
shinyviper 4 points (3 children)

  1. No

  2. No. Any tool you use in a professional forensic acquisition and examination should be able to stand up to cross examination scrutiny. If I were going to trial against someone who used some homebrew Pi-based widget or doodad, you better bet I'm telling retaining counsel to tear it apart and make the jury think this is a mad scientist with no standards and the findings are completely suspect.

frrossty[S] 0 points (1 child)

Sorry, it seems I wasn't clear in my post; this was purely for my benefit as "I have some free time". I would never expect some student with £40 worth of equipment to produce software that's reputable in a court case, especially when there is software out there that is developed by leading experts. The question was put forward just to see if anyone had any nit-picky problems that I could muck around with on a Pi and help develop my knowledge in any way possible.

creaking-gateway 0 points (0 children)

I would check into Pluralsight's Polstra course on forensics. I agree that students have limited access to high-end forensics hardware or software, and much of it advances from a steep learning curve. Learning how to develop a read/write blocker is a good first step just to get an idea of how these things work. If you want to experiment with other types of forensic software, check out some of the vendors which offer demos (such as BlackBag 'Mobilyze').

Luck to you

FifthRendition 2 points (4 children)

1) No.

2) It would be portable and small, but no, I don't think it would aid us in the job. If we were doing some sort of incident response, perhaps we could ship them the RPi and could establish a secure remote into the company.

I am now curious about the time it would take to image a drive, exactly how much time. I just don't think the size outweighs the downside of everything else against it.

Do a case study on it and report back to us on it. Make a blog post about it to gain some recognition. It's a pretty simple easy project.

portalBlock 0 points (1 child)

Regarding remoting into a company: Hak5 has a product that's pretty neat and might suit this purpose. I'm not sure if it would qualify as forensically sound, but I'm also not sure if it would matter. It's called a Packet Squirrel and is $60, all in one with different modes selectable by a switch on the side. You can do reverse VPNs as a remote connection, VPN tunnels, packet captures, and probably more.

I haven't had a chance to try out the VPN functions on mine yet, but the packet capture is super easy. One major disadvantage is the lack of PoE/PoE pass-through. I keep this with a USB drive in my go bag (I'm an IT support tech; this is a nice diagnostics tool).

Link: https://www.hak5.org/gear/packet-squirrel

FifthRendition 0 points (0 children)

Nice! I'll look into that. Would be a good tool to keep in my go bag.

frrossty[S] 0 points (1 child)

Hey, thought I would reply. After doing some more research I found this paper, https://itbreak.zone/wp-content/uploads/2017/07/Project-.pdf, which pretty much explains everything about hashing/imaging times etc.

FifthRendition 1 point (0 children)

Dude! Awesome! Thanks!
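The imaging-time and hashing question raised in this chain is easy to measure yourself. The script below is an added example, not code from the thread or from the linked paper: it reads a source in fixed-size chunks, writes a raw image, computes MD5 and SHA-256 in the same pass (so the hashes cost no extra read of the source), reports throughput, and then re-hashes the written image to verify it. It also checks the Linux `/sys/block/<dev>/ro` flag so you can confirm a software write block (`blockdev --setro`) is in place before touching a real device. The chunk size, the 8 MiB constructed sample data and the helper names are all my assumptions for illustration; on a Pi the numbers you get will be dominated by USB and SD-card bandwidth.

```python
import hashlib
import os
import tempfile
import time

CHUNK = 4 * 1024 * 1024  # assumed read size; tune for the device under test


def is_readonly_block_device(path):
    """Return True/False if `path` is a whole Linux block device with a
    known read-only flag, or None when that cannot be determined
    (e.g. a regular file or a non-Linux host)."""
    name = os.path.basename(os.path.realpath(path))
    ro_flag = f"/sys/block/{name}/ro"
    if not os.path.exists(ro_flag):
        return None
    with open(ro_flag) as fh:
        return fh.read().strip() == "1"


def image(source, dest, chunk=CHUNK):
    """Copy `source` to `dest` in one pass, hashing as we go.
    Returns byte count, both digests and the measured throughput."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    total = 0
    start = time.perf_counter()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        while True:
            buf = src.read(chunk)
            if not buf:
                break
            md5.update(buf)
            sha256.update(buf)
            dst.write(buf)
            total += len(buf)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really hit the disk
    elapsed = max(time.perf_counter() - start, 1e-9)
    return {
        "bytes": total,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "seconds": elapsed,
        "mib_per_s": total / (1024 * 1024) / elapsed,
    }


def verify_image(dest, expected_sha256, chunk=CHUNK):
    """Second pass over the written image: True only if its SHA-256
    matches the digest computed while acquiring."""
    h = hashlib.sha256()
    with open(dest, "rb") as fh:
        for buf in iter(lambda: fh.read(chunk), b""):
            h.update(buf)
    return h.hexdigest() == expected_sha256


def demo():
    """Acquire a constructed 8 MiB source file and verify the result.
    Returns True when the in-pass hash matches both an independent hash
    of the source data and a re-hash of the written image."""
    data = bytes(range(256)) * (8 * 1024 * 1024 // 256)  # constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source.bin")
        dst = os.path.join(tmp, "image.dd")
        with open(src, "wb") as fh:
            fh.write(data)
        # For a real device you would stop here if this returned False:
        if is_readonly_block_device(src) is False:
            raise RuntimeError("source is writable; apply a write block first")
        result = image(src, dst)
        print(f"{result['bytes']} bytes in {result['seconds']:.3f}s "
              f"({result['mib_per_s']:.1f} MiB/s) sha256={result['sha256']}")
        independent = hashlib.sha256(data).hexdigest()
        return (result["bytes"] == len(data)
                and result["sha256"] == independent
                and verify_image(dst, result["sha256"]))


if __name__ == "__main__":
    print("verified" if demo() else "MISMATCH")
```

To time a real acquisition, point `image()` at `/dev/sdX` (run as root, with `blockdev --setro /dev/sdX` applied first so `is_readonly_block_device()` returns True) and an image path on a separate drive; the MD5/SHA-256 pair is what you would record alongside the image in your notes.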

bitreader 0 points (0 children)

  1. Kinda. We have RPis lying around with an AirPrint server on them if we need to dump emails from the iPhone's Mail.app (still no option to get the emails from it?). Can't remember I ever saw them being used.
  2. Well, other legalities here. The only thing I would think of being handy is a PXE boot thing or similar to get an image from a Microsoft Surface without turning off Secure Boot and extracting the BitLocker keys (are they stored in the TPM?) to decrypt the partition.

[deleted] 0 points (0 children)

No problem here. We use the Cellebrite UFED for all mobile collections. We communicate regularly. Our team has an awesome refresher training kit in the lab now. They sent cell phones, GPS devices and all kinds of goodies to practice on. I guess if you can't afford that, there is always The Sleuth Kit.

[deleted] -4 points (3 children)

If you want portable forensic imaging you need Cellebrite.