[FoRK] electronic forensics
Kevin Elliott <K-Elliott at wiu.edu>
Sat Dec 16 20:51:20 PST 2006
I actually spent some time interviewing with a company that's pretty
active in this space (at least on the OSX side). It's not as
advanced as you might think. My understanding is that the basic
procedure is to duplicate the drive and then work off the copy. I
suspect that the legal side of things is mostly protected by always
being able to start over again from the original drive and
replicating the results.
Software-wise it was pretty standard data recovery tools with the
addition of lots of logging. Not really a lot of extra
"intelligence" in the software to find things the investigator might
overlook, etc. Very much a tool for an expert rather than an
automated do-all-the-work-for-you problem.
FYI: I think if somebody is willing to point an electron microscope
at your platters you're pretty well screwed. If they're willing to
spend that kind of money, they're probably willing to grab you and
break your arms to get what they want ;). Certainly it's well above
what the average police department is willing/able to pay for.
At 1:11 -0500 on 12/16/06, Reese wrote:
>I'm curious what is entailed in a forensic examination of a hard drive.
>I've heard that people with electron microscopes can pull things off of
>a platter that have been overwritten several times but gee, how many
>of these garden variety places* advertising their forensics services
>can afford one of those and all it entails?
>So they are presumably using some software solution, perhaps even hex
>editing programs. What software though? Do these software solutions
>have names? Browser history records, cookies, cache files, all the
>usual places the OS will let you store files at. What else is there
>to know about doing a forensic exam on a hard drive? The odd program
>that will let the user save a file in an unusual place? Which programs
>do that? And which programs check for existence of things like that?
>Presumably, forensics examinations differ from simple data recovery in
>that there are chain of evidence protocols and added documentation
>requirements on what is found, as well. Is there more?
>*- Google it, they are legion and they clutter search results like the
>many pieces of straw in a haystack concealing a few grains of rice.
Arguing with an engineer is like wrestling with a pig in mud.
After a while, you realize the pig is enjoying it.
Kevin Elliott <mailto:kelliott at mac.com>
AIM/iChatAV: kelliott at mac.com (video chat available)
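As an added illustration of the duplicate-then-work-on-the-copy procedure Kevin describes (example code written for this page, not code from the thread or from any vendor it mentions), the POSIX shell script below images a constructed sample "drive" file with dd, hashes source and copy, records every step in a log, and then searches only the image. WORKDIR, the log format, the sidecar hash file and the planted string are all assumptions for the example; a real acquisition goes through a hardware write blocker and a forensic imager such as dc3dd, and the log should also record who ran each step.

```shell
#!/bin/sh
# Added example, not from the FoRK thread: acquire a bit-for-bit image of a
# "drive", hash source and copy, log every step, then work only on the copy.
# The drive here is a constructed 1 MiB sample file so the script runs offline;
# WORKDIR, the log format, the .sha256 sidecar and the planted string are
# assumptions made for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
LOG="$WORKDIR/acquisition.log"

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"; }

# Constructed sample "evidence drive": deterministic 1 MiB filler with a
# recognisable string planted at offset 4096, so that carving has something to find.
make_sample_drive() {
    dev="$1"
    yes 'filler' | head -c 1048576 > "$dev"
    printf 'the password is hunter2\n' | dd of="$dev" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Acquisition: copy with dd, hash both sides, record the image hash beside the
# image and in the log, and drop write permission so the original is never
# written to again. Returns 0 only if the two hashes match. On a damaged disk
# use a forensic imager (dc3dd, dcfldd) or dd conv=noerror,sync, in which case
# the padded image hash will legitimately differ from the source hash; record
# both regardless so the acquisition can be replayed from the original.
acquire_image() {
    src="$1"; img="$2"
    log "acquire start src=$src img=$img"
    dd if="$src" of="$img" bs=64k 2>>"$LOG"    # dd's record counts go into the log
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s\n' "$img_hash" > "$img.sha256"
    log "sha256 src=$src_hash"
    log "sha256 img=$img_hash"
    chmod a-w "$src" "$img" "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Examination happens on the image only. grep stands in for the data recovery
# tooling the thread describes: carve the first match of a pattern out of raw
# bytes (-a treats the image as text, -o prints only the matched text).
search_image() {
    img="$1"; pattern="$2"
    log "search pattern=$pattern img=$img"
    grep -a -o -m 1 "$pattern" "$img"
}

# Later re-verification against the hash recorded at acquisition, so the
# examiner can show that the image examined is the one that was acquired.
verify_image() {
    img="$1"
    recorded=$(cat "$img.sha256")
    current=$(sha256sum "$img" | cut -d' ' -f1)
    log "verify img=$img recorded=$recorded current=$current"
    [ "$recorded" = "$current" ]
}

# Stand-alone demo: build the sample drive, image it, search the copy, verify,
# and print the log so the whole chain of steps is visible.
make_sample_drive "$WORKDIR/evidence.dd"
acquire_image "$WORKDIR/evidence.dd" "$WORKDIR/evidence.img"
search_image "$WORKDIR/evidence.img" 'hunter2'
verify_image "$WORKDIR/evidence.img"
cat "$LOG"
```

The point of the log is the one Kevin makes about the legal side: every command, hash and search is recorded against a timestamp, so a second examiner can start again from the read-only original and reproduce the same results.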