It actually depends on the motions that are filed with the court; in some cases, full disclosure of the logical files may not be requested. Printed versions of emails may or may not be used, depending on the type of case that is being viewed. Nothing really increases court confidence; it really depends on how much money either party has to spend on litigation.

To answer the other question: The documented policy and procedure on chain of evidence handling and how a full image of digital media is done is very crucial. In some cases, worksheets indicating who, where, what, and the time when evidence was passed are also essential. Some organizations at one time or another used labels, and scratched initials on drives they were handling. In those cases, how the evidence was handled was highly questionable and thus the evidence attained could not be used because properly documented policy and procedures were not done.

A security consultant should always follow the policies and procedures established by their organization in evidence handling, although most organizations are still in the process of formulating and standardizing their process.

/mark

At 09:15 AM 7/3/2001 -0700, Matthew.Brownat_private wrote:
>Pat
>
> I've heard success stories from members of this community that
>have done their time in court on the admittance of logical files and/or
>printed versions of such files, usually emails. But, in the development
>of standards we have gotten away from logical file approaches in favor of
>processes that allow for repeatability. A full image increases court
>confidence and can help if opposing counsel challenges your handling
>methods.
>
> I am confident that a large percentage of the members on this list
>will agree that chain of evidence handling and a full image of digital
>media are key in a national and international standard.
>
>Thanks,
>Matthew Brown, CISSP
>
>
>pat.beardmoreat_private
>07/03/2001 01:42 AM
>
> To: forensicsat_private
> cc:
> Subject: Preview in Encase (or other package) rather than image
>
>Before I give my own opinions, has anyone come across the practice of
>previewing a drive and then taking off the relevant files rather than
>doing a full image.
>Does anyone want to comment on the advantages and disadvantages of this
>methodology?
>
>thanks,
>
>Patrick Beardmore
>
>-----------------------------------------------------------------
>
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see:
>
>http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jul 05 2001 - 09:48:10 PDT