June 9, 2006

Got my GCFA (GIAC Certified Forensic Analyst)

Just a personal note. Since I mentioned earlier that I'd post when I obtained my GCFA, well, I obtained it. I'm number 0434 at http://www.giac.org/certified_professionals/listing/gcfa.php.

Voom HardCopy Takes on Seagate Barracuda 7200.10 750 GB Hard Drive

(Warning: Entire post uses hard drive definitions of "MB" and "GB".)

Well, my 300 GB drive proved not to be big enough for much of a forensics workload, especially since I need to dual-boot Linux and Windows to be able to run EnCase and The Sleuth Kit as needed, so the boss approved getting a 750 GB disk. It was only $430, so the cost per GB is pretty good for a new product.

I like to make sure I start with a clean disk, so I hooked it up to the HardCopy device http://www.voomtech.com/hc.html to zero it off. Since I have the SATA-II version of the drive, I had to use my trusty SATA to IDE/ATAPI converter. The results of the drive wipe: 750.16 GB wiped in 3:23:09. That averages 3.69 GB/min, compared to the 400 GB Barracuda ATA-100, which got around 3.47 GB/min. For the first 50-75 GB or so, the average wipe speed was 4.50 GB/min, which is 75 MBps!

I still love the HardCopy, and love my new Barracuda.

April 4, 2006

Voom HardCopy

For drive acquisition, we purchased the Voom HardCopy unit from Digital Intelligence for $995. Digital Intelligence shipped the device the next day, and it works great! The URL to order it is: http://www.digitalintelligence.com/products/hardcopy/

Previously, we used an "ultimate" write block kit containing Tableau Firewire 800 bridges with a Linux PC and a Firewire 800 PCI card to acquire images. While MUCH faster than USB 2.0, the speed still left a lot to be desired. The HardCopy device has clearly been much faster than using our Tableau Firewire 800 bridges connected to a PC to acquire images.

The HardCopy device can clone hard disks, or, more importantly for us, can take a dd-style image and save it to a HardCopy formatted NTFS file system. It also can calculate/compare MD5 values as an option, and outputs the values as a text file on the destination drive. Of course there are additional features, but those are just gravy to me.

I was drawn to the HardCopy line of acquisition devices for several reasons. A big one was the writeup at http://www.voomtech.com/docs/HC2 Review.pdf. I also like that the write blocking of the source drive is within the hardware itself, and can't accidentally be bypassed. (Some devices offer you a switch or software to control the write protection.)

I do know that the review linked to above was for the HardCopy 2 device, but from all that I can see, the HardCopy 2 is mostly a new version of HardCopy containing the ability to automatically split the output file into several chunks - so you can break large images into something that will fit on your target media. I don't expect to need to do this often, and we do have other equipment that can handle these situations (albeit slower). So I didn't want to pay about $400 more for the HardCopy 2.

Another important feature is the HardCopy's ability to write zeroes to the destination drive. Reportedly, courts like to hear that the drive you copied your forensic image onto did not contain any data other than that obtained from the suspect drive. The HardCopy offers the ability to fill the destination drive using one pass of zeroes - all that is really needed to ensure old data isn't generally readable on the destination drive. (You could of course run this several times if you need several passes - as long as it's ok that they are all zeroes. I don't think you gain much by that.)
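The two steps described above (zero-filling the destination so it holds nothing but the suspect data, then taking a dd-style bit copy while calculating and comparing MD5 values and leaving a text hash record next to the image) can be shown end to end in a short script. This is an added example, not HardCopy's code or Voom's algorithm; it runs against constructed files standing in for the suspect and destination drives, the helper names (`wipe_zero`, `first_nonzero`, `acquire`, `write_hash_report`, `run_demo`) are hypothetical, and the 1 MiB transfer size is an arbitrary choice.

```python
"""Added example: single-pass zero wipe, wipe verification, dd-style
acquisition with MD5 calculate/compare, and a plain-text hash record.
Helper names are hypothetical; the evidence bytes are constructed."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB transfer size (assumption; real tools tune this)


def wipe_zero(path, size):
    """Single-pass zero fill, the only wipe mode the post says HardCopy offers."""
    zeros = bytes(CHUNK)  # bytes(n) is n zero bytes
    with open(path, "wb") as f:
        left = size
        while left:
            n = min(CHUNK, left)
            f.write(zeros[:n])
            left -= n
        f.flush()
        os.fsync(f.fileno())


def first_nonzero(path):
    """Offset of the first non-zero byte, or None if the medium reads back all zeros."""
    off = 0
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            if buf.count(0) != len(buf):
                return off + next(i for i, b in enumerate(buf) if b)
            off += len(buf)
    return None


def acquire(src, dst):
    """Bit-for-bit copy of src onto the start of dst. dst is opened read/write
    (like a raw device), so the zeros beyond the image are left in place.
    Returns (bytes_copied, md5 of source as read, md5 of image as re-read)."""
    h_src = hashlib.md5()
    copied = 0
    with open(src, "rb") as s, open(dst, "r+b") as d:
        for buf in iter(lambda: s.read(CHUNK), b""):
            h_src.update(buf)
            d.write(buf)
            copied += len(buf)
        d.flush()
        os.fsync(d.fileno())
    # Independent verification pass: hash what actually landed on the destination.
    h_img = hashlib.md5()
    left = copied
    with open(dst, "rb") as d:
        while left:
            buf = d.read(min(CHUNK, left))
            if not buf:
                raise IOError("short read while verifying image")
            h_img.update(buf)
            left -= len(buf)
    return copied, h_src.hexdigest(), h_img.hexdigest()


def write_hash_report(path, src_md5, img_md5, nbytes):
    """Text record kept beside the image; returns the compare verdict."""
    verdict = "MATCH" if src_md5 == img_md5 else "MISMATCH"
    with open(path, "w") as f:
        f.write(f"bytes: {nbytes}\nsource md5: {src_md5}\nimage md5:  {img_md5}\n{verdict}\n")
    return verdict


def constructed_evidence(nbytes):
    """Deterministic pseudo-random bytes standing in for a suspect drive (constructed)."""
    out = bytearray()
    i = 0
    while len(out) < nbytes:
        out += hashlib.sha256(i.to_bytes(8, "big")).digest()
        i += 1
    return bytes(out[:nbytes])


def run_demo():
    """Wipe, verify the wipe, acquire, verify the hashes; return facts a test can check."""
    work = tempfile.mkdtemp()
    src, dst, report = (os.path.join(work, n) for n in ("suspect.img", "target.img", "hashes.txt"))
    src_size = 2 * CHUNK + 17  # odd size so the last chunk is partial
    with open(src, "wb") as f:
        f.write(constructed_evidence(src_size))
    wipe_zero(dst, 3 * CHUNK)  # destination larger than the evidence
    zeroed_before = first_nonzero(dst) is None
    nbytes, src_md5, img_md5 = acquire(src, dst)
    verdict = write_hash_report(report, src_md5, img_md5, nbytes)
    # Everything past the image on the destination must still be zeros.
    with open(dst, "rb") as f:
        f.seek(nbytes)
        tail_zero = f.read().count(0) == 3 * CHUNK - nbytes
    return {"zeroed_before": zeroed_before, "bytes": nbytes, "verdict": verdict,
            "src_md5": src_md5, "img_md5": img_md5, "tail_zero": tail_zero,
            "first_nonzero_after": first_nonzero(dst)}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point of hashing twice is the "calculate/compare" step: the first MD5 is over the source as it was read, the second is over the bytes re-read from the destination, so a write error or a bad sector on the target shows up as a MISMATCH in the report rather than going unnoticed. Checking that the destination reads back all zeros before acquisition is what lets you state that nothing on the target came from anywhere but the suspect drive.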

When writing zeroes in a test, a 400 GB Seagate Barracuda 7200.8 ATA-100 was seen writing at 4.16 GB/min peak, and finished in 1:55:18. A Maxtor DiamondMax Plus 9 80 GB ATA-133 filled in 32:40. Pretty impressive numbers, if you ask me.

Note that while the HardCopy only makes images to/from IDE/ATAPI (PATA) drives, a cheap SATA to IDE/ATAPI converter, such as the Addonics ADSAIDE that we purchased from Buy.com for $25.99 (free shipping) (link: http://www.buy.com/retail/product.asp?sku=10374161), works great and will let you acquire and/or write to SATA drives as needed. I have used this adapter to image a SATA drive with HardCopy, and it worked perfectly. Similar adapters are available for 2.5" notebook drives (our "ultimate" write block kit contains one).

Caveats:

  • HardCopy will write image files to an NTFS file system, but only when the file system was formatted with the HardCopy device. Apparently their NTFS partition is a little different than what Windows creates. (Although the HardCopy NTFS file system is readable in Windows and Linux - I have made sure!) The good news is, the format only takes a few minutes.
  • The "Wipe Drive" feature will write zeroes to the hard drive once. That is the only option. For folks who have a policy requiring overwriting disks with random data, or alternating 0s and 1s, etc., this won't be usable to "clean" drives containing private data. This might be because they sell a device that will do the random passes, etc. The Voom Drive Wiper is what to look for (it will let you wipe two drives at once).
  • I don't know of a way to obtain images from SCSI using this.

HardCopy URL: http://www.voomtech.com/voom_products/HardCopyS0.html

February 8, 2006

Certified Computer Examiner (CCE)

The instructor that I had for the SANS Forensics track, David Hoelzer, recommended this certification. The Certified Computer Examiner (CCE) certification is sponsored by The International Society of Forensic Computer Examiners. Its home page is http://certified-computer-examiner.com/.

GCFA - GIAC Certified Forensic Analyst

I mention this first simply because I took the training (SANS SEC 508) that it tests you on. It is generally not considered to be THE forensics training to get, but I don't think it's totally ignored either. The cost is listed at $800 (as of today), but it's $300 if you sign up for it along with the SANS SEC 508 class.

I paid for the certification attempt when I went to training in November, but haven't studied yet, let alone taken the test. I'll update this when I know more.

GCFA Homepage