Hi Marian,

Great questions, let's put what I have read to the test. My understanding is that when covert searches take place the examiner brings their own machine. If the machine is off then great. BTW, what is the general consensus on what to do if a machine is on? Pull the power out, shut down, etc.? A page that documents these items in detail can be found at http://www.securityfocus.com/focus/ih/articles/crimeguide1.html

Examiner takes photos of how the case is found and of the scene, so that it can all be put back in place when finished.
Take the screws off the case.
Earth yourself.
Document what is inside the machine (RAM, PCI slots, CPU, etc.).
Unplug the hard drive (you don't have to take it out of the drive bay).
Plug the hard drive into the examiner's machine.
Image all drives.
Boot the suspect machine without a hard drive plugged in and, if possible, print what the BIOS is showing. Things you would look for here are the current date shown, the boot order, and the hard drive size shown.
Put everything back how it was. (Some computer search teams have people whose job is to make sure everything is put back in place exactly how it was found.)

WARNING - some cases, like the Dells, will record if you take the cover off.

Yes, there are problems with this, like what if it has bad sectors and so forth, but make sure you document these events. It is also important that you have sufficient case management systems and documentation, and that your equipment does what you think it does, e.g. mounts drives read-only.

Hope this helps; read the URL, it will help you. Btw, I have never had experience myself; all of this is from talking to police, common sense and reading articles on the web.

-Daniel

At 10:05 AM 22/06/01 +0200, you wrote:
>Let's have a real situation:
>
>Problem:
>You have to make an image of a disk at a crime scene.
>
>You have:
>- a set of diskettes with well-known forensic tools
>- a large external storage medium (large HDD with parallel port connection)
>
>Short solution:
>- properly connect the external storage medium to the suspected computer
>- boot the suspected computer from a prepared forensic diskette
>- run the forensic disk imaging tool and make an image of the disk to the external medium
>
>Very nice and simple, but... What does "boot suspected computer" mean?
>
>Let's go to a detailed description of each step of this "simple" process:
>
>- insert the diskette in drive A: (in 20% of cases it is useless: out of order,
>dusty, ...)
>
>- switch on the computer (Where is the switch? Is it mechanical or electronic?
>...)
>
>- the BIOS is starting... (What is the boot sequence? How can you verify it?
>You have to go to BIOS setup and you have only about 5 sec for it! How can you
>quickly and securely start BIOS setup? Is the BIOS password protected? ...)
>
>- the boot sequence is right and your system is booting from floppy (What
>system do you have to use? MS-DOS, Linux, ...? What version? Are you absolutely
>sure about the read-only feature of the system start-up process?)
>
>- OK, your system started correctly. You have to load a device driver to
>connect your external HDD. (But the parallel port is out of service, or it has
>a nonstandard INT or address and your driver did not identify it. ... What to
>do?)
>
>- OK, you can start your famous forensic disk imaging software with MD5
>feature!
>
>My question is: why do we widely discuss the safety of disk imaging SW while the
>questions above are neglected? Where are the great risks? Which risk is
>greater?
>Some may be solved by training, but not all of them.
>____________________________________
>Marian Svetlik
>Principal Consultant
>
>Risk Analysis Consultants
>Narodni 9, 110 00 Praha 1
>Czech Republic
>
>Tel.: +420 2 220 75 352 Fax: +420 2 242 28 273
>mail: svetlikat_private http://www.rac.cz
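The imaging step both messages turn on (copy the suspect disk, hash it, document what happened, cope with bad sectors) can be made concrete in a small POSIX shell function. This is an added example written for this archive page, not code from either poster; the function name `acquire_image` and the log layout are my own, and the source may be a block device or, for a dry run, an ordinary file.

```shell
#!/bin/sh
# Added example: acquire a bit-for-bit image of SRC into IMG, hash both,
# and keep a contemporaneous log. Not from the original thread.
# SRC is a block device on a real job (/dev/sdb) or a regular file for testing.

acquire_image() {
    src="$1"; img="$2"; log="$3"

    # "Make sure your equipment does what you think it does": on a real
    # drive, refuse to proceed unless the kernel read-only flag is already
    # set (blockdev --setro /dev/sdX beforehand). Skipped for regular files.
    if [ -b "$src" ] && [ "$(blockdev --getro "$src")" != "1" ]; then
        echo "refusing: $src is not marked read-only" >&2
        return 2
    fi

    # Document the acquisition before touching the data.
    {
        echo "acquisition start: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src"
        echo "image:  $img"
    } >>"$log"

    # conv=noerror,sync keeps going past unreadable sectors and zero-fills
    # them so later offsets stay aligned. bs must divide the source size
    # exactly (512 always does for a disk); otherwise sync pads the tail
    # and the hashes below will legitimately differ. dd's stderr, including
    # any read errors, goes into the log as evidence.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 3

    # Hash the source and the image; a match shows the copy is complete.
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    img_md5=$(md5sum "$img" | cut -d' ' -f1)
    printf 'md5 source: %s\nmd5 image:  %s\n' "$src_md5" "$img_md5" >>"$log"

    if [ "$src_md5" != "$img_md5" ]; then
        echo "HASH MISMATCH - image not verified" >>"$log"
        return 4
    fi
    echo "verified OK: $(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$log"
    return 0
}
```

If a sector really was unreadable, the second pass that hashes the source will itself fail or differ, which is exactly the event the log is there to record rather than hide.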
This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 19:46:26 PDT