Re: Where are greater risks?

From: daniel heinonen (d.heinonenat_private)
Date: Wed Jun 27 2001 - 22:42:05 PDT

  • Next message: Dan Jones: "Re: Where are greater risks?"

    BTW I did send this on the 25th and it didn't seem to go through; sorry if it 
    gets double posted.
    
    Hi Marian,
    
    Great questions, let's put what I have read to the test. My understanding is 
    that when coverts take place the examiner brings their own machine.  If the 
    machine is off then great.
    
    BTW what is the general consensus on what to do if a machine is on? Pull the 
    power out, shut down, etc.?
    
    A page that documents these items in detail can be found at
    http://www.securityfocus.com/focus/ih/articles/crimeguide1.html
    
    Examiner takes photos of how the case is found and of the scene so that it can 
    be put back in place when finished.
    Take the screws off the case.
    Earth yourself.
    Document what is inside the machine (RAM, PCI slots, CPU etc.).
    Unplug the hard drive (you don't have to take it out of the drive bay).
    Plug the hard drive into the examiner's machine.
    Image all drives.
    Boot the suspect machine without a hard drive plugged in and, if possible, 
    print what the BIOS is showing.
    Things you would look for here are the current date shown, the boot order, and 
    the hard drive size shown.
    Put everything back how it was. (Some computer search teams have people whose 
    job is to make sure everything is put back in place exactly how it was found.)
    
    WARNING - some cases, like the Dells, will record if you take the cover off.
    
    Yes, there are problems with this, like what if it has bad sectors and so 
    forth, but make sure you document these events.
    
    It is also important that you have sufficient case management systems and 
    documentation, and that your equipment does what you think it does, e.g. 
    mounts drives read-only.
    
    Hope this helps; read the URL, it will help you.
    
    BTW I have never had experience, but all of this is from talking to police, 
    common sense and reading articles on the web.
    
    -Daniel
    
    At 10:05 AM 22/06/01 +0200, you wrote:
    >Let's have real situation:
    >
    >Problem:
    >You have to make image of disk on crime scene.
    
    
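The imaging steps above (plug the drive into the examiner's machine, image it, document bad sectors, confirm the mount is read-only) as an added worked example. This is not code from the original post or from the linked article; the "device", its failing sector and the /proc/mounts text are constructed here so it runs offline, and the sector size, function names and `/mnt/evidence` mount point are assumptions. It mirrors what `dd conv=noerror,sync` does on a read error: the unreadable sector is zero-filled so every later offset in the image still lines up with the disk, and the event is logged with its sector number for the case notes.

```python
"""Sector-by-sector imaging with bad-sector logging and hash verification.

Added example, not from the original post. The device, the bad sector and the
/proc/mounts text are constructed; on an examiner machine the source would be
a block device such as /dev/sdb behind a write blocker (assumed names).
"""
import hashlib
import io
import logging
from dataclasses import dataclass

SECTOR = 512  # assumed logical sector size; a real imager queries the device

log = logging.getLogger("imager")


@dataclass
class ImageResult:
    sectors_total: int
    bad_sectors: list      # sector numbers that failed to read and were zero-filled
    sha256_image: str      # hash of the bytes actually written to the image
    sha256_readable: str   # hash over only the sectors that read cleanly


class FakeDevice(io.RawIOBase):
    """Constructed stand-in for a block device that returns EIO on chosen sectors."""

    def __init__(self, data: bytes, bad_sectors):
        self._data, self._bad, self._pos = data, set(bad_sectors), 0

    def readable(self):
        return True

    def seekable(self):
        return True

    def seek(self, offset, whence=io.SEEK_SET):
        base = {io.SEEK_SET: 0, io.SEEK_CUR: self._pos, io.SEEK_END: len(self._data)}[whence]
        self._pos = base + offset
        return self._pos

    def tell(self):
        return self._pos

    def readinto(self, buf):
        if self._pos // SECTOR in self._bad:
            raise OSError(5, "Input/output error")  # what a failing disk reports
        n = max(0, min(len(buf), len(self._data) - self._pos))
        buf[:n] = self._data[self._pos:self._pos + n]
        self._pos += n
        return n


def image_device(dev, out, sector=SECTOR) -> ImageResult:
    """Copy dev to out one sector at a time, like `dd conv=noerror,sync`.

    An unreadable sector is replaced by zeros so later offsets stay aligned
    with the original disk, and each such event is logged with its number.
    """
    size = dev.seek(0, io.SEEK_END)
    total = (size + sector - 1) // sector
    bad = []
    h_image, h_readable = hashlib.sha256(), hashlib.sha256()
    for n in range(total):
        dev.seek(n * sector)
        try:
            chunk = dev.read(sector)
        except OSError as exc:
            log.warning("sector %d unreadable (%s); zero-filled", n, exc)
            bad.append(n)
            chunk = b"\x00" * sector
        else:
            h_readable.update(chunk)
        out.write(chunk)
        h_image.update(chunk)
    return ImageResult(total, bad, h_image.hexdigest(), h_readable.hexdigest())


def verify_image(image: bytes, result: ImageResult) -> bool:
    """Re-hash the image after acquisition; a mismatch means it changed or was miswritten."""
    return hashlib.sha256(image).hexdigest() == result.sha256_image


def mount_is_read_only(proc_mounts: str, mountpoint: str) -> bool:
    """True only if mountpoint appears in /proc/mounts-style text with the 'ro' option.

    Absent or 'rw' both give False: an evidence drive you cannot prove is
    read-only should be treated as writable.
    """
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return "ro" in fields[3].split(",")
    return False


# Constructed sample of /proc/mounts; only the evidence drive is read-only.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/evidence ext4 ro,noexec,noatime 0 0
/dev/sdc1 /mnt/scratch ext4 rw,relatime 0 0
"""


def demo(bad_sectors=(2,)):
    """Image a constructed 4-sector 'disk'; by default its third sector is unreadable."""
    data = bytes(range(256)) * 8            # 2048 bytes = 4 sectors
    out = io.BytesIO()
    result = image_device(FakeDevice(data, bad_sectors), out)
    return data, out.getvalue(), result


if __name__ == "__main__":
    data, image, result = demo()
    print("sectors:", result.sectors_total, "bad:", result.bad_sectors)
    print("image sha256:", result.sha256_image, "verifies:", verify_image(image, result))
    print("/mnt/evidence read-only:", mount_is_read_only(SAMPLE_MOUNTS, "/mnt/evidence"))
```

Two hashes are kept on purpose: `sha256_image` is what you re-verify the image file against later, while `sha256_readable` covers only the sectors that read cleanly, so a second pass on the same failing disk (or with different hardware) can be compared without the zero-fill padding masking or creating a difference.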
    -----------------------------------------------------------------
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 15:49:23 PDT