I would think it would depend on the following variables: 1. What are you trying to document? Is the computer holding evidence as stored data (files) or as active processes (worms, running applications)? If I'm curious about the first, doing some form of complete imaging of the drive is the best bet. You want something that will capture invisible files, swap space and mirror everything on the drive. I wouldn't want to do that on a running machine myself, unless I suspected something triggered to erase relevant data on shutdown. If I want to capture running systems, I'd look at the process viewer (or equivalent). On Unix boxes, I'd run ps or top to identify running processes. If I'm curious about what's going on between the machine and the network, I'd put a dumb hub between the machine and the network (effectively cloning the traffic between it and the rest of the world) and put a sniffer on another of those ports. Barring that, ifconfig/ipconfig and netstat would be a good start.
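As an added example (not part of the original post), here is a POSIX shell script that collects the volatile state the reply above lists (processes, sockets, interfaces, routes, logged-in users) in rough order of volatility, writes each command's output to a collection directory, and records SHA-256 hashes in a manifest so the collection can be shown to be unaltered later. The collection directory, file names and the exact command set are this example's own assumptions; tools that are not installed on the host are recorded as missing rather than aborting the run.

```shell
#!/bin/sh
# Added example: order-of-volatility collection of live Unix system state.
# Point OUTDIR at removable or network storage, never at the suspect disk,
# so the collection itself does not overwrite unallocated space there.

hash_file() {
    # Portable SHA-256: GNU coreutils sha256sum, else BSD shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# run_step OUTDIR NAME CMD [ARGS...]
# Capture stdout+stderr of one command into OUTDIR/NAME.txt and append a
# manifest line. A missing tool is noted in the file, not treated as fatal.
run_step() {
    outdir=$1; name=$2; shift 2
    out="$outdir/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || true
    else
        printf 'tool not available: %s\n' "$1" > "$out"
    fi
    printf '%s  %s\n' "$(hash_file "$out")" "$name.txt" >> "$outdir/manifest.sha256"
}

# collect_volatile OUTDIR
# Most volatile first (processes, open sockets), then network configuration,
# then slower-changing identity data. The command list is an assumption;
# extend it for the platform at hand.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    : > "$outdir/manifest.sha256"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$outdir/collection_started.txt"
    printf '%s  %s\n' "$(hash_file "$outdir/collection_started.txt")" \
        "collection_started.txt" >> "$outdir/manifest.sha256"
    run_step "$outdir" processes   ps -ef
    run_step "$outdir" sockets     netstat -an
    run_step "$outdir" ss_sockets  ss -antup
    run_step "$outdir" routes      netstat -rn
    run_step "$outdir" interfaces  ifconfig -a
    run_step "$outdir" ip_addr     ip addr
    run_step "$outdir" logged_in   who
    run_step "$outdir" uptime      uptime
    run_step "$outdir" kernel      uname -a
    run_step "$outdir" mounts      mount
}

# verify_collection OUTDIR
# Returns 0 only if every collected file still matches its manifest hash.
verify_collection() {
    outdir=$1
    while read -r sum name; do
        [ "$(hash_file "$outdir/$name")" = "$sum" ] || return 1
    done < "$outdir/manifest.sha256"
    return 0
}

# Usage: ./collect.sh /mnt/usb/case-0001/hostname
if [ "$#" -eq 1 ]; then
    collect_volatile "$1" && verify_collection "$1" && echo "collection verified"
fi
```

The manifest is the piece that matters if the case turns legal: hash the whole directory again onto write-once media as soon as the collection finishes, and any later edit to a captured file shows up as a verify failure rather than a disputed memory.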
If you are looking at forensic analysis of what they have on the system at their desk, then your answer could be EnCase Enterprise Edition. It lets you:
• Perform a live, network-enabled analysis without interrupting operations
• Reach workstations and servers remotely
• Use forensic methodology
• Document the investigation
The reason I suggest something as pricey as EnCase is because it preserves your evidence. If you try to image the drive on your own, touch the machine, or open and close any files or viewers on a live machine without the proper forensic software, you can and probably will cause changes to the files and logs of the machine, thus hurting you in the long run if the case turns legal.
EnCase will make a bit-by-bit forensic image of the drive, hashed, without touching or altering anything on the suspect machine. It prevents any writing to or alteration of the drive.
The days of the admin going to the machine and perusing it then imaging it to a drive they have sitting around are long gone considering crime and also potential lawsuits.
Spend the 2K; it is worth it, and we have used it from small individual cases up to larger cases in which we are coordinating with local and federal law enforcement on possible political corruption.
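As an added example (not EnCase's code and not from the original post), the following POSIX shell script shows the minimum that a hashed bit-for-bit image involves when done by hand with dd: copy the device sector by sector, hash source and image, and refuse to call the result verified unless the hashes match. Function and file names are this example's own. It also shows what a plain dd does not give you: there is no write protection, so it has to run from a forensic boot medium or behind a hardware write blocker, and `conv=sync` pads unreadable or partial sectors with zeros, which the hash comparison will flag as a mismatch instead of silently accepting.

```shell
#!/bin/sh
# Added example: sector-by-sector imaging with dd plus hash verification.
# This is not a write blocker; the kernel can still mount or journal the
# source disk. Use a hardware write blocker or a forensic boot medium.

hash_file() {
    # Portable SHA-256: GNU coreutils sha256sum, else BSD shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# image_device SRC DST LOG
# Copies SRC to DST block for block, records both hashes and the outcome in
# LOG, and returns 0 only when source and image hash identically.
image_device() {
    src=$1; dst=$2; log=$3
    printf 'source=%s\nimage=%s\nstarted=%s\n' "$src" "$dst" \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" >> "$log"
    # bs=512 matches the sector size so conv=sync only pads genuinely short
    # reads; noerror keeps going past bad sectors instead of truncating the
    # image, and sync pads them so later offsets still line up.
    if ! dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log"; then
        printf 'result=dd_failed\n' >> "$log"
        return 2
    fi
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    printf 'source_sha256=%s\nimage_sha256=%s\n' "$src_hash" "$dst_hash" >> "$log"
    if [ "$src_hash" = "$dst_hash" ]; then
        printf 'result=verified\n' >> "$log"
        return 0
    fi
    # Mismatch: a read error was padded, the source is not a whole number
    # of sectors, or the source changed while being read (a live disk).
    # The image must not be presented as an exact copy.
    printf 'result=hash_mismatch\n' >> "$log"
    return 1
}

# Usage: ./image.sh /dev/sdb /mnt/evidence/case-0001/sdb.dd /mnt/evidence/case-0001/sdb.log
if [ "$#" -eq 3 ]; then
    image_device "$1" "$2" "$3" && echo "image verified"
fi
```

The log records the hashes alongside the dd record counts, which is the chain-of-custody information a commercial tool writes into its case file for you; hashing the source before and after the copy is the simplest evidence that the copy did not alter it.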
If you're looking to collect volatile data only, I've released the Forensic Server Project (FSP) and First Responder Utility (FRU) on the web site for my book. The FRU available in my book (the updated version is on the web site) works for Windows systems, but the same framework can be ported to other systems. The server runs on Windows, but can also be easily ported.
H. Carvey "Windows Forensics and Incident Recovery"