Hi Patrick,

Below is an extract from a document which I believe should best describe some bad points about taking only a few files. I can foresee some advantages being to collect evidence to obtain greater permission. Also, there are big issues about privacy and forensic computing, as computers are used for business and personal uses. Full imaging may not be able to take place. It might be company policy that only the select files are obtained.

If you are in a company situation I would encourage you to get written procedures in place for what to do in different events. This way your methods are transparent and should hold up. Of course, if you believe that some events are in any way criminal or may go to court, I would ask advice from legal personnel such as your police department, as they are who you will be working with or even handing the case over to. If you are in a police department I would check your laws and ask a lawyer.

It is a problem that the files you extract may not give a complete picture of events that took place.

Hope this helps. Please feel free to ask any further detail or questions either on the list or off.

----------------------------------------Extract--------------------------------------------------

complete - tells within its own terms a complete story of particular set of circumstances or events

"But the defence would have argued that the methods used to produce the print-outs of the files upon which the prosecution were relying could not be scrutinised, that this was prejudicial, and that as a result all the evidence derived from Pryce's hard-disk should be excluded"

Peter Sommers, 2000, 'Intrusion Detection Systems as Evidence', http://www.bcs.org.uk/lac/ids.htm

------------------------------------------End----------------------------------------------------

-Daniel Heinonen

At 09:42 AM 03/07/01 +0100, you wrote:
>Before I give my own opinions, has anyone come across the practice of
>previewing a drive and then taking off the relevant files rather than doing
>a full image.
>Does anyone want to comment on the advantages and disadvantages of this
>methodology?
>
>thanks,
>
>Patrick Beardmore