Forensic Whitepapers

My approach to computer forensics is that of a multi-phased process, including: acquisition, examination, utilization, report, and review.

To be highly skilled in the computer forensics field requires intricate knowledge of each phase. Individuals who approach or are involved in the computer forensics field typically come from either a police background, a legal background, or a computer background. What is interesting about this is that, in my experience, persons from each of these backgrounds approach each phase with a significantly different mindset. For example, those with a police or legal background will first think about securing the perimeter and maintaining a proper chain of custody during the acquisition phase. Individuals from a computer background will most likely be focused initially on how to obtain a copy of the media, or a disk image, to analyze later. To be highly successful in the computer forensics field, you need to thoroughly understand all the technicalities and legalities of your process. Adhering to sound and proven practices is critical to supporting your work in a legal setting. My papers touch upon many of these subjects, and a paper is currently underway to tie all of this together under the working title Fundamentals of Computer Forensics.

Also note that I have not used the word procedure. Each situation you are presented with will be unique in its own right and will require a flexible approach. Deviating from a "documented procedure" can open you up to attacks from the opposing side in court. As such, the papers here should serve only as knowledge to add to your own processes. If you find any errors or disagree with anything, I encourage you to let me know so that I may continue to learn as well.

Acquisition (note that some papers overlap with the Examination phase)

EMC Storage Area Network (SAN) Forensics - A paper covering acquisition techniques for EMC (and, by extension, other) SAN technologies and equipment.

Beginners Guide to Linux Forensics - A very introductory whitepaper that walks the reader through a typical forensic analysis session on a trusted Linux system.

Introduction to Linux Forensics - An introductory primer on the tools and tricks for performing a forensic analysis under Linux.

Linux Forensics Presentation - PowerPoint Presentation that goes through a basic forensic analysis of a floppy disk from within Linux.

Examination

Introduction to The Sleuth Kit (TSK) - An overview of using TSK, a UNIX package of command line file system and media management forensic tools.

Utilization

Report

Review

Miscellaneous

Fooling a ThinkPad Biometric Scanner - Covers how I logged in as my boss on his T42 laptop, utilizing the ThinkPad fingerprint scanner.