DSL Talk

That's freaking cool!

DSL protecting ad serving!! ^_^

-----
Deep Thought was wrong. The Answer isn't 42, it's DSL!

Any thing I can do for you in MI Saidin..just ask..
:-)

--Mike
"You cannot wield it!"

What features in DSL do you make use of in your work affairs?
( Audio, logging, internet access, file storage )

ke4nt

I'd rather see civil servants use free software so that money could be freed up for bonuses, promotions, training and better equipment. Using Linux department-wide would breathe new life into old computer hardware and free up money needed elsewhere.

I wish more police departments would consider switching to Linux.

How about getting into some detail of how you are using DSL in Forensics? Are you using OS applications? Are you using stuff custom made for your needs? I am sure a lot of people would be very interested.

In foreniscs I use a program called SMART by ASR Data. I recently created a .dsl of the program that I load up into the live CD to do forenisc previews. I did the same thing for Brian Carrier's excellent Autopsy and Sleuthkit.

I've used some of the scripts from Steve Gibson's AIR tool and use DSL to create forensic images of evidence that is submitted to my unit. I commonly use dd and sdd+ for imaging.

What is a forensic preview? And what is a forenisc image? To be forensically sound any work done on computer evidence needs to be done in an environment that is under control of the examiner. Tools used need to be tested and validated; in other words you need to take a tool get a result and be able to duplicate it again and understand how it gets the results that it gets.

All our evidence is kept in a cypher locked and key carded evidence vault, that only two people have access to. Evidence is brought the unit, signed for, entered into property and then placed in the vault. When taken out of the vault it is assigned to the examiner removing it so chain of custody is maintained.

Evidence must be protected so that nothing is changed(best case scenario) or if altered, documented. Unfortunately sometimes in order to get evidence you have to use techniques that do place a small footprint on evidence. A perfect example is doing an examination on a WINCE PDA. Currently all forensic recovery on a WINCE PDA uses activesync to communicate with the device. In order to do that you have to create a guest partnership and this entails placeing a small 4k file in the memory of the device. Unavoidable.

A forensic copy is a bit by bit copy of the physical media-hard drive, compact flash etc. A forensic "preview" is protecting the evidence and then walking through it "live" to find what the investigator is looking for.

We commonly use forensic previews on Child ography cases in order to determine if the submitted evidence has suspected child ogrpahy and warrants an full exam.

One of the great strengths of DSL in computer forensics is that it runs on older hardware and with a small footprint.