Security Forums
Time Sensitive Forensic Question

Author: wraheem (Just Arrived; joined 05 Apr 2010; posts: 0)
Posted: Mon Apr 05, 2010 10:21 pm    Post subject: Time Sensitive Forensic Question

Hello All!

I have someone who would like for me to look at her home computer to try to determine if someone has been using the computer for cheating, porn, etc...

My problem is this: I would like to image the drive and then perform forensics on the image. However, I will only have a two-hour window to look at it. She is particularly interested in whether there are photos and the like that may have been deleted.

I am wondering whether the dd image of the drive can be searched for deleted files the same way the actual drive could. I guess in a nutshell, should I use the time to perform the drive image or to search for deleted files, etc.?

Thank you for your help!
Author: Groovicus (Trusted SF Member; joined 19 May 2004; posts: 9; location: Centerville, South Dakota)
Posted: Tue Apr 06, 2010 12:15 am

An image created using dd is a mirror image of the drive being imaged. It is used by forensic investigators for making forensically sound images of data.

http://www.forensicswiki.org/wiki/Dd
Author: DHay13 (Just Arrived; joined 21 Dec 2009; posts: 0; location: Pittsburgh, PA)
Posted: Tue Apr 06, 2010 4:43 am
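An added example (not code from the thread or from the forensicswiki page) showing why the answer above holds: a dd image is a byte-for-byte copy, so it hashes identically to the source and a deleted photo's JPEG signature sits at the same offset in the image as on the drive. The "drive" here is a constructed 64 KiB file with a JPEG header planted at an assumed offset; the paths are temporary and the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: build a small constructed "drive", image it with dd,
# check that the image hashes identically to the source, and find a planted JPEG header
# at the same byte offset in both. Paths and the planted offset are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/drive.raw"   # stands in for the physical disk (constructed, 64 KiB)
IMG="$WORK/drive.dd"    # the dd image of it
JPEG_OFFSET=20480       # where the "deleted photo" remnant is planted (assumed)

# Constructed disk: all zeros, with a JPEG SOI+APP0 signature (FF D8 FF E0) written into
# what would be unallocated space, as a deleted picture's data remains on a real drive.
make_fake_drive() {
    dd if=/dev/zero of="$SRC" bs=1024 count=64 2>/dev/null
    printf '\377\330\377\340' | dd of="$SRC" bs=1 seek="$JPEG_OFFSET" conv=notrunc 2>/dev/null
}

# Bit-for-bit copy the way a forensic dd is run: fixed block size, continue past read errors
# and pad any unreadable block with zeros so every later byte keeps its offset (conv=noerror,sync).
image_drive() {
    dd if="$SRC" of="$IMG" bs=4096 conv=noerror,sync 2>/dev/null
}

# SHA-256 of a file with sha256sum (GNU) or shasum (BSD/macOS), whichever is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Byte offset of the first FF D8 FF E0 sequence, found by scanning a one-byte-per-line hex
# dump with a 4-byte sliding window. This is the signature search a carver does; it reads
# raw bytes only, so it gives the same result on the image as on the drive.
find_jpeg_offset() {
    od -An -v -tx1 "$1" | tr -s ' \n' '\n\n' | awk '
        NF { n++; w = w $1; if (length(w) > 8) w = substr(w, 3)
             if (w == "ffd8ffe0") { print n - 4; exit } }'
}

make_fake_drive
image_drive
echo "source sha256: $(hash_file "$SRC")"
echo "image  sha256: $(hash_file "$IMG")"
echo "JPEG header at byte $(find_jpeg_offset "$SRC") on the source, $(find_jpeg_offset "$IMG") in the image"
```

Record the two hashes before you start examining the image; a later re-hash that still matches is how you show the copy was not altered.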

Much of this depends on the forensic software you will be using. A DD image will open using most of these. If not then opening the image in FTK Imager will enable you to convert the image to an E01.

I think what you are asking pertains more to the time constraints. Someone else will have to answer this, but I do know that Helix will produce all images on a drive in a relatively fast manner; I don't know if it will 'carve' deleted files (I don't use Helix). FTK will, but I don't think it's possible given the time span that you have indicated. I'm sure there are other software packages that will carve these files on a live system, but I'm not too sure about how long they will take.

How large is the drive? Without a high-priced forensic duplicator I think imaging in a 2-hour window might be tough. Not impossible, but without knowing the HD capacity, I can't say. The last image I created in the field was using my HP laptop with an AMD Turion dual-core CPU with 2GB of RAM. Using USB cables to connect my write-blocker and my external drive, it took 36 hours to image a 320 GB drive. Using FireWire or eSATA will dramatically cut down on this time, as will using the Linux commands (I was using FTK Imager). Time wasn't an issue on this one and it was more of an experiment to see how long it would take.
Author: wraheem (Just Arrived; joined 05 Apr 2010; posts: 0)
Posted: Tue Apr 06, 2010 7:58 pm

Thank you for your responses!!! I believe it's a laptop, around ~80GB... the last time I created a dd image with the Helix boot disk it took close to the two-hour window that I have; that's why I was concerned more about which approach I should take.

Obviously I'm still new to all of this, but it is some of the most interesting computer work I have done in the past 13 years!!!

Thanks again!!!
Author: DHay13 (Just Arrived; joined 21 Dec 2009; posts: 0; location: Pittsburgh, PA)
Posted: Tue Apr 06, 2010 9:14 pm

Another thing to add: if you are not properly trained in forensically sound techniques, then I would advise against it. Leave it to a professional. If this case were to go to court, then you might do more harm than good.
Author: srohrbach (Just Arrived; joined 03 Nov 2010; posts: 0; location: San Diego)
Posted: Wed Nov 17, 2010 9:34 pm

DHay13 wrote:
    Another thing to add, if you are not properly trained in forensically sound techniques then I would advise against it. Leave it to a professional. If this case were to go to court then you might do more harm than good.

I would second this. Do not run unprepared into forensics. What happens if you find child porn and have not handled this evidence correctly? Are you trained in how to contact local authorities in such a manner as to make the evidence useful? Do you know the laws governing the proper transfer of such files to an image? Are you authorized to transfer those files and hold them for forensic research as evidence? Or, if you take possession of the files, are you then guilty of owning illegal files yourself? If you cannot completely and accurately answer these questions, talk with the owner of the computer about the possibility of discussing this situation with a forensics professional who may in turn refer you to the law. Don't play around with this.
All times are GMT + 2 Hours