RE: Preserving evidence

From: Jeff Truedson (jtruedsonat_private)
Date: Mon May 06 2002 - 08:52:06 PDT

Next message: Hunter Ely: "Server with RAID-5"

Previous message: Hudak, Tyler: "RE: Preserving evidence"
In reply to: Hudak, Tyler: "RE: Preserving evidence"
Next in thread: Bojan Zdravkovic: "RE: Preserving evidence"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

*********************
"When copying a disk to another disk, a checksum of the destination disk
will nearly always result in a different value than a checksum of the
original disk, even when using the -IR switch. This difference is due to
differences in disk geometry between the source and destination disks."
********************

The information above came from Symantec's knowledge base.  Has anyone
found this to be a problem in Court?  

TIA
Jeff

-----Original Message-----
From: Hudak, Tyler [mailto:Tyler.Hudakat_private] 
Sent: Monday, May 06, 2002 7:36 AM
To: FORENSICSat_private
Subject: RE: Preserving evidence

What about using something like Norton Ghost and saving the ghost image
to a
CD or DVD or something along those lines?  As long as the physical chain
of
custody was kept of course.

Tyler

-----Original Message-----
From: Meritt James [mailto:meritt_jamesat_private]
Sent: Friday, May 03, 2002 9:05 AM
Cc: FORENSICSat_private
Subject: Preserving evidence


While a disk duplication and then work on the dupe is preferred, what is
the legal status with respect to evidence of doing a full backup to tape
(with witnesses, using a standard product, sealing the tape afterwards
appropriately, ..) then working on the original?  I'm thinking of the
resources at hand for some of the smaller sites.

Alternatives?
-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept
for the presence of computer viruses.

www.hubbell.com - Hubbell Incorporated
**********************************************************************


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Hunter Ely: "Server with RAID-5"
Previous message: Hudak, Tyler: "RE: Preserving evidence"
In reply to: Hudak, Tyler: "RE: Preserving evidence"
Next in thread: Bojan Zdravkovic: "RE: Preserving evidence"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed May 08 2002 - 03:21:41 PDT