Tutorial - Computer Forensics Evidence Collection

Following up on the Tutorial - Computer Forensics Process for Beginners , here is a step-by-step tutorial on how to process a suspect computer to obtain dumps of RAM memory and Disk Drive using Helix Forensic CD.

Our suspect computer is a Windows XP Virtual Machine.
Our Example Forensic Toolkit
  • Helix forensic CD - your basic tool for the investigation
  • Evidence USB - 16 GB Capacity - for removing smaller evidence files from the evidence computer
  • Analysis computer - a windows laptop, VDK driver, for the analysis computer (if using windows) - this driver will enable you to mount a DD image created during the evidence collection
  • Sophos Antivirus and A-Squared Free Antispyware detector software for the analysis computer
I. Running state evidence collection
  1. Insert the Helix CD in the suspects computer CD/DVD drive. The Helix has an autorun so should start immediately, but be careful. If you are logged on as anything other then an administrator, you won't be able to make a dump of the full physical memory. So close the autorun, and choose the Run as option to start the Helix software, and provide the Administrator credentials.

  2. WARNING - DO NOT log off the session in order to log on as an Administrator! Ending a session will inevitably change and contaminate the content of RAM, since a lot of processes are closed upon logoff.



  3. When Helix starts, there will be a warning screen stating that Helix won't be able to protect the suspect OS environment from changing, since it's running within the suspect OS environment. But, since there is no other way to take a snapshot of the ram memory, just choose accept.



  4. You will see the startup screen of the Helix tool. The first icon is just a preview of system info, so it's not too useful. Go ahead to the second option – acquisition. It will prompt you for the source. Choose physical memory, and direct the output to the evidence USB drive.
  5. Acquisition will prompt you for the source to be dumped – choose Physical Memory
    It will ask for second confirmation and will start the dump



  6. After Memory Dump is finished, choose incident response (3rd icon on the Left menu) and click on the small arrow to go to the second screen (shown below). Run WinAudit


  7. Click on the only link and let it perform inventory of the system. Save the result as a PDF on your evidence USB






After Winaudit finishes, close it, and close the Helix mainwindow. It will ask whether you like to record all activities in a PDF file. Confirm that you wish to and save the PDF on your evidence USB.
The above process will create an MD5 hash of the memory dump on the evidence USB. Open this file and take note of the MD5 hash.

II. Disk drive evidence collection
  1. Turn off the computer ungracefully, pull the plug - this will prevent any possible shutdown scripts from running and possibly erasing data on the computer.
  2. Boot it up again, and from the BIOS select to boot from CD-ROM. In a real corporate investigation, you may need assistance of IT to provide passwords, since most corporate PC's are set-up with BIOS password and disabled from booting from CD to prevent possible information theft.

  3. Boot the Helix Linux OS

  4. When booted, select Adepto from the Forensics Menu



  5. Similarly to the memory dump above, select the drive you wish to make a dump of, and select your evidence USB as destination. For hash, you can choose severa. The example is with SHA1. After the dump is finished, choose the last tab (report) and choose to save the dump report as PDF to the evidence USB.

  6. Copy all files to your analysis computer, and verify the hashes of the memory and disk dumps again using md5sum and sha1sum, whichever you used initially.


  7. Using VDK, mount a copy of the disk image for investigation. The mount command is: vdk open path_to_dump_file\dump_filename.dd /L:free_drive_letter

HERE You can download and review the forensic log documents created in this tutorial (5.19 MB ZIP file)

Helix_Evidence_Collection_Sample_Logs.zip
Verification sums:

  • SHA1SUM c7d189a78a715fd96127677d39d5ace1d5854ea5
  • MD5SUM 9b61fad0cf4418175cb7e387c6962c49

This concludes the easy part of computer forensics - evidence collection. Shortinfosec will follow-up with exercises of the analysis part.

Related posts

Tutorial - Computer Forensics Process for Beginners

Talkback and comments are most welcome

36 comments:

Anonymous said...

Consider putting the article's authors name along with the date in which it was written. When is the follow up article coming out on analysis?

Yasmara.id said...

Wow thanks, this is vey usefull info

tips paid review said...

good writing nice tutorial

mlm software said...

Thank you very much to share this information. It is very useful and informative.

mlm software

Forex trading strategies said...

This is a realy nice tutorial. Like the reading. Tnx

Benjamin Wright said...

On the SANS Institute's forensics blog, I have published new methods for preserving and authenticating evidence in a cyber investigation. http://goo.gl/ramnu What is your opinion? --Ben

Computer Forensics Expert said...

