Okay, first of all, let me just let everybody know that I am actually... excuse me. Hey, sound guy, turn it up, dude. Dude, I yelled at Jeopardy two nights in a row and got trashed two nights in a row. You're lucky I'm even upright. No, because we got ripped off.

Okay, first of all, let me let you know that I am not RS. He was requested by his employer, the man, not to actually give this talk. So since I'm a friend of his and I've done some forensic stuff in the past (I'm more of a network monkey than a file system monkey), he asked me if I'd be willing to give his talk so that you guys didn't get screwed out of one talk. I had no idea he was quite this popular. I thought it'd be about three of you and my friends who wanted to go drink afterwards. But so, here goes.

Basically the talk that Rob was wanting to give is kind of an intro to file system... one actually won't be an analysis discussion, a discussion of analysis. It's okay. Can you roll them up? Yeah, can the sound guys just boost it a little? By "sound guy" we mean you. Can you slide them up? Slide up, slap the pots. No, no. All right, maybe I'll walk over there and do it. Is that better? Can everybody hear at this point? How about now? Can you hear me now? Can you hear me now? Hey, it's a Verizon commercial. Okay.

Basically the talk that Rob has asked me to present today is essentially a very basic introduction into how to properly acquire data from a potentially compromised system or a suspect system, and the legal aspects of what you have to keep in mind when you want to ensure that you have everything done properly when presenting it in a court of law. So I will do my best to get through the slides. If you ask me a question that I cannot answer, hopefully Rob is around here somewhere and he will unofficially answer your question. But here we go.
All right, basically the most important thing you need to keep in mind is that when you have a system that you suspect has been tampered with, or has something that you're interested in checking, you have to ensure that you do not alter or contribute to the modification of files on that file system. Because that's like the first way: any time you actually open a file, you've modified it, whether you realize it or not. You change the access times, you change quite a lot of very subtle metadata associated with that file. So it's important that you follow certain very, very strict procedures to try and intrude as little as possible on the suspect system. Oh, and by the way, the typos are not mine.

So one of the first things you have to consider is, if it's a running system, you have to actually look at the entire aspect of what the system is doing. You have to consider: is it connected to a network? Is it currently powered up or is it powered down? If it's powered up, is there data that's actually held in memory that you want to try and access? Because some people, when they tamper with a system, will leave a trojan behind, and as soon as they see some sort of shutdown procedure or whatever, it will remove whatever data you might have actually been interested in. So you have to be very careful about not doing something without thinking through thoroughly first what you want, what may be the ramifications of what you're doing.

But as Rob says here, you only get one chance to do it right. Because as I mentioned previously, if the system has been trojaned, there's a good possibility that if you're not careful and you do the wrong thing, you lose everything you were actually interested in. There are many, many ways to actually acquire the data without modifying it too much. I personally, some of the things that Rob has in here,
I haven't used, because frankly I'm a UNIX bigot, so caveat emptor. Also, every intrusion is a unique situation. I mean, it could be a standalone system, it could be native, we could be talking about ATMs, it could be a system that's connected to a network, it could be a multi-homed system. You don't know. So you actually have to be very careful and document your entire data acquisition process, and by documentation I actually mean photographs and notes, as well as acquiring the actual file system data that you're interested in.

Basically what the talk will cover is: what are you actually trying to accomplish with the forensic acquisition of the file systems? And what things can make that difficult, or impossible, depending on how badly you screw up. We will also cover the proper preparation of evidence media so that it is admissible in court and, if done correctly, doesn't get struck down or mitigated. As well as the proper handling of the suspect system: you're not actually going to utilize the potentially compromised system for anything more than acquiring a copy of the data off of it, and then at that point you will enter the suspect media into your chain of custody, so that you can have a very distinct trail of who has had access to the suspect media, and when, and what was performed. This is all basically required for your court cases, to ensure that there is no doubt that whatever was alleged to have been found on the suspect media was not put there by you or somebody else involved in the prosecution.

There are actually multiple ways to do it. As I mentioned earlier, there are hardware solutions for accessing the copy of the data on the suspect media. There are also software mechanisms for doing the same thing.
They all have certain abilities that make them unique, and then they all have their limitations. So you may actually want to use more than one method to acquire your suspect media data for a later analysis. And the other thing that you're going to want to do is use some kind of integrity verification mechanism. Generally that would be a cryptographic hash that you would take of the file system image, so that you can further prove that it has not been tampered with or altered in any way since you acquired the data.

I am not a lawyer. Rob also is not a lawyer. So do not consider this talk as legal advice or legal opinion. Neither of us actually speaks for anyone other than ourselves, and most often we don't do that very well. So if you actually want to do these things, if you do it in the privacy of your own home or whatever, that's fine. If you decide after sitting through this talk that you're now a forensic specialist, and you go and try and perform a data acquisition on a suspect system at your work and you screw up the boss's computer and he's pissed off: not my fault. You really ought to check with the policies of your organization, your IT staff, your legal staff before using any of these tools in an investigation. And I frankly would suggest that you spend a lot of time doing this before you even think you're going to do it properly, because it is a very exact and a very precise process that must be followed in order to not taint the data that you're going to present in court.

This is basically a glossary of terms that you should be familiar with, to make the talk a little bit more understandable. Digital evidence:
Basically, that is the file system on the suspect system that you're trying to acquire. Suspect media, or original drive media, is basically the possibly tainted system or the possibly malicious system that you're interested in. Forensic media, or evidence drive or media, is basically the system that you will use to actually acquire the data off the suspect system. Acquisition and imaging: basically, those are two different terms for grabbing all the data off the suspect system. Imaging is just basically creating one or more image files of the suspect system that are a bit-for-bit copy, so that you get everything, not just the files that are on there. You get the slack space.

Many people don't actually realize that when you delete a file, you're not actually erasing that file. What you're doing is deleting an entry in a master database on the drive that says it's okay to overwrite this space on the drive, but that doesn't necessarily happen right away. And not only that, when you copy a file you quite often don't copy just what you think you're copying. If you open up a document and you write a couple of things into it and then save it, and then you open it up later and delete one of those things because you decide that whoever you're giving the document to has no reason to know that stuff, that data is actually still lying around. So when you copy that file over somewhere else, what you thought you deleted is actually still there, in what's called slack space. And so you have to be very, very careful about imaging the entire file system so that you get things that are in slack space that may actually be pertinent to what you're interested in.

Okay, the next thing is chain of custody. Chain of custody is basically nothing more than a hard copy record of every individual who has had
access to the suspect system as well as the forensic media system, and what they did and when they did it, and things like that, because the chain of custody is an admissible item in a court case.

Verification hashes and checksums: that's what I mentioned earlier about wanting to create a hash to check the integrity of your acquired file system, so that you can prove it's not been tampered with.

Trusted forensic environment is essentially the acquisition system, because you must have it so that you can prove that its integrity has not been tainted at all. Because if everybody in a particular area has access to your forensic acquisition system, then you can't prove that somebody hasn't altered that to modify whatever data you're trying to acquire, to hide whatever they're interested in hiding. So trusted forensic environment just basically means having a means of proving that your acquisition system is exactly what you think it is, and nothing more.

Original copies and work copies: basically, the way... they can't figure that out.
They're pretty weak, I know. But basically the way you do it is: you never actually want to do any analysis on your suspect system. You want to capture all the data from the suspect system onto a separate piece of media. That separate piece of media actually then is what gets admitted to court, and quite often you will have that as your means of analysis too. So what happens is you basically capture all the data off the suspect system, and once you've done so and the system has been entered into the chain of custody, then that suspect system is placed in a locked space where nobody has access to it anymore.

Okay, it does not fully cover acquiring volatile system information. Basically there's only a little information here on how to actually capture data that resides in memory on a running system. There are too many different systems and too many different ways to actually do it to adequately explain all this in a 50-minute talk. Quite often, when you're trying to grab data from memory, your system will write out temporary files and things to the file systems. You have to be very careful that when you're trying to grab volatile data you're not modifying the file system that you're interested in as well. And the third point is that, as I said, it's a very exacting process, so you want to make sure that you know exactly what you're going to do and carefully step through those. Don't take any shortcuts. And frankly, when I have done forensic acquisitions, I, or some of my staff, will actually have a written set of steps, and I insist that they follow them no matter how many times they've done it.
That's the only real way you can be careful not to miss something or potentially taint the system you're interested in.

Volatile data: examples of volatile data would be runtime and performance stats, which in most UNIX systems is basically things in the pseudo /proc file system. Time, date, time zone settings: all these things are volatile because some of them are easily changed. The active running process listing is another volatile thing, because as I mentioned earlier, if there's a trojan and you trigger that trojan, it may either stop running whatever process it was running that you were probably interested in, or, if some of you have attended the rootkit talks, you'll see that they can hide those processes to keep it running, but you won't be able to actually find them. Logged-in user listings: that obviously is for a network-connected system. Open files, libraries, DLLs in use: basically, it's different for every system, but you can easily find all the files that are currently in use through the system processes. And again, if you're not careful, if there's a trojan, or if it's a network-enabled system and the person that is doing what you're interested in is actually online and finds out, they may stop what they're doing, unload any libraries that are being used by whatever process they're doing, and you will lose data that you potentially need in your prosecution. Network activity, again, obviously for a network-enabled system, is what is actually going on.
If you walk up to the system and immediately pull the network cable out of it, you may actually lose data that you're interested in for your prosecution, because that may trigger whatever network process was going on to either stop or, well, obviously it won't be communicating anymore, and that may trigger it to stop or hide itself. Perhaps the data you're actually interested in is an ongoing streaming of pornographic material, or illegal film file-sharing activities, and if you're not careful those things that you need to acquire may stop. So it goes back to being very careful about following your steps and not deviating from those. Let me see. Yeah.

We're not going to cover cell phones, Palm PDAs, wireless and wired network communications, wireless programmable keyboards, and EPROMs. It would just simply take too long, and obviously I'm taking too long as it is. So, without further ado.

The first bullet up here is actually something that is quite often overlooked by people that don't do this all the time: it is potentially a crime scene. So you want to make sure that if you're going in and looking at the system, if you start tapping away on the keyboard, you're not destroying fingerprint evidence that might be there. As I mentioned before, you definitely want to document the entire area that you're working in photographically, so that if somebody comes up and says, well, that wasn't my system, you have visual evidence that whatever they're claiming is probably not true. You want to take a look at every cable connection: whether the system is network enabled, if it's connected to a wireless network, if it's connected to a Cat5 or fiber network, if it's multi-homed, if there are modems. So you want to
carefully document all that, both in written form and in photographic form, and consider every incident as if it is going to trial, which basically goes back to: set up a certain set of steps to follow and don't deviate from them, regardless. Because if it goes to trial, you're going to need all the evidence that you gather. If it doesn't go to trial, there's no big deal; having more evidence is actually a good thing.

Yes, do not examine your evidence at all until you've properly made a forensic image. The reason that he says that is basically because, if you're not careful, you will taint the data by altering access times and things like that. So you want to make sure that you have a complete and thorough forensic image, so that if somebody questions something you can actually go back and acquire a second copy of the suspect data without having to access the suspect system. You should try to interact with the system as little as possible. I mean, if you have to sit down at the suspect system itself you need to be very careful, but generally you want to not ever do anything or attempt to check anything on the suspect system.
You want to actually make a copy instead. And again, store everything in a safe location, which basically, for me, since I work for the government (and yes, you can spot the Fed now), means a GSA safe with a high-security lock. That's another means that gets documented in the chain of custody that proves that it was difficult, if not impossible, for someone to have tainted the system data that you're presenting in your court case.

Pretty much all this really says is to keep track of what you fucking do. I mean, if you're ever going into a government investigation, you're gonna be working with people who've done other types of investigations, mostly physical, and you just need to make sure you don't taint the digital data. The chain of custody is exactly the same for physical data as digital data, as long as you don't taint it. All these things are just reiterating how you have to be careful not to taint what you have, not to modify anything, and only work on copies of it. It's a very simple concept to anybody who's ever blown out some data on your home machine, or on any machine you're working on: back up first, work on your backups, don't work on the true copies. And it's just very important.

Forensic analysis, right. The first two kind of reiterate what I've already beaten to death, but now: collate mail, DNS, and other network and service logs to support and verify your findings. Not everything you're interested in is actually right there on the suspect system. You may actually have network processes like mail being sent out, if the system has been taken over by a bulk mailer or whatever, and you're gonna find corroborating evidence on other systems on that network. So don't just consider the suspect system as the sole thing to be investigated. And always be able to verify the integrity of your evidence. That basically means be very careful about creating your file system images and
then create cryptographic hashes of them, whether you use MD5, SHA-1, whatever. You need to be able to prove at some point that nothing on the suspect system has been altered.

Yes, never use a tool you're not familiar with on live or original evidence. This just basically says, if you don't know how the system works, then find someone else, find an adult to help you. Or a 12-year-old boy. Okay.

This is some more of the documentation. You want to itemize all the actual hardware involved, with the physical context. I mean, you want to sit down at some point after you've gotten your file system data off and document the actual computer system that's involved, or systems. And as the example that's given here, you're gonna want to document everything that uniquely identifies every piece of hardware in that system. Basically, just be incredibly anal, because a defense lawyer is going to challenge everything possible, and you have to be very careful and capable of proving nothing has been changed, nothing has been swapped out, nothing has been modified or tainted. Logical context is basically, on a UNIX system for example, or even on a Windows box, all the mounted file systems, whether they're network mounts, whether they're local mounts, or whatever. You want to actually document all the logical things as well, to again prove that when they see the suspect system in court, it's exactly the way it was when you began your forensic investigation. Because if it goes to trial, you will end up testifying as to exactly what you did, how you did it, and why what you did hasn't caused the data that's being entered into the legal record to be tainted or suspicious. Chain of custody quite often will be challenged. That's why you need to keep a very full, very thorough chain of custody.
Yes? Have to be what? Ah, the question is: does the person doing the data acquisition have to be an independent person, so that there's no conflict of interest? Well, it really depends on the situation. I mean, in Rob's case, basically he works for Health and Human Services, and they quite often have to deal with potential medical fraud and things like that. So they're not letting the IT staff of the office investigate that, and yes, quite often you want to make sure that the person is independent, because if you can't trust your forensic investigator, then how can you trust the evidence that's being given to you to take to trial? So yeah, you would want to make sure it's an independent individual or company. Quite often, though, in large companies they will have a data security team and a forensics team that, while they work for the same company, have no vested interest in protecting any particular person in that company. So essentially they are independent, as much as a company employee could be. But yeah, if you have the chance to get somebody who's independent, totally from the outside, that's probably the best way to do it.

There's one question. We do need to bang through the stuff pretty fast, but let's hit the question real quick and then we'll bang through it fast. The question is: is it correct that documenting the hardware and everything is... If I didn't make that clear, you would actually do that after you've already assured that you've acquired all the data you're interested in from the suspect system: all the file system data, all the volatile data, and everything. And you're convinced that, okay, there's nothing else I will need to gather from this running system, or this system I'm interested in. Now I can actually begin to document the components of the system itself.
So yes, that will come at the very end, because, as Rob pointed out to me, some of the things that he investigates are physicians' offices, and they can't afford to have the potentially compromised system removed from the office. So basically you have to try and document everything, then get a verifiable forensic image, and then leave the actual suspect system running in that office, because you can't.

All right. Some of the things that you basically need to understand... I think everybody in here, if they don't understand a partition table or a file system, they need a beating. Well, do you guys want me to go over it? Okay, then we'll move on. Fine, no problem. Yeah, all that stuff. If something is basically beating a dead horse, let me know. Thank you. Keep in mind, we were at Jeopardy two nights in a row. Beer is evil. No, it's beautiful. All right.

Your goal, basically, is to make an exact copy. The backup basics: more beating a dead horse, it looks like. Yep, skip that one. All right, don't fuck with it. I got plenty of tools. Yeah.
Well, I've only hit the second part. All right. Yeah. One thing that you have to keep in mind: a lot of drives now will have a host protected area, device configuration overlays, things like that, and you have to be very careful with your tools to ensure that when you're acquiring data off the actual hard drive file system you're getting the entire contents of the file system, that you're not missing some portions of the system that are being hidden by the BIOS or the drive BIOS. In older Linux 2.4 kernels, for example, some of the hard drives with an odd number of sectors would, if you weren't careful about how you acquired that file image, actually cause you to miss a portion of the drive, because the drive itself would report back that it was smaller than it really was.

Tool needs to be tested by an independent entity: basically, don't write your own forensic tools, is all this says. Go use something that has been proven to work and proven to do exactly what you want and what you expect, so that you can back that up in a court of law. More dead horse.

Preparation of the forensic hard drive, basically the drive or tape that you're going to use as a copy of the suspect system: you want to wipe that drive before you actually use it, and as is suggested here, you want to wipe it with a known pattern. You don't want to use something like /dev/random, because you don't want random stuff overwriting that drive. You want to use something like /dev/zero, so that it's all zeros, so that you can guarantee that everything that gets put on that drive was put on that drive when you did so with it.
None of it was pre-existing, and this basically ensures that, and this will also be part of your documented investigation notes. And again, with the host protected area and things like that, you have to make sure that whatever tool you're using to format the drive prior to using it will actually overwrite those areas as well.

This is how to do it. Yeah, read the CD, feel on the wiper drive. Yeah, DBAN is a very nice CD-ROM based system that will work on both x86 and Macs, if you have to deal with a Mac OS system. GDisk. These are basically just a lot of known, trusted tools for properly wiping the forensic acquisition system before you actually begin to use it.

All right, yeah, basically dd. The nice thing about dd is that it does a bit-for-bit copy, and afterwards you make a cryptographic hash to prove later (I'll get to that) that nothing has changed. Cryptcat and nc, which is actually netcat: there's a way, if your system is running and you want to save the stuff on a forensic system that's actually on the network or somewhere else, you can pipe the output from dd to netcat, so that you're actually not storing your acquired image locally anywhere, you're actually storing it somewhere else, which is another means of ensuring that you don't modify anything volatile or existing on the file system. Yeah, you had a question back here. That is true, and I'll go back to the first caveat, which is this is not my slide. Yeah, we'll get there later in the slides. Let's bang through them pretty quick.
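As an added example (it is not from this talk or from Rob's slides), the following POSIX shell script walks through the two steps just described: wiping the forensic media with /dev/zero and checking that the wipe is complete, then taking a bit-for-bit dd image and verifying it against the source with a hash. The "suspect drive" here is a constructed 8 KB file, not a real device, and the paths, the 512-byte sector size and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not part of the original talk: prepare wiped forensic media,
# take a dd image of a constructed "suspect drive", and verify it with SHA-1.

WORK="${TMPDIR:-/tmp}/acq-demo.$$"
mkdir -p "$WORK"

SUSPECT="$WORK/suspect.dd"      # stand-in for the suspect drive (constructed)
EVIDENCE="$WORK/evidence.img"   # stand-in for the prepared forensic media
SECTOR=512                      # assumed sector size for the demo

# Constructed sample: a 16-sector "drive" that is mostly zeros, with one
# live file-like record in sector 0 and leftover residue of a "deleted"
# file in sector 9 (the kind of thing that survives only in slack space).
make_constructed_suspect() {
    dd if=/dev/zero of="$SUSPECT" bs="$SECTOR" count=16 2>/dev/null
    printf 'CONSTRUCTED: live file contents\n' |
        dd of="$SUSPECT" bs="$SECTOR" seek=0 conv=notrunc 2>/dev/null
    printf 'CONSTRUCTED: residue of a deleted file' |
        dd of="$SUSPECT" bs="$SECTOR" seek=9 conv=notrunc 2>/dev/null
}

# Wipe the forensic media with a known pattern (/dev/zero, not /dev/random),
# so anything later found on it must have come from the acquisition.
# $1 = media path, $2 = size in sectors
wipe_media() {
    dd if=/dev/zero of="$1" bs="$SECTOR" count="$2" 2>/dev/null
}

# Verify the wipe: strip every NUL byte and count what is left; a clean
# wipe leaves nothing. Exit status 0 means verified.
verify_wiped() {
    [ "$(( $(tr -d '\000' < "$1" | wc -c) ))" -eq 0 ]
}

# Bit-for-bit copy. conv=noerror,sync keeps reading past unreadable sectors
# and pads them with zeros instead of silently shortening the image.
# $1 = suspect device or file, $2 = evidence file
acquire_image() {
    dd if="$1" of="$2" bs="$SECTOR" conv=noerror,sync 2>/dev/null
}

sha1_of() {
    sha1sum "$1" | cut -d' ' -f1
}

# Integrity check: the image hash must equal the hash taken of the source
# at acquisition time; both values go into the chain-of-custody notes.
verify_image() {
    [ "$(sha1_of "$1")" = "$(sha1_of "$2")" ]
}

# Slack-space check: the "deleted" record is in the image even though no
# live file references it, which is why a bit-for-bit copy is taken.
image_keeps_slack() {
    tr -d '\000' < "$1" | grep -q 'residue of a deleted file'
}

make_constructed_suspect
wipe_media "$EVIDENCE" 16
verify_wiped "$EVIDENCE" && echo "evidence media wiped and verified"
acquire_image "$SUSPECT" "$EVIDENCE"
verify_image "$SUSPECT" "$EVIDENCE" && echo "image SHA-1 matches source: $(sha1_of "$EVIDENCE")"
image_keeps_slack "$EVIDENCE" && echo "slack-space residue preserved in image"
```

Against real media, SUSPECT would be the device node of the suspect drive and EVIDENCE the wiped forensic drive. Two caveats worth knowing before relying on the hash: conv=sync pads a trailing partial block with zeros, so if the source size is not a multiple of bs the image hash will legitimately differ from a hash of the raw source, and the source size should be recorded alongside the hash; and, as the talk notes, an HPA or DCO can make the drive report fewer sectors than it has, which dd cannot see past on its own. To avoid writing the image to local storage, the dd output is piped to netcat instead of a file (the listener's command-line options differ between netcat implementations).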
All right. Quite often, if you're doing this by hand, it's a slow process. There are hardware systems that will image the drives thoroughly, that will do it very well and far more quickly. Let's see.

Basically just saying: in real life you run across shit that you're not expecting. You're not going to run into the perfect scenario every time, and because of that, shit happens. Your hardware may not work right, you may go to plug into a port that's busted, the keyboard may be cracked in half. You never know what's going to happen. Sometimes shit happens. So cover your ass. Yeah.

No, no, never, never yank the power. Well, if you just yank the power, you're losing so much of all the information. You're screwed. Yeah, if you yank the power, everything that was being held in RAM is gone. And if you sat in on the rootkit talks that were presented here, there are actually rootkits now that live in RAM, live in memory solely, and you'll lose all evidence of it. Well, it depends on what you do, and if you are going to shut down, if you do your data removal first. Every machine is different, and what you can do is different in every situation. In some situations you'll walk in there and be able to just image everything, including the RAM. In some situations you'll walk in there and some guy'll start shooting at you and put a bolt through his computer. Different situation, different times, right.

You obviously don't want to install your forensic environment on the suspect system.
So what you want to do... Some people actually use the suspect system to create copies of the suspect system. I personally don't prefer that that be done, but one way to do so is to have a bootable DOS, Linux, or BSD disk that has been designed specifically for forensic use, and I believe he has examples of some of those as we go along. Image Master is one that actually has a preconfigured, I think it's a Win 98 environment, that has actually been modified specifically for forensic use. Knoppix is a reasonably user-friendly method for doing this, although there are caveats. You have to throw the noswap option at your kernel command line at boot up, because otherwise, one of the problems with some of the Knoppix systems is that basically if it finds a swap space, it'll try mounting it. And when it goes and starts looking at all the drives attached to the system that it's booting, when it finds your suspect file system, if it finds a swap space on there, it's gonna go ahead and bring it up, at which point you're now losing the integrity of some of the data on that file system. And if you do use Knoppix, you need to be very, very careful to make sure you use one of the more recent releases, because older versions do have some issues. For example, some of the older ones, even if you gave the noswap command on the command line, would just happily ignore it. And yeah, the caveat being: just because the version is newer, it doesn't mean that it doesn't have a different bug that will affect you. So no, never actually go fire up Knoppix to do your forensics without actually having done it somewhere else first, so that you again have a trusted forensic environment, and you know exactly how it's going to act and what's gonna happen, so that you can protect the integrity of the suspect system that you're interested in. Again, this just goes
over some of the basics of how to build the forensics system environment. Yeah, go to those links if you want to get good shit. Yeah, Modcom, I believe, is a Dotspace one, which is actually pretty good; the forensics version, the licensing doesn't actually require you to pay for it. More stuff, just go to all these sites. Sure fire is actually a Knoppix-based one. These are all URLs, and I believe they will have Rob's slides up on the DEF CON site so you can get them from there. Yep, I saw some of the Penguin Sleuth Kit guys around here.

Let's see, these are commercial hardware solutions. These are systems that actually will do the data acquisition for you, but it's a hardware device, which, as was mentioned earlier, depending on how big the suspect file system is, could take hours. And some of these systems have been built and optimized to the point where, like Image Master, I believe, will get a throughput of something like two gigs a minute, and on a large drive that's kind of nice, rather than taking a day or two. This is a side note. I mean, I personally don't do data forensics, but a division of the company I work for does, and we just released a press release, which I don't know what the fuck it means, I don't know what computer does hell, but we evidently did five terabytes of data in under 24 hours and did forensic analysis and everything else. So they say that's good, but that sounds like a lot of data to me.
It'll take a hell of a long time with some of those other solutions. And just more... these are just examples of, if you're using a tape system, for example, if you have a RAID system and you need to get some data from a previous day for your investigation, these are methods that you can use to actually read data off the tape to put it onto your forensic environment for analysis later. These are other means of creating your forensic media. Hardware write blockers: this is basically a hardware solution to ensure that you don't actually modify the suspect drive. I personally use a UNIX environment so that I can mount the suspect system read-only; that's not always possible with Windows. Again, here's, and you know, just examples of software write blockers. One of the things you want to do is, possibly, you may be having to acquire a RAID image, so you're going to want to have your forensic system be as optimized and powerful as you possibly can, to make the process not be a lengthy, horrible thing. So ATA, Promise ATA RAID, Serial ATA RAID is actually a very reasonable and inexpensive RAID solution. These are again commercial software data acquisition solutions, and more dent horses, and then the free solutions. These actually are forensic acquisition systems that are available to law enforcement only. They essentially do the same thing that all the other ones do, but they've been specifically designed to ensure that they actually do what is required to properly prosecute. And these, SnapBack and EnCase Enterprise, are capable of doing imaging over the network,
which, that way you don't have to do things like dd and then pipe it out to netcat, things like that. Of course they're quite expensive as well. Okay, basically, if the system is running RAID you need to be very familiar with how RAID works and what each different type of RAID is, how it's set up, so that you ensure that when you acquire the RAID array you are again acquiring the entirety of the virtual file system that makes up that system. This is an interesting thing that I actually didn't know until I talked to Rob yesterday: on more recent versions of Mac OS, if you actually hold the T key down on boot up, it boots up into what it refers to as disk mode, and that Mac then essentially becomes an external FireWire drive that you can use as a live forensics environment to toss data onto. Image integrity: there's checksums, there's hashes. These are all different means for verifying and providing proof of the integrity of the suspect system data. Yeah, MD5, actually recently they've discovered that there's a possibility of collisions; thus I would say a good defense lawyer might be able to bring up enough technical data to prove that the MD5 hash may not actually be valid, at least enough to create doubt, which would then sink your prosecution. So I personally prefer SHA-1. These are just commercial versions of hashing applications. Okay, these are different formats. The one I've basically talked about the entire time is dd, which is basically a raw bit-for-bit copy of the drive. EnCase, quite often all the commercial systems are capable of reading the proprietary disk images that are made by all the different other products, like EnCase, SafeBack, SnapBack and SMART. Basically more, and you know, for more information,
these are a lot of URLs where you can find a ton of information on data forensics, and there actually is a forensics mailing list. Currently, I don't know, I think it's on SecurityFocus, so you might check. And that's about it. Questions? Yes, right. Correct, on the other systems that may actually affect it, that are on the network, you don't actually need to get a forensic image of that server, because that's just an external system that just supplements what you're doing. It is difficult, but being very careful about documenting what you did to get that corroborating data, and doing things like, okay, I took a snap of the file system and made a hash of that log file, and then entering all that into your chain of custody documentation, that will help. So it's all about documenting, even if you can't verify things; it's all about documenting. Yeah, it's basically just document the whole lot of everything. Yes, sir, on the right side. There's various programs; almost all of those programs can handle it. Yeah, some of the commercial products will actually access the memory contents as well. I personally will just cat the contents of the kernel /proc file system and cat it out across the net to another system. Left side. Louder. Yeah, so I generally will not use dd on a live system. What I will do is try to document... the few times I've had to do forensics, as I said, I'm more of a network security monkey than a forensics guy, but the few times I have done investigations on potentially compromised systems, basically, I did not do the dd copy on the running system.
I got on the running system as unobtrusively as I possibly could, documented the hell out of everything that was on there as much as possible, and of course you're never guaranteed you're going to get everything. If there's a really, really well done rootkit on there you're probably not going to find it, but you try your best to find everything that's potentially running, and then eventually at some point you do shut down the system and then you make your bit-for-bit copy of the hard drive itself. As I mentioned with respect to RAID systems, you actually not only have to ensure that you get all the data from the RAID system, but that you can actually recreate that RAID array properly so that it will not be questioned by the defense; well, it will not be successfully questioned and thrown out, that you can prove that you acquired that, and that you acquired it properly, and what the jury is being presented with is exactly what was on the suspect system. But yeah, you will have to power down the system before you take the image of the actual file system itself. Yes, if properly entered into the chain of evidence, chain of custody, yes. And if you're very careful about documenting how you acquire that data and all that, yeah. Yeah, absolutely. We need to go. All right. Thanks. Thanks, sir.
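The acquisition step the talk keeps circling back to (dd as a raw bit-for-bit copy, a hash over the original and over the image, and both digests written into the chain-of-custody record, with SHA-1 rather than MD5) is shown below as an added example. It is not code from the talk or from Rob's slides. It assumes a POSIX shell with dd and either sha1sum or shasum; the "drive" it images is a constructed scratch file standing in for a block device such as /dev/sdb, so nothing here touches real media, and the function and file names (acquire_image, verify_image, custody.txt) are the example's own.

```sh
#!/bin/sh
# Added example, not from the talk: image a drive bit-for-bit with dd, then
# prove the copy matches the original with SHA-1 digests recorded for the
# chain-of-custody file. Assumes POSIX sh, dd, and sha1sum or shasum.
# In real use SRC is a block device (e.g. /dev/sdb) behind a write blocker,
# or attached to a read-only environment; here demo() builds a scratch file
# to stand in for it so the script runs without any device. Names are
# the example's own assumptions.
set -eu

# Hash a file with SHA-1 and print only the hex digest.
hash_file() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SRC DST: raw copy. conv=noerror keeps dd running past bad
# sectors instead of aborting; conv=sync pads an unreadable block with zeros
# so every later byte keeps its original offset. Real media is a whole number
# of blocks, so the image length equals the device length.
acquire_image() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# verify_image SRC DST RECORD: hash both, append both digests to RECORD,
# return 0 only when they match. RECORD is what goes into the custody log.
verify_image() {
    src_hash=$(hash_file "$1")
    dst_hash=$(hash_file "$2")
    {
        printf '%s  %s\n' "$src_hash" "$1"
        printf '%s  %s\n' "$dst_hash" "$2"
    } >> "$3"
    [ "$src_hash" = "$dst_hash" ]
}

# acquire_and_verify SRC DST RECORD: the whole acquisition step in one call.
acquire_and_verify() {
    acquire_image "$1" "$2"
    verify_image "$1" "$2" "$3"
}

# Network variant the talk mentions (shown, not run; netcat flag syntax
# varies between implementations). On the forensic workstation:
#   nc -l -p 9999 > evidence.dd
# On the suspect host, using a dd from your own trusted toolkit, not the
# system's binary:
#   dd if=/dev/sda bs=4096 conv=noerror,sync | nc forensic-host 9999
# Then hash evidence.dd on the workstation and record it the same way.

# Demo with a constructed 256 KiB "drive" (64 blocks of 4096 random bytes).
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/suspect.raw" bs=4096 count=64 2>/dev/null
    if acquire_and_verify "$work/suspect.raw" "$work/evidence.dd" "$work/custody.txt"; then
        echo "image verified against original"
    else
        echo "HASH MISMATCH: image is not a faithful copy"
    fi
    # Zero one 4 KiB block of the image: re-verification must now fail.
    dd if=/dev/zero of="$work/evidence.dd" bs=4096 count=1 conv=notrunc 2>/dev/null
    if verify_image "$work/suspect.raw" "$work/evidence.dd" "$work/custody.txt"; then
        echo "tamper NOT detected"
    else
        echo "tamper detected: digests differ"
    fi
    cat "$work/custody.txt"
    rm -rf "$work"
}

demo
```

The custody record ends up holding four digest lines: the matching pair from the clean acquisition and the mismatching pair from the altered image, which is exactly the evidence you want on paper when the defense asks how you know the image is what came off the drive.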