Time Sensitive Forensic Question

Networking/Security Forums -> Computer Forensics and Incident Response

Author: wraheem PostPosted: Mon Apr 05, 2010 10:21 pm    Post subject: Time Sensitive Forensic Question
    ----
Hello All!

I have someone who would like for me to look at her home computer to try to determine if someone has been using the computer for cheating, porn, etc...

My problem is this; I would like to image the drive then perform forensics on the image. However, I will only have a two hour window to look at it. She is particularly interested if there are photos and the like that may have been deleted.

I am wondering whether a dd image of the drive can be searched for deleted files the same way the actual drive can. I guess in a nutshell, should I use the time to perform the drive image or to search for deleted files, etc.?

Thank you for your help!

Author: Groovicus    Location: Centerville, South Dakota    PostPosted: Tue Apr 06, 2010 12:15 am    Post subject:
    ----
An image created using dd is a mirror image of the drive being imaged. It is used by forensic investigators for making forensically sound images of data.

http://www.forensicswiki.org/wiki/Dd
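To make the "mirror image" point concrete, here is a small added model (my own illustration, not code from any poster or from dd itself) of a dd-style block copy with `conv=noerror,sync` semantics, followed by the two checks a practitioner would do: hash the image against the source, then run a signature carve over the image and over the "drive" and compare. The sample "drive" is constructed in the script: a live text file, a JPEG whose bytes still sit in unallocated space after deletion, and free space.

```python
import hashlib
import io

BLOCK = 512  # dd-style block size; kept small for the demo (assumption)

# Constructed sample "drive" (not real disk data): a live file, then a
# deleted JPEG whose bytes still occupy unallocated space, then free space.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"\xff\xd9"
DRIVE = (b"live file contents\n".ljust(BLOCK, b"\x00")
         + JPEG.ljust(BLOCK, b"\x00")
         + b"\x00" * (BLOCK * 2))

def image_device(dev, block=BLOCK):
    """Copy a device stream block by block, byte for byte, the way
    dd conv=noerror,sync does: a block that fails to read is zero-filled
    so every later offset in the image still lines up with the disk."""
    out = io.BytesIO()
    while True:
        try:
            chunk = dev.read(block)
        except OSError:
            chunk = b"\x00" * block
        if not chunk:
            break
        out.write(chunk.ljust(block, b"\x00"))
    return out.getvalue()

def sha256(data):
    """Hash used to verify the image matches the source before analysis."""
    return hashlib.sha256(data).hexdigest()

def carve_jpegs(data):
    """Signature carving: scan every byte (allocated or not) for JPEG
    start-of-image and end-of-image markers and return each candidate."""
    found, pos = [], 0
    while True:
        start = data.find(b"\xff\xd8\xff", pos)
        end = data.find(b"\xff\xd9", start) if start != -1 else -1
        if end == -1:
            return found
        found.append(data[start:end + 2])
        pos = end + 2

def demo():
    """Image the constructed drive, verify the hash, carve both copies."""
    image = image_device(io.BytesIO(DRIVE))
    hashes_match = sha256(image) == sha256(DRIVE)
    return hashes_match, carve_jpegs(image), carve_jpegs(DRIVE)
```

Because the copy is bit-for-bit, the deleted JPEG is recovered from the image exactly as it would be from the drive, so the imaging and the carving do not compete for the time window: carving can happen later, off the verified image.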

Author: DHay13    Location: Pittsburgh, PA    PostPosted: Tue Apr 06, 2010 4:43 am    Post subject:
    ----
Much of this depends on the forensic software you will be using. A DD image will open using most of these. If not then opening the image in FTK Imager will enable you to convert the image to an E01.

I think what you are asking pertains more to the time constraints. Someone else will have to answer this but I do know that Helix will produce all images on a drive in a relatively fast manner but I don't know if it will 'carve' deleted files (I don't use Helix). FTK will but I don't think it's possible given the time span that you have indicated. I'm sure there are other software packages that will carve these files on a live system but not too sure about how long they will take.

How large is the drive? Without a high-priced forensic duplicator I think imaging in a 2 hour window might be tough. Not impossible, but without knowing the HD capacity, I can't say. The last image I created in the field was using my HP laptop with an AMD Turion dual core CPU with 2GB of RAM. Using USB cables to connect my write-blocker and my external drive, it took 36 hours to image a 320 GB drive. Using FireWire or eSATA will dramatically cut down on this time, as will using the Linux commands (I was using FTK Imager). Time wasn't an issue on this one and it was more of an experiment to see how long it would take.

Author: wraheem PostPosted: Tue Apr 06, 2010 7:58 pm    Post subject:
    ----
Thank you for your responses!!! I believe it's a laptop around ~80GB... the last time I created a dd image with the Helix boot disk it took close to the two hour window that I have; that's why I was concerned more about which approach I should take.

Obviously I'm still new to all of this but it's some of the most interesting computer work I have done in the past 13 years!!!

Thanks again!!!

Author: DHay13    Location: Pittsburgh, PA    PostPosted: Tue Apr 06, 2010 9:14 pm    Post subject:
    ----
Another thing to add, if you are not properly trained in forensically sound techniques then I would advise against it. Leave it to a professional. If this case were to go to court then you might do more harm than good.

Author: srohrbach    Location: San Diego    PostPosted: Wed Nov 17, 2010 9:34 pm    Post subject:
    ----
DHay13 wrote:
    Another thing to add, if you are not properly trained in forensically sound techniques then I would advise against it. Leave it to a professional. If this case were to go to court then you might do more harm than good.

I would second this. Do not run unprepared into forensics. What happens if you find child porn and have not handled this evidence correctly? Are you trained in how to contact local authorities in such a manner as to make the evidence useful? Do you know the laws governing the proper transfer of such files to an image? Are you authorized to transfer those files and hold them for forensic research as evidence? Or, if you take possession of the files, are you then guilty of owning illegal files yourself? If you cannot completely and accurately answer these questions, talk with the owner of the computer about the possibility of discussing this situation with a forensics professional who may in turn refer you to the law. Don't play around with this.
