RE: CRIME Forensic Advice

From: St. Clair, James (JStClair@private)
Date: Thu Feb 27 2003 - 12:54:48 PST


    Jimmy,
     
    Kevin is correct. For a real quick reference on good guidelines, from the
    legal perspective, go to www.cybercrime.gov.
    In particular, get the handbook available for searching and seizing computer
    evidence. A great reference.
     
    Jim
    
    -----Original Message-----
    From: Dorning, Kevin E - DI-3 [mailto:kedorning@private]
    Sent: Thursday, February 27, 2003 3:29 PM
    To: 'Jimmy Sadri'; crime@private
    Subject: RE: CRIME Forensic Advice
    
    
    A number of issues to consider:
     
    Is this a criminal case or an administrative action case?
    Rules of evidence vary depending on which.
     
    1.  Has the administrator stopped all data from being written to the drives
    concerned?  If data is being written to the drives, and they are heavily
    used systems, much of what you might recover will be gone/overwritten.
     
    2.  Does the Administrator have backups?  The last known full backup media
    should be pulled out of the rotation and sequestered. This can be as
    valuable, if not more so, than a server drive recovery.
     
    Server drives present a lot of problems in recovery because they tend to be
    very busy.  A lot of data is written, moved, deleted, overwritten, in a
    short period of time.
     
    3.  What about the client desktop system?  Encase would be a good tool for
    this, and the residual data might be better there.
     
    4.  Encase can be used not only to capture information for a case, but to
    recover data as well.
     
    You do not need an exact copy of the hardware to recover/capture with
    Encase, you just need enough storage media space to hold the captured data.
    We normally recover to the next larger drive size when possible.
    However, a RAID array can greatly complicate life in this kind of situation.
    Since the RAID process stripes data across a number of drives, you would
    need access to all the drives.  We have never had to deal with a RAID array
    in a capture situation so I don't really know.
    You can contact Encase directly and they will give advice on the best way to
    proceed.
     
    The first thing that you need to do though is protect those drives so that
    they can't be overwritten.
     
    Also, don't forget about system Audit Logs.  Hopefully, they had them turned
    on, and you can still get that information.
     
    K.D.
     
     
    
    -----Original Message-----
    From: Jimmy Sadri [mailto:jimmys@private]
    Sent: Thursday, February 27, 2003 11:46 AM
    To: crime@private
    Subject: CRIME Forensic Advice
    
    
    Hi all,
     
        I need some advice from people on the list in law enforcement and
    computer forensics.
    I recently have been called in to consult a company in a certain situation.
    The situation is a disgruntled ex-employee has logged on to a server
    and deleted critical files, including his mailbox and websites on the
    webserver.
        I told the systems administrator that if they want to proceed legally
    against the employee they need to use a tool like Encase to make a
    copy of the hard drives, but he is also concerned with recovering the
    deleted information.
        What other advice would you all give in a situation like this?
    Especially for data recovery of the information that was deleted.  Also, did I
    leave anything out when I advised him of using Encase to secure the hard drive
    before he goes any further?  Another question I have is does it make a
    difference that the drives are a RAID Array?  Just from my limited knowledge
    of Encase you need an exact copy with the same hardware, do you not?
     
    Thanks to all who respond.
     
    Jimmy
     
     
    ================================================
    Jimmy Sadri  CISSP, CCNP,       jimmys@private
    CCDA,  CSS-1, MCSA, MCSE     webmaster@private
    Network Engineer  jimmys@private
    Security Consultant/CBK Instructor  360-992-0525
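Kevin's advice in the thread above amounts to a procedure: stop writes to the drives, make a copy, and only then attempt recovery. The shell script below is an added example, not part of this thread and not an EnCase feature: it makes a raw image with dd, hashes the source before and after the copy as a check that nothing was still writing to it, hashes the image, and refuses to accept the copy unless all three hashes agree. It also goes one step beyond the thread with a `verify_image` function that re-checks an image later against the hash recorded at acquisition. The function names, argument layout and log format are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: raw imaging with dd plus hash
# verification, in the order Kevin describes (protect, copy, then recover).
# acquire_image <source> <image> <log>: <source> is a block device or file,
# <image> must not exist yet. All three names are example arguments.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

acquire_image() {
    src="$1"; img="$2"; log="$3"
    [ -r "$src" ] || { echo "source not readable: $src" >&2; return 2; }
    [ -e "$img" ] && { echo "refusing to overwrite existing image $img" >&2; return 2; }
    # Hash the source first; a different hash afterwards means something was
    # still writing to it (Kevin's point 1) and the copy cannot be trusted.
    pre=$(hash_file "$src")
    # bs must equal the sector size: conv=noerror keeps going past bad sectors
    # and conv=sync zero-fills only those, so offsets in the image stay correct.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 3
    post=$(hash_file "$src")
    imghash=$(hash_file "$img")
    {
        echo "acquired=$(date -u +%Y-%m-%dT%H:%M:%SZ) source=$src image=$img"
        echo "source_sha256_before=$pre"
        echo "source_sha256_after=$post"
        echo "image_sha256=$imghash"
    } >>"$log"
    # All three hashes must agree before the image is used for recovery or
    # handed over as evidence.
    [ "$pre" = "$post" ] && [ "$post" = "$imghash" ] || return 4
}

# verify_image <image> <log>: re-check an image against the recorded hash,
# e.g. before each later examination of the copy.
verify_image() {
    recorded=$(grep '^image_sha256=' "$2" | tail -n 1 | cut -d= -f2)
    [ -n "$recorded" ] && [ "$(hash_file "$1")" = "$recorded" ]
}
```

Run it against the server's raw device (or, for a RAID set, each member disk in turn, as Kevin notes you need all of them), never against a mounted, in-use filesystem.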
    



    This archive was generated by hypermail 2b30 : Thu Feb 27 2003 - 13:17:01 PST