Friday, November 03, 2006

Real Life Imaging

Disk imaging is one of those details of our jobs that we find all too easy to take for granted. Imaging in the lab takes on the feel of a robotic routine. Only the necessity of taking detailed notes in the case notebook keeps me from making those mistakes of familiarity.

But in the field it can be really different, as I found out AGAIN this week. It seemed a simple job: I had been contracted to go to a small town about 45 miles away, image 9 drives, and then perform analysis on them back in the shop.

After meeting with the attorney and going over the discovery responses and interrogatories, we thought we had a good idea of what was involved. The age of the computers in the answers, and the fact that they said nothing had been repaired or upgraded since 2003, indicated drives in the 40-80GB range. So I headed off with my field acquisition kit and a box full of 80GB hard drives. As always, I threw in a couple of 160GB drives "just in case".

Oh, woe is me. The defendants didn't quite disclose the whole truth (maybe not any truth), and I found 12 computers with fairly new drives in the 100-160GB range. Not only that, but a couple of the cases were locked, and of course no one knew where the keys were.

To make things even better, on the first day, even though we had an order from a Federal Judge to enter and acquire evidence, the employees on site called the local police and had us removed from the property. The attorney had to contact the Judge and get us back in the next day under court auspices.

In short, there is no such thing as a routine day in on-site imaging. In the next few days I will discuss how we overcame the lack of information and how we achieved the imaging goal.

Since this blog is going to be aimed at the practical side of forensics, I'm going to try to cover real-life scenarios and situations we face in the real world every day.


At 8:29 PM, Blogger Keydet89 said...

Ah, the war stories! Maybe we should do something like what NoVASec does, just to meet and swap stories!

Just remember...the customer is ALWAYS right...except when they're not.

At 8:35 PM, Blogger Keydet89 said...

Speaking of which, you know what I'd love to do? I'd love to teach a course in computer forensics, or a series of courses, that includes things like planning for engagements.

I learned my lesson a long time ago (although I keep getting reminded all the time)...I was stationed at DLI while waiting to process out of the military, and I was assisting a SSgt who'd taken over a room as his office. There was a round credenza with 6 Gateway systems, hooked up via 10Base2 connections...they were part of then-Commandant Gen Krulak's effort to get Marines to be warfighters by letting them play "Marine Doom" during lunch, rather than PT. Anyway, the SSgt had disassembled the credenza and then reassembled it so that each half was flush against opposing walls. He and his crew of merry LCpls and PFCs had put everything back together, but the IPX network had no joy. He kept telling me over and over that he'd put it back together EXACTLY the way it was before. I found that the Doom/Quake server had been unplugged, and the T-connector and terminator removed...the coax was run directly into the NIC. I set things right and like magic things came back up again.

The lesson...never assume that the client knows what they're talking about. Many times, he or she will tell you something, just so that they don't look like they know nothing. That's how one machine with a 10GB hard drive becomes 30 systems, with combinations of RAID configurations, SCSI, EIDE, etc.

At 3:32 PM, Blogger LonerVamp said...

Just wanted to say hey, you have someone "watching" via a feed! :) I got here from Harlan's post comments. I'm not really a forensics professional, and am still one of those jack-of-all-trades IT guys, but ya never know, I might find myself in a position to focus fully on forensics someday! Until then, I'll enjoy reading your blog, and I'll try to contribute as I can in my own newbish way. :)
