RE: Preserving evidence

From: Christopher L Brown (clbrownat_private)
Date: Fri May 03 2002 - 07:13:34 PDT


    James,
    Understanding that you would lose all slack space by this process and
    only be preserving "files", your procedure is sound. Most expert
    witnesses could easily defend the files themselves if the physical chain
    of custody, as well as good documentation of procedures, was maintained.
    
    The burden you have added with your procedure is the added
    "non-standard" steps and equipment involved for analysis and
    presentation. This opens up avenues of attack on your methodology. 
    
    Summary
    The procedure seems sound and could be defended, but I would only use it
    if I had to.
    
    Thanks,
    
    Christopher L. T. Brown
    Technology Pathways LLC
    clbrownat_private
    Phone: 619-435-0906
    http://www.TechPathways.com
    ---------------------------
    PGP FP: 
    0731 B5B1 A9B1 8D85 E7FC 
    F14A B5D2 FDCF 5CBD A4AE
    
    
    > -----Original Message-----
    > From: Christopher L. T. Brown 
    > [mailto:clbrownat_private] On Behalf Of Meritt James
    > Sent: Friday, May 03, 2002 6:39 AM
    > To: kushtakaat_private
    > Subject: Preserving evidence
    > 
    > 
    > While a disk duplication and then work on the dupe is preferred, what is
    > the legal status with respect to evidence of doing a full backup to tape
    > (with witnesses, using a standard product, sealing the tape afterwards
    > appropriately, ..) then working on the original?  I'm thinking of the
    > resources at hand for some of the smaller sites.
    > resources at hand for some of the smaller sites.
    > 
    > Alternatives?
    > -- 
    > James W. Meritt CISSP, CISA
    > Booz | Allen | Hamilton
    > phone: (410) 684-6566
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri May 03 2002 - 07:16:52 PDT