A number of issues to consider:

Is this a criminal case or an administrative action case? Rules of evidence vary depending on which.

1. Has the administrator stopped all data from being written to the drives concerned? If data is being written to the drives, and they are heavily used systems, much of what you might recover will be gone/overwritten.

2. Does the administrator have backups? The last known full backup media should be pulled out of the rotation and sequestered. This can be as valuable, if not more so, than a server drive recovery. Server drives present a lot of problems in recovery because they tend to be very busy. A lot of data is written, moved, deleted, and overwritten in a short period of time.

3. What about the client desktop system? Encase would be a good tool for this, and the residual data might be better there.

4. Encase can be used not only to capture information for a case, but to recover data as well. You do not need an exact copy of the hardware to recover/capture with Encase; you just need enough storage media space to hold the captured data. We normally recover to the next larger drive size when possible.

However, a RAID array can greatly complicate life in this kind of situation. Since the RAID process stripes data across a number of drives, you would need access to all the drives. We have never had to deal with a RAID array in a capture situation, so I don't really know. You can contact Encase directly and they will give advice on the best way to proceed.

The first thing that you need to do, though, is protect those drives so that they can't be overwritten.

Also, don't forget about system audit logs. Hopefully, they had them turned on, and you can still get that information.

K.D.

-----Original Message-----
From: Jimmy Sadri [mailto:jimmys@private]
Sent: Thursday, February 27, 2003 11:46 AM
To: crime@private
Subject: CRIME Forensic Advice

Hi all,

I need some advice from people on the list in law enforcement and computer forensics.

I recently have been called in to consult for a company in a certain situation. The situation is that a disgruntled ex-employee has logged on to a server and deleted critical files, including his mailbox and websites on the webserver. I told the systems administrator that if they want to proceed legally against the employee they need to use a tool like Encase to make a copy of the hard drives, but he is also concerned with recovering the deleted information.

What other advice would you all give in a situation like this? Especially for data recovery of the information that was deleted. Also, did I leave anything out when I advised him of using Encase to secure the hard drive before he goes any further?

Another question I have is: does it make a difference that the drives are a RAID array? Just from my limited knowledge of Encase, you need an exact copy with the same hardware, do you not?

Thanks to all who respond.

Jimmy

================================================
Jimmy Sadri CISSP, CCNP,              jimmys@private
CCDA, CSS-1, MCSA, MCSE               webmaster@private
Network Engineer                      jimmys@private
Security Consultant/CBK Instructor    360-992-0525
This archive was generated by hypermail 2b30 : Thu Feb 27 2003 - 13:24:02 PST