RE: CRIME Forensic Advice

From: Dorning, Kevin E - DI-3 (kedorning@private)
Date: Thu Feb 27 2003 - 12:29:28 PST

    A number of issues to consider:
     
    Is this a criminal case or an administrative action case?
    Rules of evidence vary depending on which.
     
    1.  Has the administrator stopped all data from being written to the drives concerned?  If data is being written to the drives, and they are heavily used systems, much of what you might recover will be gone/overwritten.
     
    2.  Does the administrator have backups?  The last known full backup media should be pulled out of the rotation and sequestered.  This can be as valuable, if not more so, than a server drive recovery.
     
    Server drives present a lot of problems in recovery because they tend to be very busy.  A lot of data is written, moved, deleted, overwritten, in a short period of time.
     
    3.  What about the client desktop system?  Encase would be a good tool for this, and the residual data might be better there.
     
    4.  Encase can be used not only to capture information for a case, but to recover data as well.
     
    You do not need an exact copy of the hardware to recover/capture with Encase; you just need enough storage media space to hold the captured data.  We normally recover to the next larger drive size when possible.
    However, a RAID array can greatly complicate life in this kind of situation.  Since the RAID process stripes data across a number of drives, you would need access to all the drives.  We have never had to deal with a RAID array in a capture situation, so I don't really know.
    You can contact Encase directly and they will give advice on the best way to proceed.
     
    The first thing that you need to do though is protect those drives so that they can't be overwritten.
     
    Also, don't forget about system Audit Logs.  Hopefully, they had them turned on, and you can still get that information.  
     
    K.D.
     
     
    
    -----Original Message-----
    From: Jimmy Sadri [mailto:jimmys@private]
    Sent: Thursday, February 27, 2003 11:46 AM
    To: crime@private
    Subject: CRIME Forensic Advice
    
    
    Hi all,
     
        I need some advice from people on the list in law enforcement and
    computer forensics. 
    I recently have been called in to consult a company in a certain situation.
    The situation is a disgruntled ex-employee has logged on to a server
    and deleted critical files, including his mailbox and websites on the
    webserver.
        I told the systems administrator that if they want to proceed legally
    against the employee they need to use a tool like Encase to make a 
    copy of the hard drives, but he is also concerned with recovering the 
    deleted information.  
        What other advice would you all give in a situation like this?  Especially
    for data recovery of the information that was deleted.  Also, did I leave anything
    out when I advised him of using Encase to secure the hard drive before he goes
    any further?  Another question I have is: does it make a difference that the drives
    are a RAID array?  Just from my limited knowledge of Encase, you need an exact
    copy with the same hardware, do you not?
     
    Thanks to all who respond.
     
    Jimmy
     
     
    ================================================
    Jimmy Sadri  CISSP, CCNP,       jimmys@private <mailto:jimmys@private> 
    CCDA,  CSS-1, MCSA, MCSE     webmaster@private <mailto:webmaster@private> 
    Network Engineer  jimmys@private <mailto:jimmys@private> 
    Security Consultant/CBK Instructor  360-992-0525
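The striping point raised in the reply above, as an added illustration that is not part of the original thread: a small Python model of RAID 0 style round-robin striping (constructed sample data and stripe size) showing that reassembly needs every member disk, and exactly which byte ranges are unrecoverable when one member was not captured.

```python
# Added illustration, not code from the thread: models round-robin striping
# (RAID 0 style) to show why a capture must include every member disk.
# The stripe size and sample data below are constructed values.
from typing import List, Optional

STRIPE_UNIT = 4  # bytes per stripe unit; real arrays use tens of KiB


def stripe(data: bytes, members: int, unit: int = STRIPE_UNIT) -> List[bytes]:
    """Deal `data` across `members` disks one unit at a time, round-robin."""
    disks = [bytearray() for _ in range(members)]
    for k, start in enumerate(range(0, len(data), unit)):
        disks[k % members] += data[start:start + unit]
    return [bytes(d) for d in disks]


def reassemble(disks: List[Optional[bytes]], total_len: int,
               unit: int = STRIPE_UNIT, fill: bytes = b"?") -> bytes:
    """Interleave the member disks back into the original byte stream.

    A member passed as None stands for a disk that was not captured; every
    unit it held comes back as `fill` bytes, so the holes are visible.
    """
    members = len(disks)
    out = bytearray()
    for k, start in enumerate(range(0, total_len, unit)):
        size = min(unit, total_len - start)      # last unit may be short
        disk = disks[k % members]
        if disk is None:
            out += fill * size
        else:
            offset = (k // members) * unit        # k-th unit on that disk
            out += disk[offset:offset + size]
    return bytes(out)


def demo() -> dict:
    """Stripe a constructed record over three members, then reassemble it
    once with all members and once with the middle member missing."""
    original = b"SECRET PAYROLL EXPORT 2003"    # constructed sample data
    members = stripe(original, 3)
    full = reassemble(members, len(original))
    partial = reassemble([members[0], None, members[2]], len(original))
    return {"members": members, "full": full, "partial": partial,
            "lost_bytes": partial.count(b"?")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With parity levels (RAID 5 and similar) one absent member can be rebuilt, but only when the controller's stripe order and parity layout are known, so the practical advice is the same: image every member.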
    



    This archive was generated by hypermail 2b30 : Thu Feb 27 2003 - 13:24:02 PST