Nice post! I like the helpful information you provide in your articles. I’ll bookmark your blog and check again here regularly. I’m quite certain I will learn plenty of new stuff right here! Good luck for the next!

Anonymous said...

Athena Forensics

Interesting read thanks for the post!

Anonymous said...

electronic cigarettes, e cig, electronic cigarettes, electronic cigarette, electronic cigarette, smokeless cigarettes

ayman zaid ibrahim said...

Thank you very much! My friends and family members will be happy after hearing about this
tas wanita branded
jam tangan online
jam tangan online murah

ayman zaid ibrahim said...

Thanks a lot for sharing. Will check back later for more of your articles.
jam tangan online
grosir baju anak
tas wanita branded

ayman zaid ibrahim said...

Things are very open and intensely clear explanation of issues. was truly information. Your website is very beneficial.
glenn colton
pretty social
jual jam tangan

ayman zaid ibrahim said...

thanks for his articel can menembah my insight on the internet,
cinta akik
gemstone
portal bisnis online
kolektor batu akik
koleksi batu akik
pusat batu akik
beritabatuakik

Rosita Mae said...

thanks for sharing
Jam Tangan Online Murah
toko tas wanita online

Rosita Mae said...

thanks for sharing
Jam Tangan Online Murah
toko tas wanita online

Johan Syah said...


Thanks for sharing nice information with us. i like your post.
Toko Jam Tangan Online

Han Choe said...

Exceilent blog you have here but I was curious abou t if you knew of any communi ty forums tha t cover the same topics talked about in this article? I’d really like to be a part of online community where I can get advice from other experienced individuaIs that share the same interest. If you have any suggestions, please let me know. Appreciate it.....

Han Choe said...

I know where I'm going and I know the truth, and I don't have to be what you want me to be. I'm free to be what I want.Thankyou i reaIIy love it..

Han Choe said...

Thats a good' article, i usually amazed with' this thing, i asked myself about this opinion, I wish You'll a better articles that can make another people live..don't make the article feel rigit and isn't interesting and poor, i like to read this' article and i think this is "good".thank you' m'y brother...........

Imran Hashmi said...

Amazing! Its truly remarkable article, I have got much
clear idea concerning from this paragraph.








Adobe Creative Cloud Crack

bapak Taufan said...

Thanks for Sharing That... Sucses for You

findaunionprinter

findaunionprinter

getoifile

getdriversforpc

offlineinstallerfilehippo

theprinterdriver

esoftpedia

filehorse

caranddriver

Tahir Bahi said...

Thanks for sharing, nice blog and your article. plese visit me
IDM 6.5 Build 5 kegan
Trend Micro Antivirus
Windows 7 Product Key
Adobe Illustrator CC 2016 Crack

Tahir Bahi said...

Thanks for sharing, nice blog and your article. plese visit me
IDM 6.5 Build 5 kegan
Trend Micro Antivirus
Windows 7 Product Key
Adobe Illustrator CC 2016 Crack

atifabushra said...

Photoinstrument


google sketchup

neutron

spyhunter 4 email

Ruhama Putri said...

Thanks for Sharing That…. Sucses for You….

windowssoftpedia

pcsofttonic

epson printer driver

Festival Blog said...

Happy diwali Images
Happy Dhanteras
happy diwali photos
happy diwali quotes
happy Diwali image
happy Diwali Picture
Diwali images

Anonymous said...

Thanks for your tutorials. It really helped me. CrazyBulk

Anonymous said...

I enjoyed this tutorial. You explain it in such an easy way. Does VO Genesis Work?

camera c360 said...

Great to come to your site as the information shared is good and is explained in simple words. Good stuff you are created, thank you for sharing a nice article.

Anonymous said...

I really love this information security short takes. Tubeloom Program

Anonymous said...

I totally agree with your point of view. 67 Steps E-book

Anonymous said...

Thanks for showing this. Many people still don't know about Computer Forensics Evidence Collection. Visit Here

Anonymous said...

Your tutorial is really wonderful and it is awesome. realonlinereview.com/hard-on-demand

Anonymous said...

I love the steps of tutorials you mentioned in your post. realonlinereview.com/get-bigger-penis-fast

Anonymous said...

I really enjoyed reading this vital information. This is wonderful. www.realonlinereview.com/penis-enlargement-bible

numpangpromo said...

This tutorial is really useful for me, thank you so much.

Designed by Posicionamiento Web