RE: Preserving evidence

From: George M. Garner Jr. (gmgarnerat_private)
Date: Sat May 04 2002 - 21:26:21 PDT

    Perhaps the original poster should clarify the operating system in use
    at these "poor sites whose main server has been whacked and there is no
    way that they could take that system off-line for business reasons, or
    have another system that it could be duplicated on."  Many of the
    recommendations in this thread are operating system specific or assume
    that the system can be taken down (contrary to premise).
    
    Regards,
    
    George.
    
    -----Original Message-----
    From: crazytrain.com [mailto:subscribeat_private] 
    Sent: Saturday, May 04, 2002 4:49 PM
    To: Meritt James; FORENSICSat_private
    Subject: Re: Preserving evidence
    
    James
    
    this is where using a bootable data forensics cd would help you . . . have
    all your tools on the cd (or multiples), pop in the cd, make sure it's set
    to boot from CD-ROM first, and boot it from there.  You can then mount all
    the drives RO and work without touching the evidence.
    
    If this were a running RAID system and depending upon circumstances I would
    pop in my statically linked binaries CD, mount the CD, and do a 'safe
    analysis' on the running box from my trusted sources, logging as I go.
    There are many variables though, so it depends on your particular
    situation.
    
    farmerdude
    
    
    
    > While a disk duplication and then work on the dupe is preferred, what is
    > the legal status with respect to evidence of doing a full backup to tape
    > (with witnesses, using a standard product, sealing the tape afterwards
    > appropriately, ..) then working on the original?  I'm thinking of the
    > resources at hand for some of the smaller sites.
    > 
    > Alternatives?
    > -- 
    > James W. Meritt CISSP, CISA
    > Booz | Allen | Hamilton
    > phone: (410) 684-6566
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 

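A small added example, not written by any poster on this thread, of the "statically linked binaries CD ... logging as I go" approach farmerdude describes: a POSIX shell helper that checks the toolkit media against a hash manifest and then runs each tool by explicit path while appending a timestamped, hashed record of every command to a log kept off the evidence disks. The `$TOOLS/MANIFEST` layout, the `MANIFEST` format and the dependency on GNU `sha256sum` are assumptions of the example, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumed (hypothetical) layout: the
# trusted CD is mounted at $TOOLS and carries a MANIFEST of "sha256  name"
# lines produced with `sha256sum` when the toolkit was built. The evidence
# disks are assumed to be mounted read-only already, as the post describes.

# Check every tool on the media against its manifest. Returns 0 only when all
# hashes match. A rootkit cannot rewrite a CD, but a toolkit copied onto
# writable media, or a manifest that no longer matches, is caught here.
verify_toolkit() {
    tools_dir=$1
    [ -r "$tools_dir/MANIFEST" ] || return 1
    (cd "$tools_dir" && sha256sum --status -c MANIFEST)
}

# Run one tool by its explicit path under $tools_dir, never through the
# suspect host's PATH, save its output beside the log, and append one line
# with the UTC time, the exact command, its exit status and the SHA-256 of
# the saved output. $log and $outdir belong on media other than the evidence
# disks (USB, floppy, or a network pipe), so the evidence is never written.
log_cmd() {
    tools_dir=$1 log=$2 outdir=$3; shift 3
    tool=$1; shift
    : >> "$log"                                   # create the log if missing
    n=$(( $(wc -l < "$log") + 1 ))                # sequence number of this entry
    out="$outdir/cmd$n.out"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if "$tools_dir/$tool" "$@" > "$out" 2>&1; then rc=0; else rc=$?; fi
    sum=$(sha256sum "$out" | cut -d' ' -f1)
    printf '%s\t%s %s\trc=%d\tsha256=%s\t%s\n' \
        "$stamp" "$tool" "$*" "$rc" "$sum" "$out" >> "$log"
    return "$rc"
}
```

Re-hashing the `.out` files later against the log is what lets a reviewer confirm the recorded results have not changed since collection.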


    This archive was generated by hypermail 2b30 : Mon May 06 2002 - 06:21:34 PDT