Re: Preview in Encase (or other package) rather than image

From: Craig Earnshaw (Craig.Earnshawat_private)
Date: Tue Jul 03 2001 - 07:33:05 PDT


    Pat:
    
    There are pros and cons to the concept of previewing and copying off, but I
    would never suggest using it instead of imaging.
    
    I must caveat this by saying that this is only a theory - not something that
    I've ever used in anger - primarily because we don't (yet...) have EnCase.
    
    The main side that I can see being an advantage is during the execution of
    civil Search and Seize orders in England and Wales where you are searching the
    house/offices for relevant information, both paper based and electronic.  If
    you preview and copy off the files from the target computer you may get extra
    evidence that enables you to identify and seize additional paper based material
    from the premises as it can be shown to be relevant to the case - given the
    link from electronic documents - a link that may not have been possible to make
    without the electronic documents.
    
    However, saying this, I would still unequivocally advocate taking an image of
    the computer in question AFTER you have previewed and identified etc.  You are
    only using the preview option to get rapid results that would lead you to new
    evidence.  In my experience with the execution of English civil Search and
    Seize orders you NEVER have the opportunity to image, restore, and examine a
    target machine on site.
    
    The disadvantage of this method is that if you do this and do not immediately
    identify any relevant documents you may not be allowed to image the machine in
    question (as you have shown that it doesn't contain relevant material).  Thus
    you end up shooting yourself in the foot.
    
    Just my 2 cents.....(personal opinion not company opinion etc etc)
    
    Craig
    
    pat.beardmoreat_private wrote:
    
    > Before I give my own opinions, has anyone come across the practice of
    > previewing a drive and then taking off the relevant files rather than doing
    > a full image.
    > Does anyone want to comment on the advantages and disadvantages of this
    > methodology?
    >
    > thanks,
    >
    > Patrick Beardmore
    >
    > -----------------------------------------------------------------
    >
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see:
    >
    > http://aris.securityfocus.com
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 03 2001 - 13:57:28 PDT