You've taken the plunge. You want to work in digital forensics. Congratulations. You've told your boss of this interest, managed to get some forensics training (SANS FOR508 of course!) and hyped up the type of things you would be able to accomplish. You feel good about yourself.
Until now.
Two months after your course.
And you haven't had time to practice anything, let alone review the material.
The situation: You were called in and asked to use all of these new skills to help solve a problem. And the pressure is on, as they want some answers by the end of the day. Now you are wondering: why did I tell them I wanted to do this again?
Don't panic.
You can do this. We've all been there. All you need is a little help from your friends.
The goal of this series is to help guide you through a case, and provide suggestions on how you would go about attacking the problems you will face. So let's get down to business.
Part 1: Acquiring images from local systems
Probably one of the easiest tasks is acquiring the images from computers you can walk up to and physically touch. And the easiest way I have found to do this is with the Helix 3 PRO program that comes with the Forensics 508 classes now. Pop the DVD into the computer in question, attach a USB drive and launch Helix.
A few small tips on the settings I use with Helix:
- Make sure you capture the volatile information first. You don't want to lose this information, and capturing the volatile information after taking the disk image is, let's just say, nowhere near as useful.
- Ensure the output type is set to RAW.
- I select the entire disk as the source, not just the partitions. This gives me everything to work with, and helps ensure I don't miss anything.
- I change the segmentation setting from the default 2GB segments to a single file. I do this since I only want to work with one image for each system.
- Make sure you choose a hash type you want to calculate. This is just best practice and helps to show that the image hasn't been tampered with.
- Set the destination file name as something that has meaning and not just "disk_image.img". When you have 28 images with the same file name, it gets confusing. Use something that is easy to reference and that will work for you. I tend to use the hostname of the system I am imaging and the date, as it makes it easy for me to find what I am looking for later and my work is all within one organization.
Helix will allow you to image the hard disk, create the hashes, and generate the chain of custody forms for you, all with the click of a button. The latter two are little things that you may forget to do right away, or at all.
One final thing you need to remember at all times is to take notes of what you are doing, where you are doing it and when. This will save you time later when, for example, you need to remember whether or not you typed a command. Even fat-finger mistakes: make sure you note them. It makes it so much easier when you need to dig deep later.
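Helix does all of this with a click, but the same checklist (RAW output, whole disk, single file, a hash, a meaningful file name, and timestamped notes of every step) can be followed by hand. The script below is an added example, not code from the original post or from Helix; it assumes GNU coreutils (dd, sha256sum, date) and a source device such as /dev/sda (placeholder), and it writes its notes file next to the image.

```shell
#!/bin/sh
# Added example: raw-image acquisition following the checklist above.
# Assumes GNU coreutils; run as root against a whole-disk device (e.g. /dev/sda).
set -u

# Hash a file with whichever SHA-256 tool is installed; prints only the digest.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_raw_image SOURCE DEST_DIR HOSTNAME
# Images SOURCE (the whole disk, not a partition) to DEST_DIR/<hostname>-<date>.img
# as a single RAW file, hashes source and image, and appends every step with a
# UTC timestamp to DEST_DIR/<hostname>-<date>.notes.txt.
# Prints the image path on success; returns 1 on a dd error or hash mismatch.
acquire_raw_image() {
    src=$1; dest=$2; host=$3
    stamp=$(date -u +%Y%m%d-%H%M%S)
    img="$dest/$host-$stamp.img"
    notes="$dest/$host-$stamp.notes.txt"
    log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$notes"; }

    log "START acquisition of $src on $host by $(id -un)"
    # noerror keeps reading past bad sectors; sync pads each bad read so offsets
    # stay aligned. bs=512 so padding only ever replaces a bad sector and never
    # extends the end of the image (a larger bs is faster but would break the
    # source/image hash comparison when the disk size is not a multiple of bs).
    log "CMD dd if=$src of=$img bs=512 conv=noerror,sync"
    if ! dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$notes"; then
        log "ERROR dd exited non-zero"; return 1
    fi
    src_hash=$(hash_file "$src"); img_hash=$(hash_file "$img")
    log "HASH source sha256=$src_hash"
    log "HASH image  sha256=$img_hash"
    if [ "$src_hash" != "$img_hash" ]; then
        log "MISMATCH hashes differ; image not verified"; return 1
    fi
    log "VERIFIED image matches source"
    printf '%s\n' "$img"
}
```

The notes file doubles as the record of exactly which command was run and when, which is the log you will want when you have to reconstruct your steps later.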
Next up, Part 2: Imaging those remote systems.
Jonathan works as a Senior Technical Specialist in IT Security for the Canadian federal government. He is a SANS mentor, a GIAC question writer and he holds numerous certifications including GCFA and GWAN. When not working, his spare time is filled by his 3 young daughters.