
Best forensics software 2


ArizonaGeek (IS-IT--Management, US), Aug 21, 2006
I am looking for some forensics software and was curious what would be some good names others have used. Looking for pluses and minuses of the software. Assume cost is not a factor.

My father in law is the sheriff for a small county and I may have an opportunity to do some work for them on a contract basis so I need something that would stand up in court.

Thanks for any info...
Rob
 
Encase has a proven track record in court cases. I suggest you also take their course.

There are other forensics programs available to law enforcement (some free) that are quite good.

However, it is not just the software; you need the knowledge base to go along with it.
 
It depends on where you are, but I know that in some states you are required to be a registered Private Investigator to do forensics work in legal cases. I recall that Arizona was pretty loose in their requirements, but I would definitely find out before I did any work and had the case thrown out by a judge because of a minor technicality like a certification.

I have to second Encase if you are trying to do forensics on a computer. They have an excellent reputation and you should never have to justify its use in a case.

You may also want to look at LogiCube if you only need to image the hard disk.

If your budget is small, there are free utilities like Penguin Sleuth and The Coroner's Toolkit (TCT) that are generally accepted (although you may have to justify or provide validation information on a given tool that you used to process the data).

A write-blocker is a requirement for legal work. Hardware is always preferable over software. So you need to know what kind(s) of hard disks you may be encountering (IDE, SATA, SCSI, etc).

And you will need plenty of external hard disks to work with because the image of the computer is still the same size as the original.

And be VERY careful not to break the chain of custody.


pansophic
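An added example (not from the thread) of the two checks that back up a claim that an image is what was acquired: the image is exactly the size of the source medium, its hash matches the hash recorded at acquisition, and each check is appended to a hash-chained custody log. The file names, the examiner label and the sample bytes are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-hundred-GB image fits in memory


def hash_image(path, algo="sha256"):
    """Hex digest of the whole image file, read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path, source_size, acquisition_hash, algo="sha256"):
    """A bit-for-bit image is exactly the size of the source and must hash to
    the value written down when it was taken; report both checks."""
    digest = hash_image(image_path, algo)
    return {"size_ok": os.path.getsize(image_path) == source_size,
            "hash_ok": digest == acquisition_hash, "digest": digest}


def log_custody_event(log_path, examiner, action, result):
    """Append one timestamped entry; each entry carries the SHA-256 of the
    previous line, so a removed or reordered entry breaks the chain."""
    prev = "0" * 64
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "action": action, "result": result, "prev": prev}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def demo():
    """Constructed sample (placeholder data): a 1 MiB 'image' is verified and
    logged, then one byte is altered and the re-verification is logged too."""
    d = tempfile.mkdtemp()
    img, log = os.path.join(d, "evidence.dd"), os.path.join(d, "custody.jsonl")
    data = bytes(range(256)) * 4096  # stands in for the imaged drive
    with open(img, "wb") as f:
        f.write(data)
    acq_hash = hash_image(img)  # the hash recorded at acquisition time
    clean = verify_image(img, len(data), acq_hash)
    e1 = log_custody_event(log, "examiner-1", "verify evidence.dd", clean)
    with open(img, "r+b") as f:  # simulate a single altered byte (data[100] is 0x64)
        f.seek(100)
        f.write(b"\x00")
    tampered = verify_image(img, len(data), acq_hash)
    e2 = log_custody_event(log, "examiner-1", "re-verify evidence.dd", tampered)
    return {"clean": clean, "tampered": tampered, "entries": [e1, e2]}
```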
 
Thanks for the advice. I have quite a bit of experience doing investigations, network and criminal, dealing with search warrants and court orders for chat, email and FTP sites.

A few years ago I worked for a large ISP on the east coast, but we used proprietary tools and at that 99% of it was Unix. For the last two years I've been working in a Windows shop and had no clue what to use in a Windows environment. My father in law and I are working out what I would need to make everything legal; I just figured I'd see what was out there in case I do go ahead with this. I am not even sure I want to; when I worked at the ISP it was 4 years of seeing things I care to never see again.

Thanks again for the info!
Rob
 
I was young and naive enough once to believe that it would be "cool" to see what was really going on. It didn't take long to figure out that there are a lot of things in this world that are better left unknown.

Good luck with it, though. I believe that it can be a profitable venture if it is structured correctly. You may get some better (more relevant) input from an organization like the High Tech Crime Investigation Association (HTCIA).



pansophic
 
Awesome information, pansophic! I myself have also seen things that are sickening. And at that point, I was only looking at the proxy logs (had to visually see the images/videos in order to confirm, although by looking at the name of the file/video, I didn't really want to). Nonetheless, I look at it as "hey, I didn't have to pay to look at it" (although my wallet would never open for most of the stuff).
 
Encase is a good tool.
I would go for something paid over something free in a situation like this though.


The Ultimate IT security Forum
 
Keep in mind that when doing forensics, never rely on just one tool. Yes, Encase is good, very good. A lot of LE use it. But you'll want other tools in your toolkit as well. I'd recommend taking a couple of forensic courses by SANS or someone else to start off with.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 