Good Morning,
This may seem a tad trivial but I'd welcome some outside opinion. In a corporate environment with a medium level of activity requiring evidence seizure, we're getting more and more data to seize, so I'm looking at having to place evidential data on HDDs. I would have a concern around the fact that the HDD is read/write media, though obviously it can be cross-verified from the original to demonstrate its authenticity.
My question is what strategies does anyone else use: do you archive evidential data to HDD, and if so do you put more than 1 case on 1 HDD using separate partitions? Do you use USB sticks to hold data?
Thank you very much
Just to confirm...
When you say "looking at having to place evidential data on HDDs" I'm assuming that you mean E01 files?
If so:
Why do you have concerns about writing to the E01? As far as I am aware, the only way to write to an E01 file would be to actively edit it using some kind of software such as a hex editor, for example. However, if you were to edit the image then it wouldn't verify during the CRC verification process anyway. Once the E01 has been created, just make sure that it is verified and you can obtain the same hash values for the image as the original copy; that way you know that it is identical.
There is no right or wrong way to store data and everyone will have different opinions about what is best, but ultimately I think it is what works best for you. My main advice would be to make sure that you have at least two copies of the image taken on two different storage mediums. This way if one fails you always have the other to fall back on.
With regards to partitioning the drive, I don't see why that would be of any use; it would just make things more messy?
I would say that you can put as much data onto a HDD as it can hold.
I like to store the working E01 on my local machine so that it processes quickly ("quicker, should I say") and have 2 extra backups on separate drives just in case.
Hope this helps
Hi, I was once in your shoes - pretty much still am in fact, in a team of one.
Must confess though that I'm a bit surprised that you're looking to put evidential data on HDDs - where have you been putting it up till now?
Anyways, the first incident I had to work on, I was working with an IT guy who partitioned 3 hard drives so that we could 'image' five suspect drives using Ghost (v 8). Would never do it again: we found we could eliminate 4 suspects and were left with one drive with two suspects' data on it (remember, Ghost, not FTK Imager). So we couldn't get rid of the non-suspect's data for fear of messing with the one real suspect's data.
AFAIK "best practice" used to be to put evidential data onto HDD; nowadays I understand that the standard has moved on to storing on RAID - not available to all of us with no budget, unfortunately.
FWIW (and I've only dealt with Windows systems and not with any kind of memory forensics so far), I use Tableau write-blockers to make complete or custom images. I normally use one target drive per suspect (meaning I can get internal HDDs, USB sticks etc. onto a single drive). Other times - if there are two internal drives or if the user had an external drive (or more) as well - I'll use two or more target drives per suspect.
I wipe the target drives after use, using DBAN - not strictly necessary according to one thread on here, but old habits die hard. Plus, I like to know that on the odd occasion when I issue a drive to someone in IT who "really needs it", there's nothing on the drive. A target drive in use has red tape on it with the case number written on it, a target drive which is wiped and ready to use has green tape on it, a target drive awaiting wiping has yellow tape on it (again with the case number).
For process education, I downloaded the ACPO Guidelines, a bundle of stuff from SANS and other places, and (after 4 years) finally got on SANS 408 last year. For tech stuff, Harlan's books, Brian Carrier's file system book, and all the blogs I can find. A guy from an external consultancy who worked on that first case helped me out with some names and some places to go look.
HTH?
Cheers
Guys,
Thanks so much for the replies.
@cmjdurkin - it's actually evidential info such as mail archives or network shares that I'm envisaging may need to go on HDDs, not the E01 files.
Up to now, we've used CD, DVD and DL DVD, but the trend is for huge mail archives and therefore the data gets unmanageable moving to this medium.
Hence my look at HDDs or USB, some form of storage with larger capacity.
@cults14 - I'm thinking along the same lines as yourself. I think cmjdurkin was 100% right, partitioning drives is too messy.
What I would hope is to go 1 HDD per case with mail, or mail + archive, or whatever. Make 2 copies, bag and tag, including evidence number.
My concern is that it's still r/w media, so maybe a set of encrypted USBs is better (they would be cheaper anyway; small HDDs are near impossible to find).
Is there anything glaringly obvious that I'm missing in terms of storage here, e.g. any way that moving to HDD could make something unusable or inadmissible?
Thanks again
I was just thinking, if the files are kind of 'loose', i.e. not in an image container, it might be worth putting them in one. You could create a logical image using FTK Imager or EnCase to contain the mail archive files etc., thereby providing yourself with the integrity checking and hashing. When required at a later date it would then be a simple case of exporting the files back out of the logical image to access them if you did not have a full version of either FTK or EnCase.
Alternatively you could put them in an encrypted container using software such as TrueCrypt and then when you subsequently mount the container you could mount it read-only and prevent writes.
If neither of the above options suits, you could always hash the individual files and store a list of those hashes in your case file as well as with the files.
I think it is also very important that you are keeping your contemporaneous notes.
We keep the stuff we are currently working on locally on RAIDs but the Master copy is archived off and sent to offsite storage. I don't think there is any issue with archiving to HDD, pretty much every forensic unit does it. We have just moved from tape because the tapes were getting too expensive and time consuming for the amount they could hold.
HTH
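As an added example (not code from any poster in this thread): a small Python script that does what the third option above describes, hashing each loose file into a manifest stored beside the evidence and re-verifying that manifest later, so that a change on r/w media shows up as a modified, missing or extra file. The manifest layout, the hashes.txt name and the sample mail-archive files are constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed manifest format (constructed): "<sha256>  <md5>  <relative path>" per line,
# two hashes per file in the same spirit as MD5/SHA-1 verification of an E01.
MANIFEST_NAME = "hashes.txt"

def hash_file(path, chunk_size=1 << 20):
    """Return (sha256, md5) hex digests, read in 1 MiB chunks so large PST files fit in memory."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()

def _files_under(root):
    """Relative POSIX paths of every file under root, excluding the manifest itself."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*")
            if p.is_file() and p.name != MANIFEST_NAME}

def write_manifest(evidence_dir):
    """Hash every file under evidence_dir, write hashes.txt beside them, return the entries."""
    root = Path(evidence_dir)
    entries = [(*hash_file(root / rel), rel) for rel in sorted(_files_under(root))]
    with open(root / MANIFEST_NAME, "w", encoding="utf-8") as out:
        for sha, md5, rel in entries:
            out.write(f"{sha}  {md5}  {rel}\n")
    return entries

def verify_manifest(evidence_dir):
    """Re-hash the copy against hashes.txt; empty modified/missing/extra lists mean it is intact."""
    root = Path(evidence_dir)
    listed = {}
    with open(root / MANIFEST_NAME, encoding="utf-8") as fh:
        for line in fh:
            sha, md5, rel = line.rstrip("\n").split("  ", 2)  # path may contain spaces
            listed[rel] = (sha, md5)
    present = _files_under(root)
    modified = [rel for rel in listed if rel in present and hash_file(root / rel) != listed[rel]]
    return {"modified": sorted(modified), "missing": sorted(set(listed) - present),
            "extra": sorted(present - set(listed))}

def demo():
    """Constructed sample: two 'evidence' files, manifest written, then one file altered."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "mailbox.pst").write_bytes(b"constructed PST content\n")
        (Path(d) / "share").mkdir()
        (Path(d) / "share" / "memo.txt").write_bytes(b"constructed share file\n")
        write_manifest(d)
        clean = verify_manifest(d)
        (Path(d) / "mailbox.pst").write_bytes(b"constructed PST content, altered\n")
        return clean, verify_manifest(d)
```

Keep a second copy of hashes.txt in the case file, as the post suggests, so the manifest on the drive is not the only record of the original values.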
Thanks kiashi,
That helps a lot. We do hash the files and keep the hashes, but I like the idea of the logical image using EnCase. In total agreement with you on the contemporaneous notes - it's saved my skin on a few occasions to have them!
Thanks everyone