RE: boobytraps

From: Ramsey, Shafer (EASD, IT) (Shafer.Ramseyat_private)
Date: Fri Nov 30 2001 - 04:45:37 PST

  • Next message: Holmes, Ben: "RE: boobytraps"

    >>Note that for *some* booby traps, "pulling the
    >>plug" may be the *wrong* thing
    >>to do, and result in the loss of the evidence.  
    
    >Excellent point.  There is a lot of volatile data
    >that disappears when a system is powered
    >down...and would be extremely useful in a case.
    
    The alternative though is troublesome.  If you don't create the chain of
    evidence and establish your control over that evidence instantly, then any
    forensic work you perform won't stand up in court.  With the HD set in a
    state other than read-only, the HD is by definition open to alteration.  That
    of course means that when you go to testify in court and the defense asks if
    there was any chance the files on the HD were altered in any way by your
    actions, you have to answer yes.  And the case gets thrown out, because no
    one can be completely sure who put what files on the HD.
    
    So, computer forensic investigators are in a catch-22.  If you don't power
    off the HD and bring it back up in a read-only state, your evidence will
    always be suspect and any decent lawyer will rip it to shreds.  But, if you
    do power off the HD, and that drive is encrypted, then you'll lose all of
    your evidence without some very advanced tools to read the ghost trails left
    in powered-off RAM (which is so close to science fiction that we might as
    well just call it that).
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 05:05:33 PST