January 2008 — Features
CSI: Hard Drive
Digging Deep
COMPUTER FORENSICS EXPERTS SAY THESE FOUR SOFTWARE TOOLS CAN ROOT OUT WRONGDOING.
Helix: A bootable live CD that has been modified very carefully to not touch the host computer in any way. However, the software soaks up a lot of RAM (a minimum of 128 MB on a Pentium-class computer is recommended).
EnCase: Version 2 allows organizations to maintain a strong chain of custody while using the software to efficiently search, collect, and preserve only relevant data, and process the information for attorney review. According to its website, law firms rank EnCase among the top five software tools of its kind.
ProDiscover: Finds data hidden in the most remote places on a hard drive. Designed to the National Institute of Standards and Technology Disk Imaging Tool Specification 3.1.6, the program also gives you the capability to compare your files against information from the National Drug Intelligence Center's HashKeeper database of authenticated, or "known to be good," files.
Forensic Toolkit: An integrated solution that allows users to create an image, conduct an investigation, decrypt files, crack passwords, and build a report. Lets you search, display, and report on data.
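Two of the capabilities listed above come down to file hashing: ProDiscover's comparison against a "known to be good" hash database lets an examiner set aside authenticated system files and concentrate on what remains, and a strong chain of custody depends on recording an evidence image's hash at acquisition and re-verifying it later. The script below is an added example written for this article, not code from any of the tools named; the "known-good" hash set and the sample evidence directory are constructed inline so it runs offline, and no HashKeeper data is used.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a HashKeeper-style database of authenticated files.
# Real hash sets are distributed as lists of digests; here the digests are
# computed from constructed sample content so the example is self-contained.
KNOWN_GOOD_CONTENT = {
    b"Operating system library, unmodified\n",
    b"Vendor-supplied driver package\n",
}


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


KNOWN_GOOD_SHA1 = {sha1_of_bytes(c) for c in KNOWN_GOOD_CONTENT}


def hash_file(path, algorithm="sha1", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_directory(root, known_good):
    """Split files under root into (known, unknown) by hash-set membership.

    Known files match the authenticated set and can be excluded from review;
    unknown files are what the examiner actually needs to look at.
    """
    known, unknown = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = os.path.join(dirpath, name)
            (known if hash_file(p) in known_good else unknown).append(p)
    return known, unknown


def verify_image(path, recorded_hash, algorithm="sha1"):
    """Chain-of-custody check: recompute the hash and compare it with the
    value recorded when the evidence was acquired."""
    return hash_file(path, algorithm) == recorded_hash


def build_sample_case():
    """Create a constructed evidence directory: two known-good files, one unknown."""
    root = tempfile.mkdtemp(prefix="forensic_sample_")
    for i, content in enumerate(sorted(KNOWN_GOOD_CONTENT)):
        Path(root, f"system_{i}.bin").write_bytes(content)
    Path(root, "notes.txt").write_bytes(b"Draft not matched by any known-good hash\n")
    return root


def run_demo():
    root = build_sample_case()
    known, unknown = triage_directory(root, KNOWN_GOOD_SHA1)

    # Record the hash of the unknown file at "acquisition", then re-verify it.
    target = unknown[0]
    recorded = hash_file(target)
    intact_before = verify_image(target, recorded)

    # Any change to the bytes after acquisition must make verification fail.
    Path(target).write_bytes(b"tampered\n")
    intact_after = verify_image(target, recorded)

    return {
        "known": len(known),
        "unknown": len(unknown),
        "intact_before": intact_before,
        "intact_after_change": intact_after,
    }


if __name__ == "__main__":
    print(run_demo())
```

The triage step is only as trustworthy as the hash set it is fed, so a production workflow records which set (and which release of it) was used alongside the results, and the integrity check is repeated at each hand-off so that the recorded digest, not the examiner's memory, is what establishes the image has not changed.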
For the more intense searches, law enforcement and government agencies use programs such as ProDiscover, EnCase, and Forensic Toolkit (FTK). ProDiscover offers a free version, which Williams recommends to the school IT administrators who attend his classes as a good place to start.
But don't assume all sophisticated software packages come with an astronomical price tag. AccessData's FTK product right now goes for $2,000 for a license and functionality that includes password cracking, imaging, analysis, and support. And that's open to negotiation. "We have worked some deals with entire districts," Karney says, "but typically one person at one school has a copy of it with maintenance for $500 a year."
Sticking to Sound Procedures
An IT professional needs a full week of 8-to-5 classwork to conquer the basics of computer forensics; forensic certifications require additional weeks of study. Training also needs to be ongoing, as the larger vendors release updates to their software at least once a quarter. "Things change fast, so we have to constantly add new features, functionality, and product lines," Karney says. For instance, Microsoft Vista's introduction required that he add multiple layers and changes to FTK.
However, training isn't an end-all. "Just because you take a 40-hour class does not mean that you are qualified to perform a really in-depth forensic examination," says Phil Harrold, a state law enforcement officer in Marathon, FL, who sits on the board of the International Society of Forensic Computer Examiners. "A 40-hour class will train you in basic evidence handling and preservation, but you need practice to become adept at it."