SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Internet Evidence Finder (IEF): interview with Jad Saliba of JADSoftware.com

Editor's note: Brad Garnett recently had an opportunity to interview Jad Saliba, of JADSoftware about how he got started in computer forensics and about some of his company's products. Please note that JADSoftware has offered a discount to readers, see the details below.

Q: Jad, Take a minute to introduce yourself and give us some insight into your background. How did you get involved in computer forensics and software development?

I've been involved in software programming on and off for a long time, going back to my teenage years. I've always had an interest in system tools and figuring out what's going on behind the scenes in a computer. I went to college and studied computer networking and programming, and worked in the industry for a short while before getting into law enforcement, which is another passion of mine. I didn't want anyone to know about my computer skills when I first got hired!

...


Helix 3 Pro: First Impressions

I have used several versions of Helix over the recent years. I enjoy the tool set and recommend it to forensics colleagues, sysadmins, and even family members.

Quite a substantial ruckus was raised this year when e-fense announced that Helix 3 would no longer be free to download. Instead, would-be users must pay to register as a forum user to get access to Helix 3 Pro updates for a year.

I took the plunge and

...


Mounting Images Using Alternate Superblocks (Follow-Up)

Hal Pomeranz, Deer Run Associates

Several months ago, I blogged about using alternate superblocks to fake out the ext3 drivers so you could mount file system images read-only, even if they were needing journal recovery. However, due to recent changes in the ext file system driver the method I describe in my posting is no longer sufficient. Happily, there's a quick work-around.

Let's try the solution from the end of my previous posting under a more recent Linux kernel:

# mount -o loop,ro,sb=131072 dev_sda2.dd /mnt
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
missing codepage or helper program, or other error
In some cases useful info is

...


The Failed Hard Drive, the Toaster Oven, and a Little Faith

OK, everyone knows that heat kills electronic components, right? Never subject any electronic component to heat. Unless that makes the component work, that is''

Confession is good for the soul, they say, but bad for the reputation. So I'll tell the story this way. You see, there was this "friend of mine" whose hard drive failed. I mean, it was working fine the night before when I, er, he shut down his computer. But the next morning he turned it on and all he got was "shicka, shicka, shicka, shicka, shicka," then a pause, then five more attempts, then five more, and so on until the drive finally said "sorry''" and shut itself off. Now this guy hasn't been taking his own advice about backups for a while and - you guessed it - he hadn't backed up his Quicken off drive

...


Best Practices In Digital Evidence Collection

Evidence handling procedures are evolving

Evidence handling is clearly one of the most important aspects in the expanding field of computer forensics. The never-ending innovation in technologies tends to keep best practices in constant flux in effort to meet industry needs. One of the more recent shifts in evidence handling has been the shift away from simply "pulling the plug" as a first step in evidence collection to the adoption of methodologies to acquire evidence "Live" from a suspect computer.

The need for changes in digital evidence collection are being driven by the rapidly changing computing environment:

  • Applications are installed from removable media such as a USB stick and are then virtualized in RAM without a trace on the hard disk
  • Root kits hide within process undetected by the underlying operating system and when using local tools (binaries) - you must analyze memory with trusted

... Continue reading Best Practices In Digital Evidence Collection