-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is always a concern about "homebrew" systems when it comes time to testify about your "platform" for analysis. The defense can make big whoopee out of your "homebrew" if it contains hardware that has not been tested and verified to comply with evidentiary standards, something most of the pre-builts claim, which in actuality is just a test by a security professional. Once you reach an established level, though, you are unlikely to be challenged in a way you couldn't overcome with a reasoned response.

As far as software and the like goes, keep in mind that there are no original thoughts in this area. Everyone is doing the same thing, usually in the same way, just slightly different with a different brand name on it. The technology is not as important as the administrator using it, so if you become a seasoned professional who uses these packages as tools, rather than a barely educated physical security specialist who relies on the tools for your analysis, you will be fine with just about any tool out there, even one not really designed for forensic analysis. You will be able to evaluate the evidence and its storage format, formulate a plan to copy it without changing it in any way, and recover it from the copy in a manner that is forensically sound.

Keep at it, but don't worry about the small stuff right now; just throw together what you can afford, learn to do it the hard way, then go back and automate your redundant tasks with the precompiled stuff later, once you've established yourself as an unimpeachable forensic technician.

Good luck!!

jeff

- -----Original Message-----
From: Elizabeth Genco [mailto:elizabeth.gencoat_private]
Sent: Monday, July 16, 2001 4:03 PM
To: 'forensicsat_private'
Subject: Forensics workstations

Hi again, everybody --

First of all, let me just say a big thank you to the myriad of folks who responded to my last message about making the transition to computer forensics. I was floored by the number of people who responded (both on and off the list), and was even more floored by the quality of said responses. I got some great advice from you all. Thanks so much!

With that kind of encouragement, I decided to give this list another shot. I've got a little time and spare equipment on my hands, so as an exercise for myself, I'd like to build a workstation for forensic examination. Now, this is purely an educational exercise, and as such, I'm not looking to create the most professional machine ever. I'm just trying to learn something, since I've got spare resources lying around (workstations, hard disks, etc).

The question I have for you all is: if you were building a forensics workstation from the ground up, what would you put on it? What kinds of software and hardware would you include? What do you consider to be essential, and what is simply "nice to have"? Realize that I don't have the money to go out and purchase professional software, like EnCase. So, while I encourage you to mention what your "money is no object" dream server would include, please also try to mention useful software that is free (like Coroner's Toolkit) and/or available on the cheap (like Norton Utilities). Again, this isn't for professional use -- I'm just trying to get my hands dirty and play around a bit.

I'd also like to hear what you have to say about the whole issue of building your own server versus purchasing special hardware (like the workstations made by DIBS). I've been reading the latest Foundstone book ("Incident Response"), and in it they touch on this a bit. Their opinion seems to be that constructing your own hardware is a bad thing. I can understand the reasoning behind this view, but I'd like to hear other opinions.

Thanks in advance for any input on these questions.

Elizabeth

- -----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQA/AwUBO1OEs0zIW3/a/P0NEQIi6gCcCpc++TsvZvrZOV1Nw6bWm/CQys0AoIK5
1i43DdZxUksVSFUXphKf6Kbb
=jodS
-----END PGP SIGNATURE-----
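Jeff's reply describes the core of a forensically sound acquisition: copy the evidence without changing it, then work only from the copy. The script below is an added illustration of that workflow and is not part of the list thread or of any tool named in it. It opens the source read-only, hashes it before and after the copy to show the original was not altered, hashes the image to prove it is bit-for-bit identical, and appends a custody record to a log. The evidence file, the `.dd` image name and the log path are constructed stand-ins for a real device and case directory.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB chunks so large images do not need to fit in memory


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (handy for small recovered artifacts)."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> str:
    """Stream a file through SHA-256 without ever opening it for writing."""
    h = hashlib.sha256()
    fd = os.open(path, os.O_RDONLY)  # read-only descriptor: we never touch the source
    with os.fdopen(fd, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, dest: str, log_path: str) -> dict:
    """Copy source to dest bit for bit and record pre/post hashes in a custody log.

    verified is True only if the source hash is unchanged by the acquisition
    and the image hash equals it, i.e. the copy is exact and the original intact.
    """
    pre_hash = hash_file(source)
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really hit the disk before hashing it
    post_hash = hash_file(source)
    image_hash = hash_file(dest)
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": dest,
        "source_size": os.path.getsize(source),
        "image_size": os.path.getsize(dest),
        "source_sha256_before": pre_hash,
        "source_sha256_after": post_hash,
        "image_sha256": image_hash,
        "verified": pre_hash == post_hash == image_hash,
    }
    with open(log_path, "a") as log:  # append-only custody log, one JSON line per action
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-check an image against the hash recorded at acquisition time."""
    return hash_file(image) == expected_sha256


def demo() -> tuple:
    """Run an acquisition on a constructed evidence file, then show that
    verification detects a single modified byte in the image."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.bin")  # constructed stand-in for a seized disk
    with open(source, "wb") as f:
        f.write(b"CONSTRUCTED-EVIDENCE " + bytes(range(256)) * 64)
    image = os.path.join(workdir, "evidence.dd")
    log_path = os.path.join(workdir, "custody.log")

    record = acquire_image(source, image, log_path)
    clean_ok = verify_image(image, record["image_sha256"])

    # Simulate the image being altered during later analysis; the stored hash catches it.
    with open(image, "r+b") as f:
        f.seek(40)
        f.write(b"X")
    tampered_ok = verify_image(image, record["image_sha256"])
    return record["verified"], clean_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

In practice the source would be a block device opened through a hardware or software write blocker, and the log would be signed or stored off the analysis host; the point the script makes is that every later finding can be traced back to an image whose hash matches the one taken at seizure.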
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 10:12:16 PDT