RE: First Investigation - Need advice

From: Sean Kelly (sean_at_itsecurityconsultants.co.uk)
Date: 03/13/04

    To: <forensichelpwanted@fsmail.net>
    Date: Fri, 12 Mar 2004 23:21:54 -0000
    
    

    You would need a filter in between your machine and the machine that you
    are interrogating that would only allow read access to the hard drive
    and disallow writing to it.

    I would also say that the person or persons doing the forensic
    investigation would have no relationship to the party ordering the
    investigation.

    Sean
     

    -----Original Message-----
    From: forensic Helpwanted [mailto:forensichelpwanted@fsmail.net]
    Sent: 12 March 2004 07:30
    To: security-basics@securityfocus.com
    Subject: First Investigation - Need advice

    Hi

    I have been tasked with carrying out a search and seize with the aid of
    a court order. I can't ask local law enforcement as it is a civil
    matter, but I need a little help and figured this should be a good place
    to find it.

    I do have some knowledge and experience from when I was studying for the
    CISSP exam, I passed, but do not have any forensic hands-on experience.

    What I am basically looking for is a list of tools that I can get my
    hands on quickly and cheaply, and if possible a checklist or methodology
    to work to.

    I know this should be left to the experts, but time constraints and
    budget mean this is not possible, besides how hard can it be. <g>

    We have 2 locations to "raid" simultaneously, so I will be at one site,
    and a colleague at another.

    The plan thus far is....

    Video record everything from entry to the building, to sealing an image
    of the machines in question into polythene type bags, and signing over
    the top of them. Also, the investigation into the data will be recorded
    on video.

    Two images will be taken on site, one for sealing in the bag, another as
    the "working copy". These will be MD5 checksummed, and the hash
    recorded on paper. The sealed copy will go to a secure storage location
    for appearance in court, and the working copy used to gather evidence.
    The original will be returned to its owner.

    Each and every step taken, will be recorded, and witnessed, and signed
    off by the person who takes the action, the person who witnesses, and
    the person who recorded the activity.

    All personnel involved will be available for court dates should it come
    to that. But we strongly believe that the required information will be
    gained from one of the two locations, and that will be enough for the
    "plaintiff" to present to the "defendant" so that a settlement can be
    reached.

    Have I missed anything fundamental? Are there some other steps I should
    take? What tools, methods should be used to gather the images and
    interrogate the images when gathered?

    Thanks in advance for the help.

    FHW
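
The hash-and-record step of the plan above, as an added example that is not part of either poster's message: it checks that the sealed image and the working copy both match the source and prints one timestamped line per file for the written log. It assumes GNU coreutils (`md5sum`, `sha256sum`); the function names and file names are hypothetical, and the SHA-256 digest alongside the MD5 the plan mentions is an addition here.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumes GNU coreutils; all names and paths are hypothetical.

# Print "<md5> <sha256>" for one file. The file is only ever opened for reading.
hash_pair() {
    md5=$(md5sum < "$1" | cut -d' ' -f1) || return 1
    sha=$(sha256sum < "$1" | cut -d' ' -f1) || return 1
    printf '%s %s\n' "$md5" "$sha"
}

# verify_images SOURCE SEALED WORKING
# Prints one record line per file (UTC time, verdict, digests, path).
# Returns 0 if all three agree, 1 on any mismatch, 2 if a file is unreadable.
verify_images() {
    for f in "$1" "$2" "$3"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
    done
    ref=
    status=0
    for f in "$1" "$2" "$3"; do
        h=$(hash_pair "$f") || return 2
        # The first file (the source) sets the reference digests.
        [ -n "$ref" ] || ref=$h
        if [ "$h" = "$ref" ]; then
            verdict=MATCH
        else
            verdict=MISMATCH
            status=1
        fi
        printf '%s %s md5=%s sha256=%s %s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$verdict" \
            "${h% *}" "${h#* }" "$f"
    done
    return $status
}

# Usage (source read through a write blocker, as the reply suggests):
#   verify_images /dev/sdX sealed.dd working.dd | tee -a custody.log
```
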
    
