James,

It depends..

The first question should be -- what evidence are you trying to preserve, and for what purpose? Upon that answer, almost everything else will depend.

If the evidence in question is a log or journal file, where the system is not so much a party to the incident -- being neither a tool/aggressor of a crime nor a victim of a crime, but rather an auditing mechanism which witnessed the crime -- then the method you describe may be appropriate.

If, however, the system is the target of an attack, or was used as a tool by a suspected perpetrator of a crime, or was itself a victim of an attack -- then you risk losing critical information. Information that any good defense attorney would claim could have been exculpatory in nature.

Just as a for instance, using Microsoft backup to back up a system of an individual who was found to be downloading pornography during work. This method would not pick up the slack space of files, the unallocated portions of the drive (which could house deleted or hidden materials), and could fail to preserve the 'last access' times.

In this situation, it could be claimed by the accused that a 'trojan' was responsible for the downloads, and that this 'trojan' was found by the accused and removed -- but that the 'accused' did not remove the pornography that the trojan downloaded because the 'accused' did not know of the pornography.

Preposterous? Without the drive, one would be hard pressed to refute this or other claims. One cannot check the last access times to find out that the 'accused' was viewing the pornography during lunch the day the system was seized, or even search for evidence of a trojan.

So, to answer your question.. I give the typical answer of "it depends.." :)

--Tim

Tim Lawless, CISSP
EDS GIAS Computer Investigations and Analysis
* Tim.Lawlessat_private
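The three losses Tim describes (file slack, unallocated blocks, and last-access times) can be made concrete with a small simulation. The following is an added example, not code from Tim's post or from any forensic tool: it models a constructed toy block device (`ToyDisk`, `BLOCK`, `NBLOCKS` and the file names are all assumptions) in which deletion frees blocks without wiping them and a write touches only the bytes the file needs, then compares what a file-level backup (`logical_backup`) captures against a bit-for-bit image (`raw_image`) and a crude string carve over that image. No real filesystem is involved; the point is the difference in what each acquisition method preserves.

```python
"""Why a file-level backup is not a forensic image (constructed simulation)."""
import hashlib
import re
from dataclasses import dataclass

BLOCK = 32    # bytes per block (toy value, assumption)
NBLOCKS = 8   # a 256-byte "disk" (toy value, assumption)


@dataclass
class Entry:
    blocks: list   # block numbers allocated to the file
    length: int    # logical size in bytes
    atime: int     # last-access tick


class ToyDisk:
    """Constructed block device: bytes persist after deletion, as on a real disk."""

    def __init__(self):
        self.raw = bytearray(BLOCK * NBLOCKS)
        self.free = list(range(NBLOCKS))
        self.dir = {}
        self.tick = 0

    def _now(self):
        self.tick += 1
        return self.tick

    def write(self, name, data: bytes):
        nblocks = (len(data) + BLOCK - 1) // BLOCK
        blocks, self.free = self.free[:nblocks], self.free[nblocks:]
        assert len(blocks) == nblocks, "disk full"
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            # Only the file's own bytes are written; the tail of the last
            # block (file slack) keeps whatever was there before.
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.dir[name] = Entry(blocks, len(data), self._now())

    def read(self, name) -> bytes:
        e = self.dir[name]
        e.atime = self._now()   # reading through the filesystem updates atime
        out = b"".join(self.raw[b * BLOCK:(b + 1) * BLOCK] for b in e.blocks)
        return out[:e.length]

    def delete(self, name):
        e = self.dir.pop(name)
        # Blocks go back on the free list; their contents are not touched.
        self.free = sorted(self.free + e.blocks)


def logical_backup(disk: ToyDisk) -> dict:
    """What a file-level backup captures: live files, read through the FS."""
    return {name: disk.read(name) for name in list(disk.dir)}


def raw_image(disk: ToyDisk) -> tuple:
    """Bit-for-bit copy of the device, plus a hash for the chain of custody."""
    img = bytes(disk.raw)
    return img, hashlib.sha256(img).hexdigest()


def carve(image: bytes, pattern: bytes) -> list:
    """Crude string carving over the whole image, allocated blocks or not."""
    return [m.start() for m in re.finditer(re.escape(pattern), image)]


def demo() -> dict:
    disk = ToyDisk()
    # Constructed "evidence": a download log that the accused later deletes.
    evidence = (b"GET http://example.test/pic01.jpg\r\n"
                b"GET http://example.test/pic02.jpg\r\n")   # 70 bytes, 3 blocks
    disk.write("download.log", evidence)
    disk.delete("download.log")                 # the "cleanup"
    disk.write("readme.txt", b"nothing to see here")   # reuses freed block 0
    atime_before = disk.dir["readme.txt"].atime

    backup = logical_backup(disk)               # reads readme.txt -> atime changes
    atime_after = disk.dir["readme.txt"].atime
    image, digest = raw_image(disk)             # does not go through the FS

    return {
        "backup_has_evidence": any(b"pic0" in v for v in backup.values()),
        "slack_hit": carve(image, b"pic01.jpg"),   # survives in readme.txt's slack
        "unalloc_hit": carve(image, b"pic02.jpg"), # survives in unallocated blocks
        "backup_changed_atime": atime_after != atime_before,
        "sha256": digest,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The simulation deliberately skips things real filesystems do (journals, MFT entries, RAM-slack zeroing), so it understates how much a proper image preserves; the direction of the result is what matters: the logical backup returns only `readme.txt`, while both URL fragments are still recoverable from the raw image, and the backup itself has already altered the very last-access timestamp an investigator would want.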
This archive was generated by hypermail 2b30 : Mon May 06 2002 - 06:24:18 PDT