> While a disk duplication and then work on the dupe is preferred, what is
> the legal status with respect to evidence of doing a full backup to tape
> (with witnesses, using a standard product, sealing the tape afterwards
> appropriately, ..) then working on the original? I'm thinking of the
> resources at hand for some of the smaller sites.

Well, under Federal Rules of Evidence this is actually the preferred method, especially where logs are concerned (although copies are admissible if made in the regular course of daily business, see FRE 803(6)). However, you'd really need to trust your backup and restore capabilities in order to justify the risk involved in monkeying around on the original disk, or so it seems to me.

RGF

Robert G. Ferrell, CISSP
rferrellat_private
This archive was generated by hypermail 2b30 : Fri May 03 2002 - 07:08:11 PDT