646 Chapter 11 • Operational and Organizational Security: Incident Response
small-capacity media. To avoid legal concerns about possible alteration, no compression or translation is used in creating the image.
■ Encase Unlike SafeBack, which is a character-based program, Encase has a friendly graphical interface that makes it easier for forensics technicians to use. It provides for previewing evidence, copying targeted drives (creating a bitstream image), and searching and analyzing data. Documents, zipped files, and e-mail attachments can be automatically searched and analyzed, and registry and graphics viewers are included. The software supports multiple platforms and file systems. The software calls the bitstream drive image an evidence file and mounts it as a virtual drive (a read-only file) that can be searched and examined using graphical user interface (GUI) tools. Timestamps and other data remain unchanged during the examination. The “preview” mode allows the investigator to use a null modem cable or Ethernet connection to view data on the subject machine without changing anything; the vendor says it is impossible to make any alterations to the evidence during this process.
■ ProDiscover This Windows-based application, designed by the Technology Pathways forensics team, creates bitstream copies saved as compressed image files on the forensics workstation. Its features include the ability to recover deleted files from slack space, analyze alternate data streams for hidden data, analyze images created with the UNIX dd utility, and generate reports. The vendor hosts an e-mail discussion list for exchange of tips and techniques and peer support for users of computer forensics products (www.techpathways.com).
If data recovery is needed, the OS being used and/or the media being used to
store the evidence must be identified. Once this is determined, it is possible to
decide on the methodology and tools needed to recover the data.
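The tools above all rest on the same acquisition step: a bit-for-bit copy of the subject media, taken read-only and fixed with a hash so that any later alteration of the image can be detected. The following added example (not code from SafeBack, Encase, or ProDiscover) makes an uncompressed, dd-style bitstream copy in Python, records the SHA-256 of the source and of the image, and shows that a single byte appended to the image afterwards fails verification; the sample "drive" is a constructed file, not real evidence.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # bytes copied per read; a multiple of the usual sector size

def sha256_of_file(path, block_size=BLOCK_SIZE):
    """Hash a file block by block so large images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()

def bitstream_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy every byte of the source into the image with no compression or
    translation; returns a manifest the examiner records with the evidence."""
    source_digest = hashlib.sha256()
    copied = 0
    # The source is opened read-only; the original is never written to.
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            source_digest.update(block)
            dst.write(block)  # raw bytes only, nothing transformed
            copied += len(block)
    return {
        "source": source_path,
        "image": image_path,
        "bytes": copied,
        "source_sha256": source_digest.hexdigest(),
        "image_sha256": sha256_of_file(image_path, block_size),
    }

def verify_image(manifest):
    """True only if the image on disk still matches both acquisition hashes."""
    current = sha256_of_file(manifest["image"])
    return manifest["source_sha256"] == manifest["image_sha256"] == current

def demo():
    """Image a constructed sample drive, verify it, then detect a changed byte."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "subject.raw")  # constructed, not real media
    image = os.path.join(workdir, "subject.img")
    with open(source, "wb") as handle:
        handle.write(bytes(range(256)) * 48 + b"trailing partial sector")
    manifest = bitstream_image(source, image)
    ok_before = verify_image(manifest)
    with open(image, "ab") as handle:
        handle.write(b"\x00")  # simulate accidental modification of the image
    return manifest, ok_before, verify_image(manifest)
```

On real media the source would be a block device opened through a hardware or software write blocker; the hash comparison is what lets the examiner show in court that the image examined is the one acquired.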
Processing a crime scene also requires preventing any data from being damaged or lost before it can be examined and recorded. This involves taking the precautions mentioned above regarding the preservation of evidence. Photographs should be taken of what is on the screen of the computer, so that any information can be analyzed at a later time. Photographs should also be taken of any other evidence and the scene itself. This provides a visual record that may also be presented as evidence. Photographs should also be taken of how the equipment is set up. When the equipment has been transported and before the examination begins, the equipment must be set up exactly as it was at the crime scene. After the case is completed,
www.syngress.com