Hi all,

I need some advice from people on the list in law enforcement and computer forensics. I recently have been called in to consult a company in a certain situation. The situation is that a disgruntled ex-employee has logged on to a server and deleted critical files, including his mailbox and websites on the webserver. I told the systems administrator that if they want to proceed legally against the employee they need to use a tool like EnCase to make a copy of the hard drives, but he is also concerned with recovering the deleted information.

What other advice would you all give in a situation like this? Especially for data recovery of the information that was deleted. Also, did I leave anything out when I advised him of using EnCase to secure the hard drive before he goes any further?

Another question I have is: does it make a difference that the drives are a RAID array? Just from my limited knowledge of EnCase, you need an exact copy with the same hardware, do you not?

Thanks to all who respond.

Jimmy

================================================
Jimmy Sadri CISSP, CCNP,             jimmys@private
CCDA, CSS-1, MCSA, MCSE              webmaster@private
Network Engineer                     jimmys@private
Security Consultant/CBK Instructor   360-992-0525
This archive was generated by hypermail 2b30 : Thu Feb 27 2003 - 12:38:47 PST