About  

“UNIX was not designed to be learned; UNIX was designed to be used.

In other words, it can be confusing and time-consuming to learn UNIX.

However, once you have mastered the skills you need, for whatever work you want to do, working with Unix is fast and easy.” - Harley Hahn



What is SPADA?

SPADA stands for System Preview And Data Acquisition. SPADA-1 was a proof of concept and was not meant for general release, though many members of IACIS have used it with good results. SPADA-2 was released at the 2004 conference for general use by the IACIS membership. SPADA-3 was the beta release for the 2005 conference, but before release I adopted a new naming scheme: releases are now simply called SPADA and are referenced by their date of production, which is stored as the volume ID of the CD. For example, at the time of writing the current release is SPADA-22-Feb-05.

SPADA is based on a modified version of Knoppix, which in turn is based on Debian Linux, so in a round-about way SPADA is Debian Linux. The modifications allow you to mount, preview and acquire data from a suspect computer that has been booted from the CD, either directly or indirectly via a boot floppy. This is done in a forensically sound way without additional hardware such as a write-blocker: no writes are made to the suspect's hard drive. Because the protection is implemented in software rather than by a hardware write-blocker, it only covers the paths the software protects (see the note on software RAIDs).

(NOTE: Software RAIDs are not protected from low-level writes, for example with fdisk. High-level writes are protected, i.e. deleting a file or changing a file's date-stamp on a mounted file system is prevented.)
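The two paragraphs above state the property SPADA relies on (the suspect disk is mounted and copied without a single write) but not how an examiner checks it. The following script is an added example, not SPADA's own code or a description of its internals: it shows a read-only preview mount, a raw acquisition with dd, and the check practitioners use to prove the source was untouched, namely hashing the source before and after the copy and comparing both hashes with the image. The device and evidence paths are hypothetical, the tools are standard Linux coreutils and util-linux, and the `noload` option is a general ext3/ext4 caveat (a plain `ro` mount of an ext3/ext4 volume still replays the journal, which writes to the disk), not something the page says about SPADA.

```shell
#!/bin/sh
# Added example (not part of SPADA): forensically sound read-only preview and
# acquisition of a suspect disk, with hash verification that nothing was
# written to the source. Device/evidence paths below are hypothetical.
set -eu

# sha256 of a file or device, as a bare hex string (coreutils sha256sum).
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# preview_mount DEV DIR FSTYPE: mount DEV read-only on DIR for previewing.
# Requires root. noatime avoids access-time updates, noexec/nodev keep the
# suspect's binaries and device nodes inert. For ext3/ext4, noload stops the
# kernel from replaying the journal, which a plain "ro" mount would still do.
preview_mount() {
    dev=$1; dir=$2; fstype=$3
    opts=ro,noatime,noexec,nodev
    case $fstype in
        ext3|ext4) opts=$opts,noload ;;
    esac
    mount -t "$fstype" -o "$opts" "$dev" "$dir"
}

# acquire SRC IMG: copy SRC (block device or image file) to IMG and verify.
# Prints OK and writes IMG.sha256 when the source hash before and after the
# copy equals the image hash; prints MISMATCH and returns 1 otherwise.
acquire() {
    src=$1; img=$2
    # If SRC is a real block device and we are root, also mark it read-only
    # in the kernel before touching it (belt and braces; hypothetical step).
    if [ -b "$src" ] && [ "$(id -u)" -eq 0 ]; then
        blockdev --setro "$src"
    fi
    before=$(hash_file "$src")
    # conv=noerror,sync keeps going past unreadable sectors and pads them with
    # zeros so offsets in the image still line up with the source. bs=512
    # (one sector) means the padding never changes the length of a device
    # whose size is a whole number of sectors.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    after=$(hash_file "$src")
    imghash=$(hash_file "$img")
    if [ "$before" = "$after" ] && [ "$before" = "$imghash" ]; then
        printf '%s  %s\n' "$imghash" "$img" > "$img.sha256"
        echo OK
        return 0
    fi
    echo MISMATCH
    return 1
}

# verify IMG: recompute the image hash and compare it with IMG.sha256 written
# at acquisition time; succeeds only if the image is unchanged.
verify() {
    img=$1
    recorded=$(cut -d' ' -f1 "$img.sha256")
    [ "$recorded" = "$(hash_file "$img")" ]
}

# Stand-alone usage (root needed for a real device; paths hypothetical):
#   preview_mount /dev/sda1 /mnt/suspect ext3
#   acquire /dev/sda /evidence/sda.dd && verify /evidence/sda.dd
```

The before/after hash of the source is the cheap, on-scene equivalent of the hardware write-blocker the page says SPADA does without: if the two source hashes differ, something wrote to the disk during the copy and the acquisition is not defensible. The `.sha256` file written next to the image is what a later examination verifies against.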

What SPADA is not:

SPADA is not an all-inclusive automated examination tool like the popular Windows forensic suites. Although it contains the tools needed to perform an examination, such as the built-in Linux utilities and add-ons like Autopsy and @stake TASK (The @stake Sleuth Kit), it is not intended for that purpose for the average user.

Goals:

The goal of SPADA was to make a disk that could be used in the field to preview and/or acquire a forensic copy of data as evidence for later analysis:

· Where prima facie evidence was required before seizure.
· Where file copies of evidence would suffice.
· Where only limited searches are approved, e.g. consent searches or knock-and-talks.
· Where in-the-field imaging was required.
· Any other situation where time and/or seizure was a problem.


Last modified: 20-Sep-2006