SANS Digital Forensics and Incident Response Blog: Category - Evidence Acquisition

Best Practices In Digital Evidence Collection

Evidence handling procedures are evolving

Evidence handling is clearly one of the most important aspects in the expanding field of computer forensics. The never-ending innovation in technologies tends to keep best practices in constant flux in effort to meet industry needs. One of the more recent shifts in evidence handling has been the shift away from simply "pulling the plug" as a first step in evidence collection to the adoption of methodologies to acquire evidence "Live" from a suspect computer.

The need for changes in digital evidence collection are being driven by the rapidly changing computing environment:

  • Applications are installed from removable media such as a USB stick and are then virtualized in RAM without a trace on the hard disk
  • Root kits hide within process undetected by the underlying operating system and when using local tools (binaries) - you must analyze memory with trusted

... Continue reading Best Practices In Digital Evidence Collection


Decrypting a PointSec Encrypted Drive Using Live View, VMWare, and Helix

Doing it the HARD way!

Perhaps you remember my previous blog on EnCase and PointSec, which included my plea for Guidance Software and CheckPoint to work together to create a seamless way to decrypt drives without having to go through 20 or 30 steps to get there. I even wrote, out of desperation, A Case for Decryption of the Original, because it would save time consuming steps and not change the data relevant to an investigation.

Time for an update. As noted in my last blog on decrypting the original, VMWare no longer recognizes a raw disk as a valid disk image. Images have to be converted before

...


Acquiring Data from Windows Mobile Devices

During the debut of SEC563 Mobile Device Forensics last week, Eugene Libster from ManTech brought to my attention the open sourceitsutils package for extracting from Windows Mobile devices. Components of this package, psdread and pdocread, can acquire more data from Windows Mobile devices than many commercial forensic tools, but there are several issues that forensic practitioners need to understand before using these utilities on an evidentiary device.

First, acquiring data using these utilities creates files on the device, necessarily overwriting data. Specifically, an executable file named "itsutils.dll" is copied onto the device, and an error log"itsutils.log"is created on the device. Second, these tools acquire data through a hardware

...


Tricking the "script" Command

Keeping a record of all of the commands you type as well as their output is obviously useful during a forensic investigation. On Unix and Linux systems, we have the "script" command which does precisely this. You run "script " and the script command spawns a new shell: everything you type and all output you receive in return is automatically captured to the specified file.

From a forensic perspective, however, the classic problem is that script insists on writing its output to a file in the local file system. This is particularly a problem during the initial stages of incident response when you're operating on a live system trying to verify whether or not it has been compromised. If you capture your session with the script command, you may be trampling important data as your output file grows. Of course you could attach a portable storage device and write your output there, but that could be problematic on many levels.

This topic came up recently

... Continue reading Tricking the "script" Command


Dealing with PC Guardian's Encryption Plus Hard Drive (EPHD)

Dealing with EPHD, or PC Guardian's Encryption Plus is not too bad provided it has been setup correctly. By being setup correctly, I mean that the PC administrators have created an account that anyone can use to get past the hard drive encryption. This account and password needs to be treated just like the admin account. Only those people who need to know it, should have the userid and password.

On a side note: If your corporation has not implemented for your laptops and mobile devices, I have to ask why not? Hard drive encryption is much cheaper to implement then letting your corporate secrets and customer data out into the public.

Before We Begin

Before doing anything talk with your management and legal with regard to how they want you to proceed with imaging the encrypted devices. They may feel that this methodology is not right for them. The other aspect to be aware of is do you image the drive in its encrypted state and then use the

... Continue reading Dealing with PC Guardian's Encryption Plus Hard Drive (EPHD)