Something to remember: methodology is only half the battle. Keeping a proper chain of evidence is just as critical. I don't care how badly you screw up the forensic examination; as long as you do not damage the original or lose the chain of evidence, we can always take another shot at the examination, hire someone else, etc. But if the chain of evidence is contaminated or the original is damaged, we are SOL and no amount of technical wizardry will make a difference; a court will not accept it (although you can probably use it for out-of-court things like scaring the guilty party into admission, etc.).

Also important to remember: are you acting as an agent for the police? If yes, the rules change a lot (like you may need to get a warrant to examine the computer, even if your company owns it), so when/how you bring the police in is an important choice. Talk to your legal counsel, as always.

Peace out.

Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.idefense.com/digest.html
This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 05:05:18 PST