Tuesday, July 16, 2013

Daily Blog #23: Go Bag Part 2 - Flexibility over possibility

Hi Reader,
      Last week I posted what was in my go bag; this week I'd like to explain more about why it's there. I used to carry around a lot of equipment with me, even lugging a Pelican case around with me at one point. What I found is that I rarely needed to bring the kitchen sink of every possible adapter with me; what was more important was that I had a portable, flexible toolkit that I could fall back on in a series of steps. With what I posted I can handle 99% of situations; I've found the other 1% is so special that most people either let me know to bring special equipment or understand I'll need some time to get additional equipment.

Best Case Scenario - The system has been brought to me, it's powered off and not in sleep mode, I can remove the hard drive, and I have the cables to connect it to my write blocker.

    I know those of you who do a lot of memory analysis are saying, "Why is that the best case scenario?!" The answer? It's the simplest to deal with. I can take the system, remove the hard drive, and document it in my chain of custody. Then I can check the BIOS time, attach it to a write blocker and image it, all without having to worry about my process making any changes to the evidence. It's the lowest-risk and easiest procedure; when this is all that's involved, it's a good day.
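The imaging step in that best case is the one worth scripting so it is repeated the same way every time. The script below is an added example, not code from the original post or from any of the tools it names: it copies a write-blocked device with dd, hashes the source and the image with SHA-256, and appends one line to a simple chain-of-custody log. The device path, image path, log format and the sample "disk" built from /dev/urandom are all assumptions made here for illustration; on a real case the source would be the write-blocked device (for example /dev/sdb) and the write blocker, not this script, is what protects the evidence from change.

```shell
#!/bin/sh
# Added example (not from the original post): image a device that sits behind
# a hardware write blocker, verify the image against the source, and record
# the result in a chain-of-custody log. Assumes dd plus sha256sum or shasum.

# Use whichever SHA-256 tool the examiner's host has (coreutils or Perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image SOURCE IMAGE: succeed only when both hash the same.
verify_image() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# acquire SOURCE IMAGE LOG: copy SOURCE to IMAGE with dd, verify, and append
# one tab-separated log line (start, end, paths, hashes, status).
# Returns 0 only when the image verifies; the log line is written either way.
acquire() {
    src="$1"; img="$2"; log="$3"
    start="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    # bs=512 matches the sector size; conv=sync,noerror keeps going on a bad
    # sector and zero-pads that block so the image keeps the source's geometry.
    # (Disk sizes are sector multiples, so the padding never changes the size.)
    dd if="$src" of="$img" bs=512 conv=sync,noerror 2>/dev/null || return 2
    src_hash="$(sha256_of "$src")"
    img_hash="$(sha256_of "$img")"
    if [ "$src_hash" = "$img_hash" ]; then status=VERIFIED; else status=MISMATCH; fi
    end="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$start" "$end" "$src" "$img" "$src_hash" "$img_hash" "$status" >> "$log"
    [ "$status" = VERIFIED ]
}

# make_sample_device PATH: constructed stand-in for a small disk, 2048 sectors
# of random bytes, so the example can be run offline without real hardware.
make_sample_device() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Usage on a case (device path is an assumption):
#   acquire /dev/sdb /cases/0001/evidence.dd /cases/0001/chain-of-custody.log
```

The hashes are computed after the copy rather than piped through dd so that the source is read a second time independently of the image; a match between the two reads is the evidence that the image is a faithful copy, and the log line records when the acquisition started and finished alongside the BIOS-time note the examiner keeps separately.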

    This sadly is not most days; many times something will gum up the works, or there will be more systems to forensically image than I was told. This is where the flexibility of my go bag shines.

Common Scenario - The system has been brought to me, it's powered off and not in sleep mode, and I can remove the hard drive, but I don't have the adapter I need

    At this point I have two options. If I have other systems I can image and there is a real computer store in town (Fry's, Micro Center, etc.), then I may go grab the adapter while I'm out for lunch. Otherwise, this is where the bootable CD-ROMs come into play. Booting up the suspect system I don't have an adapter for with a forensically safe OS will let me acquire his system with minimal risk and without having to wait for FedEx to arrive.

    I used to use Helix Pro as my preferred Linux boot CD, but they stopped updating it, though they will still take your money for it. I now carry Raptor and Paladin with me, as I've found they will boot different kinds of systems. If I can remove the drive, then I can safely verify the boot order before inserting the drive again and booting it to acquire. This is where the power of the Seagate Backup Plus drive (aka GoFlex) really shows itself in my toolkit. Without the drive dock, the interface on the bottom of the drive is plain SATA. So when attaching it to a system for acquisition I have the option of going USB, eSATA, SATA or FireWire/Thunderbolt/NAS via other adapters. It's this kind of flexibility that lets me reduce the bulk in my bag and remain flexible in always being able to get the highest data transfer speed from the system I'm acquiring.

    I'll continue this series tomorrow, hopefully my lessons learned will make your load lighter on the road and lead to a higher rate of success.