RE: First Investigation - Need advice
From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukh_at_online.gateway.technolabs.net)
Date: 03/14/04
- Previous message: Burton M. Strauss III: "RE: FW: Legal? Road Runner proactive scanning.[Scanned]"
- In reply to: forensic Helpwanted: "First Investigation - Need advice"
- Next in thread: Sean Kelly: "RE: First Investigation - Need advice"
To: <forensichelpwanted@fsmail.net>, <security-basics@securityfocus.com>
Date: Sun, 14 Mar 2004 11:51:00 +0530
> I have been tasked with carrying out a search and seize with the
> aid of a court order. I can't ask local law enforcement as it is
> a civil matter, but I need a little help and figured this should
> be a good place to find it.
security-basics is not a good place for this / try the forensics list, they are very good at this
> I do have some knowledge and experience from when I was studying
> for the CISSP exam, I passed, but do not have any forensic
> hands-on experience.
>
that would help you a lot in what you are doing
> What I am basically looking for is a list of tools that I can get
> my hands on quickly and cheaply, and if possible a checklist or
> methodology to work to.
>
ask on the forensics list,
the cheapest tools are (I understand that you will be using) Linux, because it is the most flexible system for these sorts of tasks
> I know this should be left to the experts, but time constraints
> and budget mean this is not possible, besides how hard can it be. <g>
it's not very hard if you know what you are doing. besides, if your case is handled by a law enforcement official it will hold up in court; as this is a lawsuit, a small mistake can simply invalidate all your evidence ... please do call expert consultants if you want
>
>
> We have 2 locations to "raid" simultaneously, so I will be at one
> site, and a colleague at another.
>
>
> The plan thus far is....
>
>
>
> Video record everything from entry to the building, to sealing a
> image of the machines in question into polythene type bags, and
> signing over the top of them. Also, the investigation into the
> data will be recorded on video.
>
>
and keep one of the signed copies in a safe box, which can be used for verifying the authenticity of the proof that you have in your hand
>
> Two images will be taken on site, one for sealing in the bag,
> another as the "working copy". These will be MD5 checksummed,
> and the hash recorded on paper. The sealed copy will go to a
> secure storage location for appearance in court, and the working
> copy used to gather evidence. The original will be returned to its owner.
>
that is a good idea.....
>
> Each and every step taken, will be recorded, and witnessed, and
> signed off by the person who takes the action, the person who
> witnesses, and the person who recorded the activity.
>
>
have 2 witnesses for safety
>
> All personnel involved will be available for court dates should
> it come to that. But we strongly believe that the required
> information will be gained from one of the two locations, and
> that will be enough for the "plaintiff" to present to the
> "defendant" so that a settlement can be reached.
>
>
best of luck in your investigation
> Have I missed anything fundamental? Are there some other steps I
> should take? What tools, methods should be used to gather the
> images and interrogate the images when gathered?
>
the tools used to analyse the images depend on how big your images are, what you are trying to look for: my personal preference is EnCase, or on Linux there is a tool called Lazarus
>
>
> Thanks in advance for the help.
>
>
>
hope that was helpful
-aditya
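
The hashing step in the quoted plan (a sealed image and a working copy, both checksummed against the original) can be scripted so every digest lands in a timestamped log. This is an added example, not part of the original thread: the file names and examiner label are constructed, and recording SHA-256 alongside the MD5 the plan mentions is an assumption added here.

```shell
#!/bin/sh
# Added example (not from the thread). Hashes a source and the two images
# taken from it, and appends one tab-separated record per digest to a log.

digest() {  # $1 = md5sum or sha256sum, $2 = file; prints the hex digest only
    "$1" < "$2" | awk '{print $1}'
}

# verify_images SOURCE SEALED WORKING LOG EXAMINER
# Returns 0 only if both copies match the source under MD5 and SHA-256,
# 1 on any mismatch, 2 if an input cannot be read.
verify_images() {
    vi_src=$1 vi_log=$4 vi_who=$5 vi_rc=0
    for vi_f in "$1" "$2" "$3"; do
        [ -r "$vi_f" ] || { echo "cannot read: $vi_f" >&2; return 2; }
    done
    for vi_algo in md5sum sha256sum; do
        vi_ref=$(digest "$vi_algo" "$vi_src")
        for vi_f in "$1" "$2" "$3"; do
            vi_got=$(digest "$vi_algo" "$vi_f")
            if [ "$vi_got" = "$vi_ref" ]; then vi_res=MATCH
            else vi_res=MISMATCH; vi_rc=1; fi
            printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
                "$vi_who" "$vi_algo" "$vi_got" "$vi_res" "$vi_f" >> "$vi_log"
        done
    done
    return "$vi_rc"
}

# Constructed demonstration: a small file stands in for the seized disk.
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed sample disk contents\n' > "$d/source.dd"
    cp "$d/source.dd" "$d/sealed.dd"
    cp "$d/source.dd" "$d/working.dd"
    verify_images "$d/source.dd" "$d/sealed.dd" "$d/working.dd" \
        "$d/custody.log" "examiner-A" && echo "clean copies: all hashes match"
    printf 'x' >> "$d/working.dd"   # simulate an altered working copy
    verify_images "$d/source.dd" "$d/sealed.dd" "$d/working.dd" \
        "$d/custody.log" "examiner-A" || echo "altered working copy detected"
    cat "$d/custody.log"
    rm -rf "$d"
}
demo
```

The log is append-only by convention here; the digests still need to be written on paper and signed as the plan describes, since a file on the examiner's machine proves nothing by itself.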