BTW I did send this on the 25th and it didn't seem to go through, sorry if it gets double posted.

Hi Marian,

Great questions, let's put what I have read to the test. My understanding is when coverts take place the examiner brings their own machine. If the machine is off then great. BTW, what is the general consensus on what to do if a machine is on? Pull power out, shutdown, etc.?

A page that documents these items in detail can be found at http://www.securityfocus.com/focus/ih/articles/crimeguide1.html

- Examiner takes photos of how the case is found and the scene, so that it can be put back in place when finished.
- Takes screws off case.
- Earth yourself.
- Documents what is inside the machine (RAM, PCI slots, CPU, etc.).
- Unplug hard drive (don't have to take it out of the drive bay).
- Plug hard drive into examiner's machine.
- Image all drives.
- Boot suspect machine without a hard drive plugged in and, if possible, print what the BIOS is showing. Things you would look for here are the current date shown, boot order, and the hard drive size shown.
- Put everything back how it was. (Some computer search teams have people whose job is to make sure everything is put back in place exactly how it was found.)

WARNING - some cases, like the Dells, will record if you take the cover off.

Yes, there are problems with this, like what if it has bad sectors and so forth, but make sure you document these events. It is important also that you have sufficient case management systems, documentation, and that your equipment does what you think it does, e.g. mounts drives read only.

Hope this helps; read the URL, it will help you. BTW, never had experience, but all is from talking to police, common sense and reading articles on the web.

-Daniel

At 10:05 AM 22/06/01 +0200, you wrote:
>Let's have real situation:
>
>Problem:
>You have to make image of disk on crime scene.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 15:49:23 PDT
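The post above describes imaging all drives and documenting what went wrong (bad sectors and the like) as part of the case record. The following is an added example, not code from the original thread or from SecurityFocus, showing the shape of a forensic imager that keeps going past an unreadable block, zero-fills it, logs the event, and records the hash of the resulting image so the examiner can later show the copy has not changed. The source drive is a constructed in-memory stand-in (`FlakyDevice`) with one block that raises an I/O error; on a real acquisition it would be a write-blocked block device, which this example does not touch.

```python
import hashlib
import io
from dataclasses import dataclass, field


@dataclass
class ImagingReport:
    """Notes kept alongside the image for the case file (constructed structure)."""
    bytes_read: int = 0
    bad_blocks: list = field(default_factory=list)   # offsets that could not be read
    events: list = field(default_factory=list)       # free-text log lines
    image_sha256: str = ""


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a source drive: a byte buffer where reads at
    certain offsets fail with an I/O error, like a drive with bad sectors."""

    def __init__(self, data: bytes, bad_offsets=()):
        super().__init__(data)
        self.bad_offsets = set(bad_offsets)

    def read(self, n=-1):
        if self.tell() in self.bad_offsets:
            raise OSError(5, "Input/output error")
        return super().read(n)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest; used so the test can check the recorded hash."""
    return hashlib.sha256(data).hexdigest()


def image_device(device, size: int, block_size: int = 512):
    """Read `size` bytes from `device` block by block.

    Unreadable blocks are replaced with zeros of the same length and their
    offsets are logged, so the image keeps its layout and the gaps are
    documented rather than silently skipped.
    Returns (image_bytes, ImagingReport).
    """
    report = ImagingReport()
    image = bytearray()
    for offset in range(0, size, block_size):
        want = min(block_size, size - offset)
        try:
            device.seek(offset)
            chunk = device.read(want)
            if len(chunk) != want:
                raise OSError(5, "short read")
            report.bytes_read += len(chunk)
        except OSError as exc:
            # Document the failure and zero-fill so offsets stay aligned.
            report.bad_blocks.append(offset)
            report.events.append(
                f"read error at offset {offset} ({exc}); block zero-filled")
            chunk = b"\x00" * want
        image += chunk
    report.image_sha256 = sha256_hex(bytes(image))
    report.events.append(f"image complete: {len(image)} bytes, "
                         f"sha256={report.image_sha256}")
    return bytes(image), report


def verify_image(image: bytes, report: ImagingReport) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition time."""
    return sha256_hex(image) == report.image_sha256


if __name__ == "__main__":
    # Constructed sample: four 512-byte blocks, the third one unreadable.
    sample = bytes(range(256)) * 8
    dev = FlakyDevice(sample, bad_offsets=[1024])
    img, rep = image_device(dev, len(sample), block_size=512)
    for line in rep.events:
        print(line)
    print("verified:", verify_image(img, rep))
```

The report object stands in for the written notes the post insists on: which offsets failed, what was done about them, and the hash that ties the notes to the image. A real tool would also write the image to disk and hash the source where it can be read, but the control flow around a failed block is the part worth seeing.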