
It's funny you suggested this because right after posting I confirmed a meeting with everyone I need to talk to in a few weeks so hopefully it should be a great session and increase the effectiveness of the departments working together.
If it seems I am somewhat amateurish at this job, it's because I am by every definition of the word. Again, just 5 weeks in here, go easy on me :)