James,

The courts will expect an investigator to follow industry "best practices." This often translates to the IACIS method of computer forensic investigation. The IACIS method allows for a limited examination of original media (e.g., it is hardly feasible to duplicate several terabytes of evidence from a RAID 5 array). This is, of course, an exception to the rule. If it is feasible for you to duplicate a drive and work on the copy, you wouldn't have much ground to stand on should you do otherwise.

Sincerely,

Craig L. Billado, CISSP
Ethical Hacker -- IBM Global Services
Office: (303) 924-4336
Mobile: (303) 641-4719


"Meritt James" <meritt_james@bah.com>
05/03/2002 07:05 AM
To:
cc: FORENSICSat_private
Subject: Preserving evidence

While a disk duplication and then work on the dupe is preferred, what is the legal status with respect to evidence of doing a full backup to tape (with witnesses, using a standard product, sealing the tape afterwards appropriately, ..) then working on the original? I'm thinking of the resources at hand for some of the smaller sites. Alternatives?

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
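The practice both messages treat as the preferred one, duplicate the media and examine only the copy, shown as an added shell example that is not part of this thread or of any tool it mentions. It images a constructed stand-in file with dd, hashes the source and the image, records both in an acquisition log, and later re-checks the image against that log before examination. The paths, the log layout and the function names are assumptions; on real media the source would be a block device and the run would be recorded by a witness in the same way James describes for the tape.

```shell
#!/bin/sh
# Added example (not from the thread): acquire a working copy of evidence
# media and prove, by hash, that the copy matches the original.
set -eu

WORKDIR=$(mktemp -d)
SRC="$WORKDIR/evidence.img"   # constructed stand-in for the original media
IMG="$WORKDIR/evidence.dd"    # the duplicate that examination will touch
LOG="$WORKDIR/acquisition.log"

# Build a constructed source so the script runs offline; in practice $SRC
# would be a device node such as /dev/sdb (assumption, not from the thread).
make_source() {
    printf 'constructed evidence payload\n' > "$SRC"
    dd if=/dev/zero bs=512 count=8 >> "$SRC" 2>/dev/null
}

# SHA-256 of a file; tolerates GNU (sha256sum) and BSD (shasum) userlands.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Hash the source, copy it bit-for-bit with dd, hash the copy, and write
# both hashes with a UTC timestamp to the log. Exit status is 0 only when
# the two hashes match, i.e. the duplicate is exact.
acquire() {
    src_hash=$(hash_of "$SRC")
    dd if="$SRC" of="$IMG" bs=4096 2>/dev/null
    img_hash=$(hash_of "$IMG")
    {
        echo "acquired_utc: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $SRC"
        echo "image: $IMG"
        echo "source_sha256: $src_hash"
        echo "image_sha256: $img_hash"
    } > "$LOG"
    [ "$src_hash" = "$img_hash" ]
}

# Re-hash the image and compare with the value recorded at acquisition.
# Run this before (and after) any examination to show the copy is unchanged.
verify_image() {
    recorded=$(awk '/^image_sha256:/ {print $2}' "$LOG")
    [ -n "$recorded" ] && [ "$(hash_of "$IMG")" = "$recorded" ]
}

make_source
acquire
verify_image && echo "image verified against $LOG"
```

The log is the artefact that pairs with the witnesses and the sealed original: whoever later questions the copy can re-run the hash and compare it to the recorded value. Note that dd with conv=noerror,sync (used on media with read errors) pads the image, so the source and image hashes then differ by design; in that case the hash to record and defend is the image's, taken immediately after acquisition.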
This archive was generated by hypermail 2b30 : Fri May 03 2002 - 07:10:50 PDT