Domain: guidancesoftware.com
Stories and comments across the archive that link to guidancesoftware.com.
Comments · 25
-
Re: apple can pull some DMCA BS and sue them
Cellebrite has an American arm and is already the de facto forensics software for law enforcement in us and Canada.
Maybe for mobile but for PCs all I ever see is EnCase.
-
Re:Not Surprised
The fact is:
The FBI has a whole suite of tools for copying hard disks and other digital media in 1:1 format very quickly. A couple of them are EnCase and FTK (both of which I found on this Wikipedia page). Just at a glance, there are over a dozen tools the FBI could have used to make a 1:1 copy of the hard disk they were searching for.
If it were a criminal investigation I would assume they would have to take at least some hardware anyway for original evidence.
If it were a civil deal I can't imagine a single instance in which the need to grab that equipment was so damn urgent that they'd be obligated to screw over a business.
Take my commentary with a grain of salt though....I've never been raided by the FBI, and I'm sure they can get approval to do anything in the name of protecting MPAA or RIAA's interests, since so much of the work that justifies the FBI's existence comes directly from the pockets of industry in greasing the wheels of government.
-
Autopsy is the leading free tool for this
I'm not a full time professional in data recovery but I am trained and certified in hard drive forensics.
I'm assuming you're talking about recovering data that is lost from corruption errors, not the drive itself dying.
There's a variety of free command line tools that are used for recovering data from corrupted hard drives that function at various levels (such as inodes), but really, unless you have training in them or need something really specific, the graphic (via web browser) frontend Autopsy is the way to go:
http://www.sleuthkit.org/autopsy/
If I'm looking for a specific type of file, sometimes I'll use Foremost:
http://foremost.sourceforge.net/
As far as commercial software, EnCase is commonly used but pricey compared to Autopsy.
http://www.guidancesoftware.com/
The key thing with either the commercial or non-commercial options is to avoid damaging the file system you're working on. This means that if you're attempting to mount the drive from a working machine that you do so read-only (if you get really into this, there are hard drive -> USB mounts that block all writes) and if possible you clone the drive into an image and work on that rather than the original. The free version to do that is dd. Be sure to use the noerror option on it to make sure that a bad sector doesn't cause the process to fail.
Also, clone the entire drive, not just the partition in case there's data that you need outside of the partition. In other words, do this:
dd if=/dev/hda of=/forensics/image.dd conv=noerror,sync
Rather than this:
dd if=/dev/hda1 of=/forensics/image.dd conv=noerror,sync
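An added example, not code from the comment above and not part of Autopsy, Foremost or EnCase: the dd acquisition wrapped in a small POSIX shell script, with the check a practitioner wants afterwards, hashing the source and the image and comparing them (the same verification other comments on this page describe with MD5). A constructed 10240-byte scratch file stands in for the device so it runs offline; on a real system the source would be something like /dev/sda, read through a write blocker. It also shows a pitfall of conv=sync: with a block size larger than the device's sector size the final short read is zero-padded, the image ends up larger than the source, and the hashes no longer match. Assumed tools: dd, mktemp, and sha256sum or shasum.

```shell
#!/bin/sh
# Added example, not from the original comment: acquire a whole device with dd
# and verify the image by hash. A constructed scratch file stands in for the
# device so this runs offline; on a real system SRC would be e.g. /dev/sda,
# ideally behind a hardware write blocker.

hash_file() {
  # SHA-256 of one file; sha256sum on GNU systems, shasum on BSD/macOS.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

image_disk() {
  # image_disk SRC DST BS: copy every byte of SRC to DST in BS-byte blocks,
  # write both hashes next to the image, return 0 only if they match.
  src=$1; dst=$2; bs=$3
  # noerror: keep reading past a bad block instead of aborting.
  # sync: zero-fill the block that failed (or came up short) so every later
  # byte stays at its original offset; without it the image would shift.
  dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>/dev/null || return 2
  src_hash=$(hash_file "$src")
  dst_hash=$(hash_file "$dst")
  printf '%s  %s\n' "$src_hash" "$src" >  "$dst.sha256"
  printf '%s  %s\n' "$dst_hash" "$dst" >> "$dst.sha256"
  [ "$src_hash" = "$dst_hash" ]
}

make_fake_disk() {
  # Constructed stand-in for a disk: 20 sectors of 512 random bytes = 10240 bytes.
  dd if=/dev/urandom of="$1" bs=512 count=20 2>/dev/null
}

demo() {
  tmp=$(mktemp -d)
  make_fake_disk "$tmp/disk"
  # bs=512 matches the sector size: nothing to pad, image hash == source hash.
  if image_disk "$tmp/disk" "$tmp/image512.dd" 512; then
    echo "bs=512: image verifies ($(wc -c < "$tmp/image512.dd" | tr -d ' ') bytes)"
  fi
  # bs=4096 on a 10240-byte device: the last read returns 2048 bytes and sync
  # pads it to 4096, so the image is 12288 bytes and the hashes differ.
  if ! image_disk "$tmp/disk" "$tmp/image4k.dd" 4096; then
    echo "bs=4096: image does NOT verify ($(wc -c < "$tmp/image4k.dd" | tr -d ' ') bytes)"
  fi
  rm -rf "$tmp"
}

demo
```

Two things the script makes visible: noerror and sync belong together (noerror alone skips the unreadable block and shifts everything after it, so offsets in the image no longer line up with the disk), and a block size that is not a multiple of the sector size turns sync's padding into a size and hash mismatch that can be mistaken for a bad copy. On a drive that really has bad sectors the source cannot be hashed end to end in the first place, which is why the hashes of the image are recorded at acquisition time and the original is then left untouched.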
-
EnCase
Although it is primarily used as a forensic analysis tool, Guidance Software's EnCase is excellent for data recovery and there is extensive support for many filesystems and operating systems. It's darn expensive, but if you are really looking to get data back on a large scale then the long-term investment may be worth it.
-
Re:how how how?
Probably like this.
-
Re:Where and how do they search
Pretty deeply. There's special software for automating the process. No great skill is required to press a "scan" button.
-
Field Standard for Law Enforcement
EnCase® Forensic
http://www.guidancesoftware.com/products/ef_index.asp
I'm surprised no one has mentioned it yet.
It clones your HD and provides an image that law enforcement can work from & admit as evidence.
-
Re:A year ago...
Well, they can do a little more than that. Child porn collectors are busted every day using Encase.
-
I had my laptop taken at the border
I'm a u.s. citizen and had my laptop confiscated at the canadian border when re-entering the u.s. about three years ago. They also held me in a cell for a few hours until a person from ICE (immigration and customs enforcement) could arrive to interrogate me and my friends. After a few hours they let me through, turned around my canadian friends, and kept my laptop. They returned the laptop to me about four months later (with a burned copy of an EnCase client cd left in the cd rom drive).
I had nothing to hide and there was nothing I could imagine useful to them on that laptop. If I thought I had something to hide or a reason the government would think I was up to something that would warrant their taking my laptop (something more than my political activism), I would not have carried it across the border. In any event, this taught me a few things: 1) always encrypt entire partitions, including one's root partition, not individual files as I had been doing, 2) don't carry one's private encryption key when crossing borders [or in any obvious way the rest of the time], 3) always keep plenty of encrypted backups in different physical locations so that you can be back up to speed as soon as possible if your laptop is taken, 4) avoid carrying electronics across the border at all if one can't afford to replace the hardware soon afterward.
Personally, it made me happy to know the government spent time and resources copying and possibly picking through my innocuous files while there were other people out there busy with bringing an end to a government that found such activity useful.
Funny side note: my canadian friends, after being turned around and having to cross back to the canadian side a few hours later, were asked by the canadian border person, "why were you there at u.s. customs so long?"
My friends told them, "they said our friend was a suspected terrorist."
The canadian border person *laughed*, said "those americans are crazy", and let them on their way without any further hassle.
-
Re:missing the point
Correct. They have to use standard, approved forensic tools and techniques at every step or the defence will question the integrity of their evidence, or it could even be ruled inadmissible.
One of the most widely used forensic suites is EnCase.
-
Re:Question
The computer crimes unit in the department that I work for (as an IT flunky) seized a C64 about 2 years ago in a kiddie porn case, along with a good number of 5 1/4" disks, but no working drive. They sent a global email looking for anyone with old C64 hardware, and I donated my 1541 drive to the cause.
I'm not sure what the outcome was, but I know they still have the C64 up and running in their office.
It does present some interesting complications, from what (little) I know about the forensic examinations they do, they go to great pains not to alter the contents of the original media, using apps like EnCase to snapshot drives they're working with.
homer_ca: "How reliable are those 20 year old floppy disks?"
I'm not sure, but I have an unopened (still shrinkwrapped) box of 10 5 1/4's in my office that I've been considering tossing on eBay just for fun. Buy 'em and find out!
-
Re:Why go that far?
Any box that doesn't run Windows confuses most investigators.
You are far from correct. A lot of forensic investigators I have talked to actually use linux at times to do things such as image drives which is safer to do on linux than Windows and they are not straight Windows users.
Yep, all their tools are Windows-specific.
The reason they do use Windows tools most of the time is because the tried and true forensic applications are developed for Windows, such as Forensic Toolkit Pro http://www.accessdata.com/products/ftk/ and EnCase http://www.guidancesoftware.com/products/ef_index.asp, and since they work and have been well tested on Windows it makes little sense to increase the likelihood of problems by porting these applications to other OS's. The other big reason most tools are Windows centric is obviously because Windows is the most widely used OS and people like to use what they already have and know.
Windows may not be the greatest OS, and I know people love to bash it, but that does not mean the Windows tools developed for forensic investigations are of low quality. I work as a software developer in this field so I have a decent view on what the situation is, and your comment was way far off.
-
Re:Blatantly WRONG
As someone pointed out, EnCase Forensic is one of the standard tools used by investigators. Their web page states:
EnCase Linen Utility: The Linen utility is a Linux version of the industry standard DOS-based EnCase acquisition tool. While it performs the same basic function as the DOS version, it overcomes a number of limitations, such as non-Windows operating systems, extremely large hard drives and speed of acquiring data.
-
Re:Blatantly WRONG
You can't download a demo but you can send off for one.
http://www.guidancesoftware.com/products/index.asp
I guess this is so that they have a record of where you really live.
-
Re:Blatantly WRONG
The defacto application used by law-enforcement agencies to do these things is EnCase, if anyone is interested. It's major bucks though, and don't expect to be able to download a demo version.
;-)
-
when my comp. was confiscated, they left the cd...
for those curious what software some "law enforcement" agencies use, it seems that ICE uses Encase because they left the encase boot cd in the drive after they gave me back my laptop, 6 months after they stole it from me.
they had unjustly confiscated my laptop with no explanation after i landed in New York. (and my name is not Yusef Islam, but i do like his music.) it gives me comfort to know, however, that as they spent/spend their time and U.S. taxpayer money getting files off of my laptop and reading my email (or the part of it that wasn't encrypted), there are people around the world plotting to overthrow the U.S. government.
-
Re:Who needs books!?
There are all kinds of ways to image a SATA drive. It's a non-issue. Worse comes to worst, we boot your system up in DOS and acquire it via crossover cable.
EnCase supports Reiser3. I don't know whether Reiser4 is so radically different from Reiser3 that we can't decode the filesystem currently, but I'm sure we could roll it out the door quickly if there was a large need. We've done it for our customers before.
We can't yet do XFS, but we could still recover quite a bit of data from unallocated. As others have noted, all you need to get an image is good old dd.
In many respects, savvy forensics investigators are far ahead of most criminals. Police forces band together to create high tech task forces, and they tend to have plenty of budget (e.g. they have their own clean rooms for manufacturing damaged hard drive parts). With all the ways that Windows and most applications leak information, it requires an extreme amount of discipline to avoid littering your hard drive with evidentiary artifacts.
It sounds like you do need a book.
cheers,
Jon
-
Live "Forensics"
"Forensics" on a live system is a misnomer. For incident response, collecting live data on open ports, running processes, logged on users, and mounted devices is useful and sometimes necessary. Investigators should be sure to check -- gingerly -- whether any encrypted volumes are mounted.
Generally, however, if there's any chance that the investigation could wind up in court, it's best to pull the plug (literally) and conduct a static analysis of the hard drive. You lose access to running processes and some live registry keys, but otherwise just about everything exists on the hard drive and is accessible through standard forensic tools.
As a forensic programmer/consultant, one of the biggest problems I run into is when J. Random Sysadmin is tasked with conducting an initial investigation and ends up rampaging through the hard drive like a bull in a china shop. If you ever find yourself in this situation, stop and get the facts. There's no better way for a sysadmin to wind up in the doghouse than to ruin a legal investigation.
Jon
(Disclaimer: I work at Guidance Software, makers of EnCase, which is the all-in-one tool that can do all of the things mentioned in the review. But not for free...)
-
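An added example that is not part of Jon's comment and not EnCase tooling: a POSIX shell script that collects the live data the comment lists (open sockets, running processes, logged-on users, mounted devices, plus device-mapper entries as one place a mounted encrypted volume shows up) into a directory on separate media, most volatile first, and then hashes the collection so it can later be shown unaltered. The command names (ss, netstat, ps, w, who, mount, dmsetup), the /proc/mounts path and the output location are assumptions about a typical Linux host; any collector that is not installed is recorded as skipped rather than silently omitted.

```shell
#!/bin/sh
# Added example, not part of the comment above or of any EnCase tooling:
# collect volatile state from a live Unix host into OUT, most volatile first,
# then hash the collection so it can later be shown unaltered. OUT is meant to
# be on separate media (USB stick, network share) so nothing lands on the disk
# under examination. Command names are assumptions about a typical Linux box.

run_step() {
  # run_step FILE "CMD ARGS" ["ALT ARGS" ...]: run the first alternative that
  # is installed, keeping stdout, stderr and a failing exit status in FILE.
  f=$1; shift
  for alt in "$@"; do
    set -- $alt                # split "CMD ARGS" into words
    if command -v "$1" >/dev/null 2>&1; then
      if "$@" > "$f" 2>&1; then :; else echo "[exit status $?]" >> "$f"; fi
      return 0
    fi
  done
  echo "skipped: none of the collectors is installed" > "$f"
}

collect_live() {
  out=$1
  mkdir -p "$out" || return 1
  # Who ran this, on what, and when: the first line of the audit trail.
  { date -u; id; uname -a; } > "$out/00_context.txt" 2>&1
  run_step "$out/10_sockets.txt"   "ss -tulpan" "netstat -an"
  run_step "$out/20_processes.txt" "ps auxww" "ps -ef"
  run_step "$out/30_users.txt"     "w" "who"
  # Mounted filesystems and device-mapper targets: a mounted dm-crypt/LUKS or
  # similar container shows up here and is gone once the plug is pulled.
  run_step "$out/40_mounts.txt"    "mount" "cat /proc/mounts"
  run_step "$out/41_devmapper.txt" "dmsetup ls"
  write_manifest "$out"
}

write_manifest() {
  # SHA-256 of every collected file (GNU sha256sum, or shasum on BSD/macOS).
  ( cd "$1" && for f in *.txt; do
      sha256sum "$f" 2>/dev/null || shasum -a 256 "$f"
    done ) > "$1/manifest.sha256"
}

verify_manifest() {
  # Re-hash and compare; returns non-zero if any collected file changed.
  ( cd "$1" && { sha256sum -c manifest.sha256 >/dev/null 2>&1 ||
                 shasum -a 256 -c manifest.sha256 >/dev/null 2>&1; } )
}

# Usage: collect_live /media/evidence/host01-$(date -u +%Y%m%dT%H%M%SZ)
```

Every command here runs on the live system and therefore changes it a little (page cache, process list, last-login records), which is exactly the comment's point: the collection is documented, written elsewhere, and kept small, and anything that can be recovered from the disk afterwards is left for the static examination of an image.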
Re:Who needs books!?
The tool that you're probably referring to is EnCase by Guidance Software.
-
Re:The implication is scary...
Keep in mind that the people investigating these computer crimes are not skilled experts with electron microscopes. They are just cops with special training and a program named Encase. Unless you are a senator or somebody the administration really wants to convict they won't be putting your HD under an electron microscope. This is the police department not the CIA.
-
Re:Secure File Deletion
Wipe is a nice program, but it is simply overkill. It has been shown in studies that typically 3 passes of a data wiping program should make your data non-recoverable by standard means (using popular forensics tools such as EnCase, Maresware, NTI's batch of programs, or disk editors on whatever platform you are interested in). As to how much the U.S. government investigators are able to retrieve...well, that falls into your urban legends category I suppose. For the most part, DoJ guidelines suggest wiping your data 7 times as part of the norm. This is because of the non-precise manner in which hard drive read/write heads pass over the disk itself (more of a wobble rather than a perfect circular motion).
I just recently saw a whitepaper on EnCase's site that covered users of WinXP using EFS (encrypted filesystem) secure deletion (which just does 3 passes) that makes recovery of the deleted files not possible: this is the whitepaper. Just as the above referenced article concludes, it should be kept in mind that there are so many places to look on Windows and Unix machines other than what files were deleted. Perhaps pictures of your latest porn stash or the Word document covering your NDA violations are gone, but registry settings, file slack (as was mentioned in the parent article briefly), pagefiles, memory dumps, and many other locations that track your activities on a given machine can be used as well.
Wow, I did not mean to get so long winded...I just really get into computer forensics. My personal advice for decent file security and deletion is encryption + multi-pass deletion. There are several encrypted filesystems out there for both Windows and *nix, and a few options that are viable with both (BestCrypt file system containers and also BCWipe for deletion is a good example). I don't see the need to start advertising products, so check out the options for OS level and OS independent solutions.
-
Re:If the data don't fit, you must...
The chain of evidence? (The "chain of evidence" is a legal requirement that prosecutors be able to identify a particular person responsible for a piece of evidence from the time it is seized until it is presented in court.) I gave the perp a receipt for his computer. There's nothing that requires me to provide the perp with a listing of all the files--and no court in the world would let the perp do anything to that computer (like listing his files) when I seize it. I've provided a receipt for his computer--but who's to say what's on the hard drive?
IANAL but OTOH I have some professional familiarity with computer forensics, in particular, the obtaining of data from seized computers by the Police.
Here's what actually happens:
- Cops/Wallopers/The Bill/MIB/FBI/Plods (plural) take the box or boxes, tape em or seal em.
- Plods deliver the sealed boxes or bags to the forensics lab
- Forensics technicians, logging every step and usually with a video record, dismantle the machine, mobile phone, faxmachine or whatever and then plug the storage media into some special hardware that cannot physically write to that media (no electrical path). They then make a copy of what's on the drive/ramcard/whatever. The standard way of doing this is with a tool called EnCase which includes MD5 checksums. After that, the original media is not touched and is put away in a secure area. Only the copies are examined. And a copy of the files (in fact, the whole bitstream on the media) is provided to the suspect on request, and it can be demonstrated on demand that any copy has the same MD5 checksum as the original.
Alternatively, you'd need a conspiracy. But you'd still need to know a bit more than just an MSCE course to do it without leaving traces, or need the techos in on it.
This basic methodology has stood up to some courtroom challenges.
Of course this is just the basic one-size-fits-all method used on luser kiddieporners etc. For military or "homeland security" vs some people with a geek index > 0.1 you need something more powerful, able to read dead magnetic domains etc. But that's another story
-
Digital Evidence Software
In reality, the biggest difference between grep and so-called "forensics" software is the emphasis on examining the data without modifying it and maintaining the chain of custody and audit trail. In fact, many experienced computer investigators do their jobs with little more than dd, grep, and various other Unix utilities. Most of the digital forensics software out there simply attempts to make this functionality more accessible to your less tech savvy investigator. (The problems caused by inexperienced/unqualified investigators performing this type of analysis are beyond the scope of this response.)
I am currently the designer and project lead for a cross-platform open source (GPL) digital evidence processing suite. It is intended to bring together the various functionalities required to perform this type of work, and (ideally) operate on whatever platform the investigator desires. Our primary development platform is RedHat 7.1.
There are currently software packages out there that attempt to do this, including EnCase and The Forensic Toolkit in the commercial arena and The Coroner's Toolkit in the open source arena, however they lack the broad filesystem support and/or true ease of use to make them usable by everyone. The other barrier is price as EnCase, for example, costs thousands of dollars per copy.
We're well funded, and have already done a significant amount of work. We have some of our core components functional and plan on starting beta testing and releasing our first code drop later this year. If this field interests you and you'd like more information, or you work in the investigative field and have thoughts on what you'd like to see in such a tool, I'd love to hear from you.
-
Re:Why do they always do this?
Seizing evidence is standard procedure in a criminal investigation. The PC is generally locked down, then hooked up to another PC running investigative software. Sometimes a sector copy of the HD is taken and the evidence is collected off of that.
The collected evidence is used by the investigators and the DA to build their case, and generally presented in court and explained to the jury by an expert witness.