
One of the tenets of digital forensics is to assure that the original media is not altered, and that the methods used to create forensic-quality copies of media and data assure that the integrity of the original is maintained. This is one of the most important steps. In situations where evidence must be gathered "live," we need to make sure that whatever process is used has been verified beforehand to cause minimal changes to the overall system, and that other professionals given the same set of circumstances would have used the same methodology. Write-blocking/prevention mechanisms should be used for imaging media, and thoroughly tested beforehand by the examiner to assure that the mechanism works without fail. There are many fine training programs available. I would recommend Computer Forensics Core Competencies (www.csisite.net/training/core.htm), Certified Computer Examiner (www.cce-bootcamp.com/), or NTI's 5 Day Computer Forensics Course (www.forensics-intl.com/forensic.html) for starters.
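As an added example of the integrity step described above (this code is not from the original text or from any of the tools it names): a chunked acquisition routine that hashes the source while copying it, then independently re-hashes both the image and the source and reports whether all three digests agree. The sample "media" is a constructed 3 MiB file, and hardware write blocking is assumed to be in place.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB read size keeps memory flat on multi-GB media

def hash_file(path, algorithm="sha256"):
    """Hash a file in chunks; used to re-read source and image independently."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(src_path, dst_path, algorithm="sha256"):
    """Stream the source into an image file, hashing the bytes as they are read.
    The source is opened read-only; hardware write blocking is assumed to be in
    place already, as the text requires, since software alone cannot guarantee it."""
    h = hashlib.new(algorithm)
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is re-hashed
    return h.hexdigest()

def verify_acquisition(src_path, dst_path, algorithm="sha256"):
    """Return (verified, acquisition_hash). Verified means the hash taken during
    acquisition, the re-read image and the re-read source all agree, which is
    the value an examiner records in the acquisition notes."""
    acquired = acquire_image(src_path, dst_path, algorithm)
    image_ok = hash_file(dst_path, algorithm) == acquired
    source_ok = hash_file(src_path, algorithm) == acquired  # source unchanged by the copy
    return image_ok and source_ok, acquired

def demo():
    """Constructed sample media: 3 MiB of patterned bytes in a temp directory.
    Returns (clean_verified, tampered_verified, digest)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, img = os.path.join(tmp, "media.bin"), os.path.join(tmp, "media.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096))  # constructed, 3 MiB
        clean_ok, digest = verify_acquisition(src, img)
        with open(img, "r+b") as f:  # flip one byte of the image: must be detected
            f.seek(1000)
            f.write(b"\xff")
        tampered_ok = hash_file(img) == digest
        return clean_ok, tampered_ok, digest
```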

All three courses are solid courses which teach the foundation knowledge that every forensic practitioner should possess. Once you've completed one of these, I recommend that you then take vendor specific training from one of the major forensic software vendors such as AccessData (www.accessdata.com) or Guidance Software (www.guidancesoftware.com/). I am also a firm supporter of X-Ways Forensics (www.x-ways.net/training.html), and believe that every forensic examiner should be able to use the tool. At CSI, we use X-Ways Forensics to authenticate and verify the results of other tools.

http://www.csisite.net/tpicq.htm
http://www.csisite.net/gettingstarted.htm
http://www.csisite.net/forensics.htm
http://www.cybersecurityforensicanalyst.com/

X-Ways Forensics is an advanced work environment for computer forensic examiners and our flagship product. It runs under Windows 2000/XP/2003/Vista*/2008*/7*, 32 Bit/64 Bit.

It is based on the WinHex hex and disk editor and is part of an efficient workflow model in which computer forensic examiners share data and collaborate with investigators who use X-Ways Investigator. WinHex is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. It is an advanced tool for everyday and emergency use: inspect and edit all kinds of files, or recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.

http://www.youtube.com/watch?v=wkaBE1LwNWw

Access Data's Forensic Toolkit (FTK)

FTK v3

FTK now reads DMG archives and includes native viewers for binary and XML Property Lists (PLIST), SQLite databases, JSON files, B-trees, and Apple Mail. While it is lacking some of the features of the dedicated Mac forensic suites, these new capabilities allow FTK to hold its own and are particularly valuable for organizations that don't have the volume of cases to support a Mac-based forensic workstation.

REMOTE ACQUISITION

With geographically distributed networks being the norm, remote acquisition and preview is a force multiplier and can provide significant cost savings over traditional methods. There are several enterprise forensic products designed to meet this need, but the price can be prohibitive. In FTK v3, some of the functionality from the Access Data enterprise products has filtered down. Remote access works by connecting to an agent on the target system. A built-in option allows a temporary agent to be installed via the network, or a manual install can be performed via other means. Access Data advises that the agent can be installed on all Windows platforms, Windows XP and later. The agent provides the following capabilities:

- Acquire an image of a physical or logical drive
- Acquire a memory image
- Remote mounting of any of the above

FTK now includes a "Volatile" tab, which integrates memory analysis into the GUI. This initial effort isn't likely to replace dedicated tools like Mandiant Memoryze, but allowing memory analysis to take place together with other host-based evidence moves it further along into the mainstream and leverages some interesting parts of the forensic suite.

For you EnCase fans, it should be noted that Takahiro Haruyama has built a set of third-party EnScripts to perform some similar memory analysis tasks on that platform.
