James this is where using a bootable data forensics cd would help you . . . have all your tools on the cd (or multiples), pop in the cd, make sure it's set to boot from CD-ROM first, and boot it from there. You can then mount all the drives RO and work without touching the evidence.

If this were a running RAID system and depending upon circumstances I would pop in my statically linked binaries CD, mount the CD, and do a 'safe analysis' on the running box from my trusted sources, logging as I go.

There are many variables though, so it depends on your particular situation.

farmerdude

> While a disk duplication and then work on the dupe is preferred, what is
> the legal status with respect to evidence of doing a full backup to tape
> (with witnesses, using a standard product, sealing the tape afterwards
> appropriately, ..) then working on the original? I'm thinking of the
> resources at hand for some of the smaller sites.
>
> Alternatives?
> --
> James W. Meritt CISSP, CISA
> Booz | Allen | Hamilton
> phone: (410) 684-6566
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
> -----------------------------------------------------------------
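As an added example (mine, not farmerdude's and not from the list), a small POSIX shell helper set for the workflow described above: trusted statically linked tools first on PATH, the evidence volume mounted read-only, every command recorded with a timestamp in a case log, and a hash of the evidence taken before and after the session so it can be shown untouched. The paths /mnt/cdrom/bin and /tmp/case.log and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed locations: the trusted
# tool CD is mounted at $TRUSTED_BIN and the case log is written to $CASE_LOG.
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/cdrom/bin}"
CASE_LOG="${CASE_LOG:-/tmp/case.log}"

# Put the statically linked tools from the CD ahead of the suspect system's
# own binaries, so a trojaned /bin/ls or /bin/ps is never the one that runs.
use_trusted_tools() {
    PATH="$TRUSTED_BIN:$PATH"
    export PATH
}

# Mount options that leave the evidence untouched: read-only, no access-time
# updates, and nothing on the volume can be executed or used as a device node.
ro_mount_opts() {
    printf '%s' 'ro,noatime,noexec,nodev,nosuid'
}

# Build (but do not run) the mount command for an evidence volume, so the
# exact command can be reviewed and logged before it is executed.
# $1 = device (e.g. /dev/sdb1), $2 = mount point
ro_mount_cmd() {
    printf 'mount -o %s %s %s' "$(ro_mount_opts)" "$1" "$2"
}

# Run a command, recording the UTC timestamp, the command line, its output and
# its exit status in the case log; the command's own exit status is returned.
logged() {
    _ts=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    printf '%s $ %s\n' "$_ts" "$*" >> "$CASE_LOG"
    "$@" >> "$CASE_LOG" 2>&1
    _rc=$?
    printf '%s exit=%s\n' "$_ts" "$_rc" >> "$CASE_LOG"
    return $_rc
}

# Number of commands recorded so far (each command line carries a " $ " marker).
logged_count() {
    [ -f "$CASE_LOG" ] || { echo 0; return; }
    grep -c ' \$ ' "$CASE_LOG"
}

# Hash a device or image; a matching hash after the session shows it was not modified.
evidence_hash() {
    sha256sum "$1" | cut -d' ' -f1
}
```

Typical use: `use_trusted_tools`, then `logged sh -c "$(ro_mount_cmd /dev/sdb1 /mnt/evidence)"`, with `logged evidence_hash /dev/sdb1` run before and after the analysis.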
This archive was generated by hypermail 2b30 : Sat May 04 2002 - 19:27:56 PDT