Difference between pages "Training Courses and Providers" and "How to image an IDE disk with aimage and FreeBSD"

From ForensicsWiki
(NON-COMMERCIAL TRAINING)
Line 1: Line 1:
This is the list of Training Course Providers, who offer training courses at specific dates/times and locations (referred to by [[Upcoming_events]]). 
+
Here is a photo of my disk imaging system:
 +
[[Image:ImagingStationx4.jpg|320px|Photo of an open computer with 4 hard drives connected.]]
  
<b>PLEASE READ BEFORE YOU EDIT THE LIST BELOW</b><br>
+
Key elements of the disk imaging system:
Providers of scheduled training course should be listed in alphabetical order, and should be listed in only one section.  Non-Commercial training is typically offered by governmental agencies or organizations that directly support law enforcement. Tool Vendor training is training offered directly by a specific tool vendor, which may apply broadly, but generally is oriented to the vendor's specific tool (or tool suite).  Commercial Training is training offered by commercial companies which may or may not be oriented to a specific tool/tool suite, but is offered by a company other than a tool vendor.
+
* You need to have an internal IDE card which is not used for anything but disk imaging.
 +
* You need to have an external hard drive power supply, so that you can power the IDE drives without using your computer's power supply. (If you use your computer's power supply, you can easily crash your computer when attaching or detaching the power supply.)
  
<i>Some training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience. Such restrictions should be noted when known.</i>
+
=Imaging Checklist=
 +
Here's how image
 +
# [[How To Set Up a Disk Imaging Station|Set up a disk imaging station]].
 +
# You should have a 50-pin IDE ribbon cable going from your IDE controller to the desktop.
 +
# Do not connect your imaging drive yet!
 +
# Boot the computer in FreeBSD. 
 +
# Attach the IDE hard drive to the ribbon cable FIRST.
 +
# Now, attach power to the IDE drive.
 +
# You need to determine which ATA port the IDE drive is now connected to. In all likelihood it is <tt>ata0, ata1, ata2</tt> or <tt>ata3</tt>. If you have an internal hard drive on an IDE interface, then the internal interface is probably <tt>ata0</tt> and <tt>ata1</tt> and the external is probably on <tt>ata2</tt> or <tt>ata3</tt>.
 +
# You also need a place to store the AFF files you are going to be creating. I usually put them in <tt>/usr/affs</tt> which is a directory you will need to create.
 +
# Log in as root.
 +
# mkdir /usr/affs
 +
# Now, try to image the drive with this command:
 +
  aimage ata2 /usr/affs/disk1.aff
 +
# If this doesn't work, try:
 +
  aimage ata3 /usr/affs/disk1.aff
 +
# If it works, you'll see the aimage program running.
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv.
+
=What can go wrong=
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
* aimage may not be installed. If you get the error message "aimage: command not found" then you need to install AFFLIB and then make sure that the aimage command (usually installed in /usr/local/bin) is in your PATH. You can check this out by running "/usr/local/bin/aimage" instead of aimage.
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
* Your source drive can be broken. aimage should tell you this.
 +
* You can run out of disk space. You need a LOT of disk space to store disk images --- figure 30GB to image a 60GB drive.
  
==NON-COMMERCIAL TRAINING==
+
=What to do after you have made your images=
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
Once you have made a few images, you'll need to put them somewhere. Typically this means uploading them to a server somewhere.
|- style="background:#bfbfbf; font-weight: bold"
+
=See Also=
! width="40%"|Title
+
[[How To Set Up a Disk Imaging Station]]
! width="40%"|Website
+
[[Category:HowTos]]
! width="20%"|Limitation
+
|-
+
|Federal Law Enforcement Training Center
+
|http://www.fletc.gov/training/programs/computer-financial-intelligence/technical-operations
+
|Limited To Law Enforcement
+
|-
+
|IACIS
+
|http://www.cops.org/training
+
|Limited To Law Enforcement and Affiliate Members of IACIS
+
|-
+
|SEARCH
+
|http://www.search.org/programs/hightech/calendar.asp
+
|Limited To Law Enforcement
+
|-
+
|National White Collar Crime Center
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited To Law Enforcement
+
|-
+
|Las Positas College
+
|Computer Forensics Classes and Certificate
+
| Networking, Security, WhiteHat, WireShark
+
|http://www.laslpositascollege.edu
+
| All classes available Distance Ed.
+
|}
+
 
+
==TOOL VENDOR TRAINING==
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="40%"|Website
+
! width="20%"|Limitation
+
|-
+
|AccessData (Forensic Tool Kit FTK)
+
|http://www.accessdata.com/courses.html
+
|-
+
|ASR Data (SMART)
+
|http://www.asrdata.com/training/
+
|-
+
|BlackBag Technologies (Macintosh Forensic Suite and MacQuisition Boot Disk)
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|CPR Tools (Data Recovery)
+
|http://www.cprtools.net/training.php
+
|-
+
|Guidance Software (EnCase)
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Nuix (eDiscovery)
+
|http://www.nuix.com.au/eDiscovery.asp?active_page_id=147
+
|-
+
|Paraben (Paraben Suite)
+
|http://www.paraben-training.com/training.html
+
|-
+
|Technology Pathways(ProDiscover)
+
|http://www.techpathways.com/DesktopDefault.aspx?tabindex=6&tabid=9
+
|-
+
|SubRosaSoft (MacForensicsLab)
+
|http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=index&cPath=2
+
|-
+
|WetStone Technologies (Gargoyle, Stego Suite, LiveWire Investigator)
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|X-Ways Forensics (X-Ways Forensics)
+
|http://www.x-ways.net/training/
+
|-
+
|}
+
 
+
==COMMERCIAL TRAINING==
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="40%"|Website
+
! width="20%"|Limitation
+
|-
+
|Computer Forensic Training Center Online (CFTCO)
+
|http://www.cftco.com/
+
|-
+
|CCE Bootcamp
+
|http://www.cce-bootcamp.com/
+
|-
+
|e-fense Training
+
|http://www.e-fense.com/training.php
+
|-
+
|H-11 Digital Forensics
+
|http://www.h11-digital-forensics.com/training/viewclasses.php
+
|-
+
|High Tech Crime Institute
+
|http://www.gohtci.com
+
|-
+
|Infosec Institute
+
|http://www.infosecinstitute.com/courses/security_training_courses.html
+
|-
+
|ManTech Computer Security Training
+
|http://www.mantech.com/msma/isso.asp
+
|-
+
|Mobile Forensics, Inc
+
|http://mobileforensicsinc.com/
+
|-
+
|NTI (an Armor Forensics Company)
+
|http://www.forensics-intl.com/training.html
+
|-
+
|Security University
+
|http://www.securityuniversity.net/classes.php
+
|-
+
|Steganography Analysis and Research Center (SARC)
+
|http://www.sarc-wv.com/training.aspx
+
|-
+
|SysAdmin, Audit, Network, Security Institute (SANS)
+
|http://www.sans.org/training/courses.php
+
|-
+
|Vigilar
+
|http://www.vigilar.com/training/
+
|-
+
|}
+
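Review bot: The numbered checklist in the added text breaks at the two indented aimage command lines. A line that does not start with "#" ends the wiki list, so the steps after " aimage ata2 /usr/affs/disk1.aff" and " aimage ata3 /usr/affs/disk1.aff" restart at 1 in the rendered revision. Keep each command inside its list item (for example "#: aimage ata2 /usr/affs/disk1.aff") so the numbering runs through to the last step. Two smaller points in the same list: the intro line "Here's how image" is an unfinished sentence, and the step "# mkdir /usr/affs" is a bare command that would read better with a short description and the command marked as code.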

Revision as of 02:25, 7 February 2008

Here is a photo of my disk imaging system:

[Image: Photo of an open computer with 4 hard drives connected.]

Key elements of the disk imaging system:

  • You need to have an internal IDE card which is not used for anything but disk imaging.
  • You need to have an external hard drive power supply, so that you can power the IDE drives without using your computer's power supply. (If you use your computer's power supply, you can easily crash your computer when attaching or detaching the power supply.)

Imaging Checklist

Here's how to image an IDE disk:

  1. Set up a disk imaging station.
  2. You should have a 50-pin IDE ribbon cable going from your IDE controller to the desktop.
  3. Do not connect your imaging drive yet!
  4. Boot the computer in FreeBSD.
  5. Attach the IDE hard drive to the ribbon cable FIRST.
  6. Now, attach power to the IDE drive.
  7. You need to determine which ATA port the IDE drive is now connected to. In all likelihood it is ata0, ata1, ata2 or ata3. If you have an internal hard drive on an IDE interface, then the internal interfaces are probably ata0 and ata1, and the external drive is probably on ata2 or ata3.
  8. You also need a place to store the AFF files you are going to be creating. I usually put them in /usr/affs which is a directory you will need to create.
  9. Log in as root.
  10. Create the directory:
 mkdir /usr/affs
  11. Now, try to image the drive with this command:
 aimage ata2 /usr/affs/disk1.aff
  12. If this doesn't work, try:
 aimage ata3 /usr/affs/disk1.aff
  13. If it works, you'll see the aimage program running.

What can go wrong

  • aimage may not be installed. If you get the error message "aimage: command not found", you need to install AFFLIB and then make sure that the aimage command (usually installed in /usr/local/bin) is in your PATH. You can check this by running "/usr/local/bin/aimage" instead of aimage.
  • Your source drive can be broken. aimage should tell you this.
  • You can run out of disk space. You need a LOT of disk space to store disk images --- figure 30GB to image a 60GB drive.
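
The last steps of the checklist and the failure cases above can be wrapped in one script. This is an added example, not part of the original page or of AFFLIB: the function names, the AIMAGE and IMAGED_CHANNEL variables and the --run switch are this example's own, and the drive size in GB is assumed to be supplied by the operator.

```sh
#!/bin/sh
# Added example: pre-flight checks and ata2/ata3 fallback for the checklist.
# Function and variable names are this example's own, not part of AFFLIB.

# Locate aimage: PATH first, then the usual /usr/local/bin location.
find_aimage() {
    command -v aimage 2>/dev/null && return 0
    [ -x /usr/local/bin/aimage ] && { echo /usr/local/bin/aimage; return 0; }
    echo "aimage not found: install AFFLIB or fix PATH" >&2
    return 1
}

# Free space, in KB, on the filesystem that holds directory $1.
free_kb() {
    df -kP "$1" | awk 'NR == 2 { print $4 }'
}

# Succeeds if directory $2 has room for the image of a $1-GB drive,
# using the page's rule of thumb of about half the drive size
# (30GB to image a 60GB drive).
enough_space() {
    need_kb=$(( $1 * 1024 * 1024 / 2 ))
    [ "$(free_kb "$2")" -ge "$need_kb" ]
}

# Try each ATA channel in turn until aimage succeeds.
# $1 = output .aff file, remaining arguments = channels to try.
# Never overwrites an existing image; records the channel in IMAGED_CHANNEL.
image_first_working() {
    out=$1; shift
    [ -e "$out" ] && { echo "refusing to overwrite $out" >&2; return 2; }
    for chan in "$@"; do
        if "${AIMAGE:-aimage}" "$chan" "$out"; then
            IMAGED_CHANNEL=$chan
            return 0
        fi
        rm -f "$out"    # drop partial output from the failed attempt
    done
    return 1
}

# Runs only when asked, as root: sh image.sh --run <drive size in GB>
if [ "${1:-}" = "--run" ]; then
    AIMAGE=$(find_aimage) || exit 1
    mkdir -p /usr/affs
    enough_space "${2:?drive size in GB}" /usr/affs || { echo "not enough space in /usr/affs" >&2; exit 1; }
    image_first_working /usr/affs/disk1.aff ata2 ata3 || exit 1
    echo "imaged from $IMAGED_CHANNEL"
fi
```

Refusing to overwrite an existing .aff file keeps a retry from destroying an image that was already acquired.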

What to do after you have made your images

Once you have made a few images, you'll need to put them somewhere. Typically this means uploading them to a server somewhere.

See Also

How To Set Up a Disk Imaging Station