Pat:

There are pros and cons to the concept of previewing and copying off, but I would never suggest using it instead of imaging. I must caveat this by saying that this is only a theory - not something that I've ever used in anger - primarily because we don't (yet...) have EnCase.

The main side that I can see being an advantage is during the execution of civil Search and Seize orders in England and Wales where you are searching the house/offices for relevant information, both paper based and electronic. If you preview and copy off the files from the target computer you may get extra evidence that enables you to identify and seize additional paper based material from the premises as it can be shown to be relevant to the case - given the link from electronic documents - a link that may not have been possible to make without the electronic documents.

However, saying this, I would still unequivocally advocate taking an image of the computer in question AFTER you have previewed and identified etc. You are only using the preview option to get rapid results that would lead you to new evidence. In my experience with the execution of English civil Search and Seize orders you NEVER have the opportunity to image, restore, and examine a target machine on site.

The disadvantage of this method is that if you do this and do not immediately identify any relevant documents you may not be allowed to image the machine in question (as you have shown that it doesn't contain relevant material). Thus you end up shooting yourself in the foot.

Just my 2 cents..... (personal opinion not company opinion etc etc)

Craig

pat.beardmoreat_private wrote:

> Before I give my own opinions, has anyone come across the practice of
> previewing a drive and then taking off the relevant files rather than doing
> a full image.
> Does anyone want to comment on the advantages and disadvantages of this
> methodology?
>
> thanks,
>
> Patrick Beardmore
>
> -----------------------------------------------------------------
>
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Tue Jul 03 2001 - 13:57:28 PDT