Re: Preserving evidence

From: Meritt James (meritt_jamesat_private)
Date: Fri May 03 2002 - 07:09:43 PDT


    Oh, I know what SHOULD be done.  But I'm thinking of those poor sites
    whose main server has been whacked and there is no way that they could
    take that system off-line for business reasons, or have another system
    that it could be duplicated on.
    
    Jim
    
    Craig Billado wrote:
    > 
    > James,
    > 
    > The courts will expect an investigator to follow industry "best practices."
    > This often translates to the IACIS method of computer forensic
    > investigation. The IACIS method allows for a limited examination of
    > original media (e.g., it is hardly feasible to duplicate several terabytes
    > of evidence from a RAID 5 array). This is, of course, an exception to the
    > rule. If it is feasible for you to duplicate a drive and work on the copy,
    > you wouldn't have much ground to stand on should you do otherwise.
    > 
    > Sincerely,
    > 
    > Craig L. Billado, CISSP
    > Ethical Hacker -- IBM Global Services
    > Office:  (303) 924-4336
    > Mobile:  (303) 641-4719
    > 
    > 
    > From:    "Meritt James" <meritt_james@bah.com>
    > cc:      FORENSICSat_private
    > Subject: Preserving evidence
    > Date:    05/03/2002 07:05 AM
    > 
    > 
    > 
    > While a disk duplication and then work on the dupe is preferred, what is
    > the legal status with respect to evidence of doing a full backup to tape
    > (with witnesses, using a standard product, sealing the tape afterwards
    > appropriately, ..) then working on the original?  I'm thinking of the
    > resources at hand for some of the smaller sites.
    > 
    > Alternatives?
    > --
    > James W. Meritt CISSP, CISA
    > Booz | Allen | Hamilton
    > phone: (410) 684-6566
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    -- 
    James W. Meritt CISSP, CISA
    Booz | Allen | Hamilton
    phone: (410) 684-6566
    
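The thread turns on whether a copy (disk image or sealed tape) can be shown to match the original. The script below is an added example, not code from either poster: it images a drive, hashes source and image with SHA-256, writes a manifest recording the hashes, operator and witness, and later re-verifies the image against that manifest so any change to the copy is detected. The function and variable names (image_and_verify, verify_image, OPERATOR, WITNESS) are assumptions for illustration, and the "drive" is a constructed 8 KiB random file standing in for a block device.

```shell
#!/bin/sh
# Added example (not from the original thread): forensic copy with
# hash verification and a chain-of-custody manifest.
# Requires coreutils dd and sha256sum; run as a user that can read the source.

# image_and_verify SOURCE IMAGE MANIFEST
# Copies SOURCE to IMAGE block by block, hashes both, records a manifest
# and returns 0 only if the two hashes match.
image_and_verify() {
    src="$1"; img="$2"; manifest="$3"
    # Plain block copy. On a real device you may add conv=noerror,sync to
    # continue past unreadable sectors, but note that sync pads short reads
    # with zeros, so source and image hashes will then legitimately differ.
    dd if="$src" of="$img" bs=4096 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        printf 'source=%s\n'        "$src"
        printf 'image=%s\n'         "$img"
        printf 'sha256_source=%s\n' "$src_hash"
        printf 'sha256_image=%s\n'  "$img_hash"
        printf 'imaged_at=%s\n'     "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'operator=%s\n'      "${OPERATOR:-unknown}"   # hypothetical env var
        printf 'witness=%s\n'       "${WITNESS:-none}"       # hypothetical env var
    } > "$manifest"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE MANIFEST
# Re-hashes IMAGE and compares it with the hash recorded in MANIFEST.
# Returns 0 if unchanged, 1 if the image no longer matches.
verify_image() {
    img="$1"; manifest="$2"
    recorded=$(sed -n 's/^sha256_image=//p' "$manifest")
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# demo: constructed stand-in for a drive, then image, verify, tamper, re-verify.
demo() {
    work=$(mktemp -d)
    head -c 8192 /dev/urandom > "$work/disk.bin"     # constructed "device"
    if OPERATOR=analyst WITNESS=colleague \
       image_and_verify "$work/disk.bin" "$work/disk.img" "$work/manifest.txt"; then
        echo "image matches source:"; cat "$work/manifest.txt"
    else
        echo "image does NOT match source"; return 1
    fi
    if verify_image "$work/disk.img" "$work/manifest.txt"; then
        echo "re-verification OK"
    fi
    printf 'x' >> "$work/disk.img"                     # simulate tampering
    if verify_image "$work/disk.img" "$work/manifest.txt"; then
        echo "unexpected: tampered image still verifies"; return 1
    else
        echo "tampering detected"
    fi
    rm -rf "$work"
}

demo
```

The manifest is the piece you would print, sign with the witnesses and seal alongside the media; the later verify_image run is what lets you show in court that the copy examined is the copy that was made.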
    This archive was generated by hypermail 2b30 : Fri May 03 2002 - 07:15:29 PDT