I think the reason, at least I would rib you, and not answer your question is because I (and I believe the other senior citizens here) like to teach how to fish, instead of giving you a fish.*
As earlier stated, much of this information is readily available. There are publications as to such "workflow" tempaltes by various law enforcement organization on most continents. I seen UK, Australian, French, and US LE agencies put out
I always considered the ability to find an answer to be more important than knowing the answer, at least initially in forensic science.
Thanks to everyone for their response so far. If I can clarify a bit more as to what I am trying to achieve here.
[…]
Hope this is not too detailed.
Cheers,
* Unless you are allergic to fish, in which case we can substitute bacon, and baconing - because everyone knows everything is better with bacon.
I think we could find an "agreement" if you could branch the question 😯
- 1. What is (are) accepted workflow(s) in a forensics examination of a Windows machine? <- this is theoretical/conceptual and "platform independent" (i.e. the steps to be taken are the same no matter if the forensic machine runs Windows, Linux or Solaris or BSD).
1.1 What are the tools that are commonly used (or that can be used) for each step in the above "platform independent workflow" when the forensic machine runs Windows?
1.2 What are the tools that are commonly used (or that can be used) for each step in the above "platform independent workflow" when the forensic machine runs Linux?
So, IMHO you need to first find (and choose) a "platform independent workflow", and then ask here which tools would members use to perform the tasks listed in the specific "workflow" you detailed.
Example
…
Step3.21 Make a forensic sound image of a hard disk
Windows Use a write blocker (or a WinFE) and use program xxx to make the image
Linux Use a write blocker (or a read only Linux distro) and use program yyy to make the image.
jaclaz
@jhup
JFYI wink
http//
My lovely bride made me apple pie….
With bacon wrapped in the crust. mrgreen
She loves me. She really does!
long way to say no then…
long way to say no then…
No one said "no", the request was to provide a more focus question or questions and perhaps a scenario that can be answered in less than 300 pages.
As I wrote in my first response the tools and techniques vary greatly depending on the type of case. For example in a bank fraud case I am not likely to use Adroit but am very likely to use Acerno; conversely in a stalking case I am very likely to use Adroit and not Acerno.
Your defeatist attitude makes it sound like no one wants to help, we want to help, however we are not going to spend hours responding because you refuse to do your part to focus your questions.
Haha, I can't believe i missed jaclaz's comment and jhub's reply on picky-ness for two days in a row, but I totally enjoyed it. mrgreen
Not that I disagree with the others that this is something you should really have the ability of researching on your own as a computer major of any kind, but we are really trying to help. The problem is you are looking for an definitive answer to an opinionated question. Its like asking if you should buy build or buy a computer; it depends on if you are willing to do self support, your budget, etc. Or asking if you personally work faster on command base of gui; its a matter of what you like and what you are familiar to. You can probably argue for either side and be right, at least to come degree. Just look at wiki for some tools and do forensics on those tools for both linux and windows, your personal experience is just as valid as everyone else's (as long as you don't make any mistakes).
Also, not to be picky roll , but you cant compare encase/ftk with dd for a linux vs windows comparison, you can install both on windows, but only one on linux. And dd is designed to do mainly a specific task imaging, encase/ftk is a suite.
long way to say no then…
Not really, I would say "average length way" to tell you that your question is too vast and vague to be answered, let alone answered properly, within the limits of a technical forum and asking you to make it more "narrower" and more "accurate".
Example (on a Carpenters Forum)
Q. How does a brick building compare against a timber one, and which tools are used for building them?
A1. They are different, though they have the same scope, and depending on the actual project and building approach, tools suitable for the specific task at hand are used.
A2. No way to answer properly, it greatly depends on the size, scope, location, available personnel/contractors and materials, budget, etc., etc.
A3. Maybe if you post your actual design, and a breakdown of the tasks involved, members might want to share how they would tackle specific tasks.
As you can see the question - as asked - makes no sense whatsoever, the good news are that you are not the first one with this kind of questions, compare with
http//www.forensicfocus.com/Forums/viewtopic/t=11376/
but they tend to lead to nowhere. (
jaclaz
i have the ability to research but I really don't have the time to nit pick, it was meant to be a simple question with a simple answer, that is all. I neither have a defeatist attitude or the appetite for time wasting arguments, this is meant to be a helpful forum ( and not a replacement for my own google searching either). I don't think it needs any further sub division or qualification, if it cannot be answered how it was, fair enough but lets not degenerate it to mud slinging or anything else. either answer the question based on what is asked or say you cannot help, that is it really.
… long way to say I am a grumpy old b*****d then… 😯
(which is OK ) , as I am a self-declared old, grumpy b*****d)
jaclaz
… long way to say I am a grumpy old b*****d then… 😯
(which is OK ) , as I am a self-declared old, grumpy b*****d)jaclaz
Well to be fair, you are a senior member here. D