
Thread: Forensic Dead ends

  1. #1
    Junior Member
    Join Date
    May 2003
    Posts
    9

    Forensic Dead ends

    Say you found the IP of someone who hacked into a network you are investigating. And you decide to follow through and you want to prosecute him. What would happen if you went through all of the hosts he used as proxies and then you get to one IP and that person said that he found out earlier someone had hacked him as well, so he did a low-level format on his hard drive. Would you be able to subpoena his ISP's records and somehow tell if he really was used as a proxy for the attack or if he was indeed the attacker?

    Or what if someone was war driving and used a wireless LAN for internet access to launch his attack, and he changed his IP/MAC address to match one of the hosts he sniffed earlier that had been shutdown over the weekend. Would there be any way to find and prosecute the attacker in either of these scenarios?

    Also, SafeBack freeware? Cyber Forensics--A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes says it is freeware, but I haven't been able to find it for free anywhere.

  2. #2
    er0k
    Guest
    There are ways, ask www.fbi.gov :P

  3. #3
    11001001 (All the Certs!)
    Join Date
    Mar 2002
    Location
    Just West of Beantown, though nobody from Beantown actually calls it "Beantown."
    Posts
    1,230

    Re: Forensic Dead ends

    You as a citizen cannot subpoena anyone. However, if you feel so inclined, you can report the crime to your local or state PD, or your atty. general's office. The FBI doesn't usually get involved with *smalltime* hacks. However, it doesn't hurt anything to check with the local guys and see what they say. Be sure to tell them what evidence you've already gathered.

    -11001001
    Above ground, vertical, and exchanging gasses.
    Now you see me | Now you don't
    "Relax, Bender; It was just a dream. There's no such thing as two." ~ Fry
    sometimes my computer goes down on me

  4. #4
    er0k
    Guest

    Re: Re: Forensic Dead ends

    Originally posted here by 11001001
    You as a citizen cannot subpoena anyone. However, if you feel so inclined, you can report the crime to your local or state PD, or your atty. general's office. The FBI doesn't usually get involved with *smalltime* hacks. However, it doesn't hurt anything to check with the local guys and see what they say. Be sure to tell them what evidence you've already gathered.

    -11001001
    I was referring to the methods used to obtain the information that was deleted or discarded, not the FBI being involved every time. By saying "ask fbi.gov" I was saying "ask them how it's done."

    Sorry if I wasn't clear enough.

  5. #5
    11001001 (All the Certs!)
    Join Date
    Mar 2002
    Location
    Just West of Beantown, though nobody from Beantown actually calls it "Beantown."
    Posts
    1,230
    Sorry 'bout that er0k.

  6. #6
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    If you have physical access to the drive, or can get it by way of law enforcement, have the drive sent to someone who specializes in data recovery, like

    http://www.datarecoverygroup.com/

    They can almost always recover some (if not most, or all) data from even a formatted drive.

    There are apps out there which will let you do this yourself, but the Windows apps are so-so.

    You may want to look at The Coroner's Toolkit; here is some info:

    http://www.sans.org/rr/paper.php?id=651

    Whatever you do, if you plan to take legal action, you must be extremely careful in how you deal with evidence, the chain of custody, etc. etc.

    lots of info available here...

    http://www.sans.org/rr/catindex.php?cat_id=27

    and for disaster recovery

    http://www.sans.org/rr/catindex.php?cat_id=16

    In the real world, you probably want to make sure that you have a lawyer (experienced with the law and procedures of digital evidence) involved from the start of your investigation, or at least as soon as you possibly can. There are many ways that you can screw up the evidence (as far as the courts are concerned, anyway) and make prosecution or a civil suit next to impossible, assuming the defendant has a half-decent lawyer.
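    The recovery and chain-of-custody points in the post above, as an added example that is not code from this thread or from any of the tools it links. It assumes the "low-level format" the OP describes was really a quick format (metadata zeroed, data clusters left in place), which is what makes signature-based file carving work; the same block models a genuine overwrite of one file's sectors to show that a real wipe leaves nothing to carve. The disk image is constructed inline (fake JPEG/PNG/PDF bodies between zeroed sectors); the magic-byte signatures are the real ones for those formats. Hashing the image before examination and again afterwards is the minimal custody record the post is asking for; it does not replace a write blocker or a lawyer.

    ```python
    """Signature-based file carving over a raw disk image, plus the image
    hashes a chain-of-custody log needs. Added example; not from the thread."""
    import hashlib
    from dataclasses import dataclass

    # Header / footer magic bytes. These are the real values for each format.
    SIGNATURES = {
        "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
        "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
        "pdf": (b"%PDF-", b"%%EOF"),
    }
    # How far past a header we look for its footer, so a stray header in random
    # data cannot swallow the rest of the image. 16 MiB is an assumed limit.
    MAX_CARVE = 16 * 1024 * 1024
    SECTOR = 512


    @dataclass(frozen=True)
    class Carved:
        kind: str
        offset: int
        size: int
        sha256: str
        data: bytes


    def sha256(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()


    def carve(image: bytes, max_carve: int = MAX_CARVE) -> list:
        """Return every header..footer span found in the image, by offset.

        Filesystem metadata is never consulted, which is why this still works
        after a quick format: the directory and allocation tables are gone but
        the data clusters are untouched until something reuses them.
        """
        found = []
        for kind, (header, footer) in SIGNATURES.items():
            pos = image.find(header)
            while pos != -1:
                end = image.find(footer, pos + len(header), pos + max_carve)
                if end == -1:
                    pos = image.find(header, pos + 1)  # no footer in range; skip it
                    continue
                end += len(footer)
                chunk = image[pos:end]
                found.append(Carved(kind, pos, len(chunk), sha256(chunk), chunk))
                pos = image.find(header, end)
        return sorted(found, key=lambda c: c.offset)


    def overwrite(image: bytes, offset: int, length: int) -> bytes:
        """Model a genuine low-level overwrite of one region (what a real wipe
        does, unlike a quick format): the bytes are gone, not merely unlinked."""
        return image[:offset] + b"\x00" * length + image[offset + length:]


    def verify_image(image: bytes, recorded_sha256: str) -> bool:
        """Re-hash the image and compare with the hash taken at acquisition."""
        return sha256(image) == recorded_sha256


    def evidence_record(image: bytes) -> dict:
        """What goes in the custody log: image hash at acquisition, each carved
        item's offset/size/hash, and the image hash again after examination."""
        acquired = sha256(image)
        items = carve(image)
        return {
            "image_sha256": acquired,
            "carved": [(c.kind, c.offset, c.size, c.sha256) for c in items],
            "image_unchanged": verify_image(image, acquired),
        }


    def build_sample_image() -> bytes:
        """Constructed sample: a quick-formatted volume, i.e. zeroed metadata
        sectors followed by data clusters that still hold three files."""
        fake_jpg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-body" * 8 + b"\xff\xd9"
        fake_png = b"\x89PNG\r\n\x1a\n" + b"IHDR-sample-chunks" * 6 + b"IEND\xaeB`\x82"
        fake_pdf = b"%PDF-1.4\n" + b"1 0 obj<<>>endobj\n" * 5 + b"%%EOF"
        parts = [b"\x00" * (4 * SECTOR)]            # boot sector + FAT zeroed by the format
        for blob in (fake_jpg, fake_png, fake_pdf):
            parts.append(blob)
            parts.append(b"\x00" * (SECTOR - len(blob) % SECTOR))  # slack to sector end
            parts.append(b"\x00" * SECTOR)         # one free sector between files
        return b"".join(parts)


    if __name__ == "__main__":
        img = build_sample_image()
        rec = evidence_record(img)
        print("image sha256:", rec["image_sha256"], "unchanged:", rec["image_unchanged"])
        for kind, off, size, digest in rec["carved"]:
            print(f"{kind:4} @ {off:#08x} {size:5d} bytes  sha256={digest[:16]}...")
        jpg = carve(img)[0]
        wiped = overwrite(img, jpg.offset, jpg.size)
        print("after a real overwrite of the JPEG sectors:", [c.kind for c in carve(wiped)])
    ```

    The carver recovers only contiguous files; a file whose clusters were fragmented before the format comes back as a truncated or mixed chunk, and a PDF with incremental updates stops at its first `%%EOF`. The `overwrite` case is the honest answer to the OP's scenario: if the suspect really did overwrite the platters there is nothing for this technique, or a data-recovery shop, to find on that drive, and the investigation has to fall back on the ISP and upstream logs.
    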



  7. #7
    SodaMoca5 (Senior Member)
    Join Date
    Mar 2002
    Posts
    236
    Here is my suggestion:

    Report it to your local Homeland Security expert. Mention that the IP header looked like it had originated from a small village on the border of Pakistan and Afghanistan and it is probably linked to Bin Laden. Homeland Security will then get all of the ISP information, suspend any rights the hacker has left (it will really help if he even looks remotely Middle Eastern) and ship him off to Guantanamo Bay while they investigate. When they find out that you were full of it and that the suspected terrorist is actually a script kiddie who didn't even know he had cracked your machine, you merely have to reply that you were trying to do your civic duty as a loyal American supporting the war on terrorism (it might help to use a derogatory remark about the Dixie Chicks or Susan Sarandon here). This should get you off the hook, a slap on the back, and an open invitation to do it again if you should come across any other suspicious hackers.

    Now to answer your question. Since you are now in good with the Homeland Security department they might let you watch as they recover data from the next hapless script kiddie you turn in.

    <------------Disclaimer------------------>

    Before you guys go getting all over me for being unpatriotic, let me just make one statement. The previous tongue-in-cheek post is not meant to be derogatory to our nation or the current war on terrorism, although it is meant to illustrate the dangers I feel we are facing in allowing many of our basic human rights to be infringed upon by the government. Also, there is nothing I enjoy more during the day than making derogatory remarks about Susan Sarandon (although I think the Dixie Chicks have been over-punished for an immature and stupid statement that people overreacted to).

    I also apologize for going so far off topic but once I started the sarcasm just flowed.
    SodaMoca5
    "We are pressing through the sphincter of assholiness"

  8. #8
    Junior Member
    Join Date
    May 2003
    Posts
    9
    Thanks guys, I reported it to my Homeland Security expert and they said they would get back to me...
    Being a scriptkiddy is hazardous to your health.
    It causes your body to be thrown into jail.

  9. #9

    SafeBack

    SafeBack is not free software. A quick Google search brings up their web site:

    http://www.forensics-intl.com/safeback.html

    "In 2000 New Technologies, Inc. (NTI), a subsidiary of Armor Holdings, Inc. (NYSE:AH) purchased the rights to SafeBack from Sydex, Inc. "

    This tool is also mentioned in _Scene of the Cybercrime_ and I had already checked on the availability of the tool. It is possible that Sydex, Inc. did have a freebie version prior to being acquired.
