Imaging a drive using Windows

(@jeffcaplan)
Trusted Member
Joined: 21 years ago
Posts: 97
 

> …you are teaching students on software that is by far the most widely used windows forensic application out there.

IMHO, teaching EnCase for that reason is a mistake. Forensic analysis should be about using the right tool, not just about using EnCase. Yes, EnCase is the most popular…but it's that way for the same reasons that Gates's MS-DOS became the most popular OS at the time, over Kildall's CP/M.

Forensic examiners and students alike should know how things like file signatures work first; *then*, should they decide to use that technique (or any other), learn how to do so in a particular application.

While I agree with you that knowledge of the process itself is the most important thing if one is required to proffer expert witness testimony, who is to say that the process cannot be taught along with the tool most suited for the job? And I do believe that EnCase is the one tool most suited for the job of providing digital forensic analysis (if I had to pick just one). I don't consider myself a GSI fanboi, but when it comes to digital forensics, EnCase is the de facto standard (for a reason), and the fact that it's the standard does make it important to teach when you consider the context of why that's important to the field.

Everything about digital forensics is done so that information obtained can be offered as evidence in court. Without that point in mind, all of this could be described as glorified data recovery. The fact that there are legal standards for what is admissible in court and the fact that EnCase has been challenged and accepted more than any other digital forensics tool makes it a perfect reason to teach to newcomers to the field.

To quote from EnCase's legal journal:

> The final prong — whether a process enjoys “general acceptance” within the “relevant scientific community” — is a particularly important factor strongly considered by the courts in validating scientific tools and processes. “[A] known technique that has been able to attract only minimal support within the community … may properly be viewed with skepticism.”[66] EnCase software is without question the most widely used computer forensic process in the field. Thousands of law enforcement agencies and companies worldwide employ EnCase software for their computer investigations. In addition, EnCase software has over twenty thousand users, and Guidance Software trains over four thousand students annually in the use of EnCase software. The widespread general acceptance of a process is often considered to be the most important prong in a Daubert/Frye analysis. In addition, even outside the litigation context, there are practical considerations: if it should become necessary to replace an expert, his or her use of standard software will make the transition to a replacement expert much easier.

Knowing what a file signature is, its relevance to forensics, why it's an important topic to know and how to make use of that knowledge are all things which can easily be taught using EnCase…all you really need is a hex viewer, the ability to highlight things and a good teacher.

Having said all that, I think the OP's best bet is to use FTK Imager. It's Windows-based, it's free, it can create images in multiple formats, it provides a hash value of the acquired image and it has the ability to read images; this should all meet his criteria. Using EnCase w/o a dongle just to create an image is pretty anti-climactic.

Jeff


   
ReplyQuote
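The file-signature point above (header bytes tell you what a file really is, whatever its extension says) is easy to show with nothing more than a hex view and a small lookup table. The following is an added example, not code from the post or from EnCase; the signature table holds a handful of well-known magic values from the public format specifications, and the sample files are constructed in the script (including an executable renamed to `.txt`, the classic extension mismatch).

```python
# Added example: identify files by their header bytes ("file signatures")
# and flag extension mismatches, with a minimal hex viewer.
# Signature table: (description, offset, magic bytes, extensions usually seen
# with that signature). Values are from the public format specs; this is an
# illustration, not a forensic tool's signature database.
SIGNATURES = [
    ("JPEG image", 0, b"\xFF\xD8\xFF", {"jpg", "jpeg"}),
    ("PNG image", 0, b"\x89PNG\r\n\x1a\n", {"png"}),
    ("PDF document", 0, b"%PDF-", {"pdf"}),
    ("ZIP archive (also DOCX/XLSX/JAR)", 0, b"PK\x03\x04", {"zip", "docx", "xlsx", "jar"}),
    ("Windows PE executable", 0, b"MZ", {"exe", "dll", "sys"}),
    ("GIF image", 0, b"GIF8", {"gif"}),
]


def identify(data: bytes):
    """Return the description of the first signature whose bytes appear at
    the expected offset, or None when nothing in the table matches."""
    for desc, offset, magic, _exts in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return desc
    return None


def check_extension(name: str, data: bytes) -> str:
    """Compare the extension in the file name with what the header says.
    Returns 'match', 'mismatch: header says <type>' or 'unknown'."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for desc, offset, magic, exts in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return "match" if ext in exts else f"mismatch: header says {desc}"
    return "unknown"


def hexdump(data: bytes, width: int = 16) -> str:
    """Classic offset / hex / ASCII view, the 'hex viewer' a teacher needs."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return "\n".join(lines)


# Constructed sample "files": only the first bytes matter for this exercise.
SAMPLES = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",   # an executable renamed to .txt
    "readme.md": b"Just some text",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"== {name}: {check_extension(name, data)}")
        print(hexdump(data))
```

Running the script prints each sample's header in hex next to the verdict; `notes.txt` comes out as "mismatch: header says Windows PE executable", which is exactly the kind of finding a student should learn to spot before being shown where a particular product hides the same check.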
(@jeffcaplan)
Trusted Member
Joined: 21 years ago
Posts: 97
 

One additional note to the OP which he should be aware of (I hope) - If you're using Windows as opposed to Linux to image a drive, you will need to use a hardware write-blocker (in keeping with the true spirit of forensics…), as Windows does not have the same software write-block capabilities as Linux, with the exception of the reghack for external USB devices. So, making an exception for not having a hardware write-block device handy for the IDE drives, you could hook up the internal IDE drives to an external USB enclosure and make use of the reghack to ensure that the device and thus the drive are protected from any modification.

Otherwise, you'll need to use a bootdisk to image in Linux or DOS.

Jeff


   
ReplyQuote
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Have a look at http://www.hackerhighschool.org/

There are lessons on both Linux and Forensics - both are light in content (for example, there is no discussion of imaging!) - as they aren't designed to teach practitioners, rather to slightly educate the yoof of today, in 30 mins in a classroom - but may be a good place to start - as they are also targeted at approximately the correct age group for what you are looking to do …


   
ReplyQuote
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
 

There aren't any exciting imaging tools. Every GUI is point and click ("select source", "select destination" and "image it"). Not much more than that. For high school kids, you'd probably have an easier time showing Wargames than imaging.

But at least making the point of 'do no harm' to the original evidence, as one of the considerations, and showing the methods to do that would be good. For demonstration purposes and time considerations, you could always have the kids image a floppy or CD, or even image a small USB drive, all directly to your host machine in a few minutes. Same concept really, but better than watching the paint dry as a hard drive is imaging.


   
ReplyQuote
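The two points made in this thread about acquisition, "do no harm" to the source and a hash of the acquired image (which FTK Imager reports), come down to a small amount of logic: read the source only, copy every byte, hash the stream as it goes by, and later re-hash the image independently to prove it has not changed. The following is an added example that is not FTK Imager's or any other product's code; it stands in for the "image a small USB drive" classroom exercise by imaging a constructed 1 MiB temporary file, then deliberately flips one byte of the copy to show the verification failing. A hardware write-blocker or the USB registry write-protect is still what actually stops Windows touching the source; opening it read-only here only keeps this program from writing.

```python
# Added example: raw (dd-style) imaging of a small source with MD5/SHA-1
# computed during acquisition, followed by independent verification.
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time, as an imager copies sectors in bulk


def image_device(source_path: str, image_path: str, chunk: int = CHUNK) -> dict:
    """Copy every byte of source_path into image_path, hashing the stream as it
    is read. The source is opened read-only ('rb'); nothing is ever written to
    it. Returns the byte count and the acquisition hashes."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            buf = src.read(chunk)
            if not buf:
                break
            md5.update(buf)
            sha1.update(buf)
            dst.write(buf)
            total += len(buf)
    return {"bytes": total, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(image_path: str, expected: dict) -> bool:
    """Re-read the image from disk and compare its hashes with the values
    recorded at acquisition time. Both digests must match."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(image_path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            md5.update(buf)
            sha1.update(buf)
    return md5.hexdigest() == expected["md5"] and sha1.hexdigest() == expected["sha1"]


def demo() -> tuple:
    """Image a constructed 1 MiB 'USB stick', verify the copy, then corrupt one
    byte of the image and verify again. Returns (bytes copied, ok, ok_after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "usb_stick.bin")   # constructed stand-in for a device
        img = os.path.join(d, "usb_stick.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 4096)    # 1 MiB of a known pattern
        record = image_device(src, img)
        ok = verify_image(img, record)
        with open(img, "r+b") as f:              # simulate a damaged/altered image
            f.seek(100)
            f.write(b"\x00")
        ok_after_tamper = verify_image(img, record)
        return record["bytes"], ok, ok_after_tamper


if __name__ == "__main__":
    copied, ok, ok_after_tamper = demo()
    print(f"copied {copied} bytes, verified={ok}, verified after tamper={ok_after_tamper}")
```

On a real Windows acquisition the source path would be a raw device such as `\\.\PhysicalDrive1` (administrator rights required, and the drive behind a write-blocker); the hashing and verification steps are the same. Recording both digests at acquisition and re-checking them before analysis is the habit the "do no harm" discussion is trying to instil.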
(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

With respect to the post about using the GUI and not having to know any Linux, I respectfully disagree. You _do_ need (or you should) to know Linux if you're going to use any Linux application proficiently.

For example, let's say you use the GUI app referenced and you don't know Linux:
- How will you identify the target and destination media?
- How will you troubleshoot why a device is not recognized? (Or, perhaps it _is_ recognized by the Linux kernel, only incorrectly or in a manner that you do not recognize)
- How will you articulate what you did and why? (i.e., explain what the tool did and how, and why you selected that application (tool))
- Perhaps there is a more efficient way to do what it is you want to do. But how would you know this if you don't know and understand the operating system environment you are working within?

Just some random brain droppings …

farmerdude

http://www.forensicbootcd.com

http://www.onlineforensictraining.com


   
ReplyQuote
Page 2 / 2
Share: