When I did it last year it was to look at an employee and not let them know we were looking at them. I used (believe it or not) Back Orifice with a plugin to view individual sectors of the disk across the network. Worked well. I then (with my partner) wrote a quick program to copy the disk across the network from the suspect machine to another one. In this case it was a desktop we could not move and we only had a limited time to do it prior to the suspect coming back to his desk. Our program ran from a floppy. So there is one reason to do this. I can think of others as well.

-----Original Message-----
From: H C [mailto:keydet89at_private]
Sent: Tuesday, June 18, 2002 6:31 AM
To: forensicsat_private
Cc: subscribeat_private
Subject: RE: Imaging a "live" system

> If you do then it's known that changes to the system will be
> made. *However*, if you document those changes and move
> in a methodical and sound manner, then I see no reason
> why you cannot proceed.

I'm still not all that clear on _why_ you'd ever want to perform imaging of a "live" system. I can see why one would want to collect volatile data from the system, and then perhaps (based on decisions made regarding the situation) move on to disconnecting the system, and then imaging the drive.

> One of the best things about a live system is the
> volatile info

Agreed. However, I think we need to address the issue of methodologies...like develop one. From my perspective at this point, very few admins are collecting this information. Now, I understand that not every situation requires it, but some do...and I think admins aren't doing it for a couple of reasons. First, there isn't even a framework, let alone a methodology, available. Second, no one really wants to do all the repetitive documenting of their actions...they'd rather just get on with it. Third...and I think this was brought out at CanSecWest to a degree...most don't know how to interpret the data they do get.
The issues seem to be as much a lack of time as they are a lack of skill. What if there were some way to collect this information in a "clean" manner that also performed the necessary documentation? What if the collection of volatile (and some non-volatile) information could be automated and thoroughly documented?

carv

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
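The kind of tool H C asks about at the end of the quoted message, a collector that gathers volatile data in a fixed order and documents itself as it goes, as an added example that is not code from this posting or from anyone on the list. Every command run is recorded with UTC start and end timestamps, exit status, a SHA-256 of its captured output and a numbered output file, and the manifest is sealed with its own hash so the sequence of actions can be checked later. The command list, the output directory name and the operator string are constructed placeholders; a real collection would be tailored to the platform and run from known-good binaries on removable media.

```python
"""Self-documenting volatile-data collection (added example, not from the list)."""
import datetime
import hashlib
import json
import os
import subprocess
from typing import Dict, List, Sequence

# Constructed example command list for a Unix-like host. Order matters:
# the most volatile data (time, processes, network state) is captured first.
DEFAULT_COMMANDS: List[Sequence[str]] = [
    ["date", "-u"],
    ["uname", "-a"],
    ["id"],
    ["ps", "aux"],
    ["netstat", "-an"],
]


def _now() -> str:
    """UTC timestamp in ISO 8601, used for every entry in the manifest."""
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def run_and_record(cmd: Sequence[str], outdir: str, seq: int) -> Dict:
    """Run one command, store its raw stdout to a numbered file and return a
    manifest entry documenting what was run, when, and what came back."""
    started = _now()
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=60)
        stdout, stderr, rc, error = proc.stdout, proc.stderr, proc.returncode, None
    except (OSError, subprocess.TimeoutExpired) as exc:
        # A missing tool or a hang is itself worth recording; do not abort the run.
        stdout, stderr, rc, error = b"", b"", None, repr(exc)
    finished = _now()
    path = os.path.join(outdir, f"{seq:03d}_{os.path.basename(cmd[0])}.out")
    with open(path, "wb") as fh:
        fh.write(stdout)
    return {
        "seq": seq,
        "command": list(cmd),
        "started_utc": started,
        "finished_utc": finished,
        "exit_code": rc,
        "error": error,
        "output_file": path,
        "stdout_bytes": len(stdout),
        "stdout_sha256": hashlib.sha256(stdout).hexdigest(),
        "stderr_sha256": hashlib.sha256(stderr).hexdigest(),
    }


def collect(commands: Sequence[Sequence[str]], outdir: str, operator: str) -> Dict:
    """Run every command in order, write manifest.json and return the manifest.
    The manifest hash covers everything except the hash field itself."""
    os.makedirs(outdir, exist_ok=True)
    entries = [run_and_record(cmd, outdir, i) for i, cmd in enumerate(commands, 1)]
    manifest = {
        "operator": operator,
        "collection_started_utc": entries[0]["started_utc"] if entries else _now(),
        "collection_finished_utc": _now(),
        "entries": entries,
    }
    body = json.dumps(manifest, indent=2, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_manifest(manifest_path: str) -> bool:
    """Check the manifest seal and re-hash every stored output file against it."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    stored = manifest.pop("manifest_sha256", None)
    body = json.dumps(manifest, indent=2, sort_keys=True).encode()
    if hashlib.sha256(body).hexdigest() != stored:
        return False
    for entry in manifest["entries"]:
        with open(entry["output_file"], "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != entry["stdout_sha256"]:
                return False
    return True


if __name__ == "__main__":
    # "examiner-placeholder" and the directory name are constructed values.
    m = collect(DEFAULT_COMMANDS, "volatile_collection", operator="examiner-placeholder")
    for e in m["entries"]:
        print(e["seq"], " ".join(e["command"]), e["exit_code"], e["stdout_sha256"][:16])
    print("manifest verifies:", verify_manifest("volatile_collection/manifest.json"))
```

The point of the design is that the documentation is a by-product of the collection rather than a separate chore: the examiner's notes become the manifest, each output file is tied to a hash and a timestamp at the moment of capture, and a tool that is absent on the target is logged as a failed step instead of silently leaving a gap in the record.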
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 08:51:50 PDT