RE: CRIME And finally

From: Jim Wood (jwood@private)
Date: Fri Aug 01 2003 - 09:36:39 PDT


    At this time that is the product I am using in Windows; Linux is a
    different story.
    
    I currently process electronic evidence for law enforcement around my
    location.  Winimage has worked fine in the past, and then generating an
    MD5 and comparing it against the original has been admissible in 2
    previous cases I have been involved in. -Always be sure that the lock
    tab is in the locked position before imaging these items!
    
    As far as requirements for evidence: the copy of the hard drive, CD, or
    whatever other media you are processing must be an exact bit-by-bit copy
    of the original, verifiable by MD5 or SHA (SHA is the preferred one now, as
    MD5 has some weaknesses. I am yet to have this challenged by a defense
    attorney in any of my cases, but I do know it has come up in recent
    cases.)
    
    The purpose of the bit-by-bit image is to preserve the "snapshot in
    time" of the suspect's media involved in the potential crime(s).
    
    There are many aspects to evidence collection and preservation so it
    will be acceptable / admissible as evidence.  There are many
    publications available from the DOJ on this very subject.
    
    Hope that answers some of your questions on evidence; if you should need
    more info, please feel free to shoot me an email.
    
    Jim Wood
    Forensic Examiner / President
    MW Technology Group Inc
    
    
    -----Original Message-----
    From: Arthur Strutzenberg [mailto:arthur.strutzenberg@private] 
    Sent: Friday, August 01, 2003 8:26 AM
    To: 'Jim Wood'
    Cc: crime@private
    Subject: RE: CRIME And finally
    
    This may sound crazy...but if these devices are mountable as drives and
    you live in the Windows world, what if you were to use something like
    Winimage to make an exact bit for bit copy of the device?
    
    Not sure on the admissibility of this and this gets to a question I have
    for the group-- what is required to preserve computer evidence,
    especially when you conduct a forensic investigation?
    
    --Arthur Strutzenberg
    
    ------------------------------------------------------
    Arthur Strutzenberg        Swan Island Networks Inc
    
    arthur.strutzenberg@private
    http://www.swanisland.net
    
    (503)-796-7926 (x20)
    ------------------------------------------------------
    
    
    -----Original Message-----
    From: owner-crime@private [mailto:owner-crime@private] On Behalf
    Of Jim Wood
    Sent: Thursday, July 31, 2003 6:53 PM
    To: crime@private
    Subject: CRIME And finally
    
    Thank you so much to all of you for your help today with my search for
    MD5 and SHA software.  It is great to have a resource like this where
    everyone is working together for a central cause - (Kinda communistic,
    huh??)
    
    I am looking for advice now on making working copies of media such as
    thumbdrives, flashdrives, SD cards, etc.  I have a process in place
    that works and is admissible as evidence, but I am open to better
    techniques / software that would simplify this in the future.
    
    JW
    
    Jim Wood
    jwood@private
    MW Technology Group Inc
    
    
    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.504 / Virus Database: 302 - Release Date: 7/24/2003
     
    



    This archive was generated by hypermail 2b30 : Fri Aug 01 2003 - 10:05:23 PDT
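
Added example, not part of the original thread and not either poster's actual procedure: a sketch of the "exact bit-by-bit copy verifiable by MD5 or SHA" requirement described above, hashing the source in the same pass that writes the image and then re-reading the image to confirm it. The function names are hypothetical, SHA-256 is an assumed choice of SHA variant, and a constructed temporary file stands in for the write-protected media.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read size; does not change the digests

def hash_stream(path, algos=("md5", "sha256")):
    """Hash a file or raw device node in one sequential, read-only pass."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def acquire(source, image):
    """Copy source to image byte for byte, hashing the bytes as they are read."""
    hashers = {a: hashlib.new(a) for a in ("md5", "sha256")}
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def verify(image, recorded):
    """Re-read the image; return the algorithms whose digest no longer matches."""
    current = hash_stream(image, tuple(recorded))
    return [a for a in recorded if current[a] != recorded[a]]

def demo():
    """Constructed stand-in for a small flash device: 3 MiB + 17 random bytes."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "source.bin")
    image = os.path.join(workdir, "evidence.img")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))
    recorded = acquire(source, image)
    clean = verify(image, recorded)      # [] means the copy matches
    with open(image, "r+b") as f:        # flip one bit in the copy
        f.seek(CHUNK)
        byte = f.read(1)
        f.seek(CHUNK)
        f.write(bytes([byte[0] ^ 0x01]))
    tampered = verify(image, recorded)   # every algorithm now disagrees
    return recorded, clean, tampered

if __name__ == "__main__":
    print(demo())
```

Recording the digests at acquisition time and re-checking the working copy before each examination gives a repeatable record that the image has not changed since it was taken.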