Re: Preview in Encase (or other package) rather than image

From: daniel heinonen (d.heinonenat_private)
Date: Tue Jul 03 2001 - 16:53:25 PDT

    Hi Patrick,
    
    Below is an extract from a document which I believe should best describe 
    some bad points about taking only a few files.  I can foresee some 
    advantages being to collect evidence to obtain greater permission.  Also 
    there are big issues about privacy and forensic computing, as computers 
    are used for business and personal uses.  Full imaging may not be able to 
    take place.  It might be company policy that only the select files are 
    obtained.
    
    If you are in a company situation I would encourage you to get written 
    procedures in place for what to do in different events.  This way your 
    methods are transparent and should hold up.  Of course if you believe that 
    some events are in any way criminal or may go to court I would ask advice 
    from legal personnel such as your police department, as they are who you 
    will be working with or even handing the case over to.
    
    If you are in a police department I would check your laws and ask a lawyer. 
    It is a problem that the files you extract may not give a complete picture 
    of events that took place.
    
    Hope this helps; please feel free to ask any further detail or questions 
    either on the list or off.
    
    ----------------------------------------Extract--------------------------------------------------
    
    complete - tells within its own terms a complete story of particular set of 
    circumstances or events
    
    "But the defence would have argued that the methods used to produce the 
    print-outs of the files upon which the prosecution were relying could not 
    be scrutinised,  that this was prejudicial, and that as a result all the 
    evidence derived from Pryce's hard-disk should be excluded"
    
    Peter Sommers, 2000, 'Intrusion Detection Systems as Evidence', 
    http://www.bcs.org.uk/lac/ids.htm
    
    ------------------------------------------End----------------------------------------------------
    
    -Daniel Heinonen
    
    At 09:42 AM 03/07/01 +0100, you wrote:
    >Before I give my own opinions, has anyone come across the practice of
    >previewing a drive and then taking off the relevant files rather than doing
    >a full image.
    >Does anyone want to comment on the advantages and disadvantages of this
    >methodology?
    >
    >thanks,
    >
    >Patrick Beardmore
    
    