Good point, but often when you conduct forensic analysis - you never know what you might find. Say you investigate a complex case and conduct all the procedures to ensure evidence is not compromised, only to find nothing. On the other hand, you extract/recover some data on a simple case - to find it explodes into a serious investigation resulting in court.

Therefore if you miss out procedures 1 and 2, skipping to procedure 3 to recover data - and then find something serious, all the evidence could now be compromised.

"Kurt Seifried" <btat_private>
06/05/2003 21:20
Please respond to "Kurt Seifried"

To: <jasoncat_private>, "Kruse, Warren G, II (Warren)" <wgkruseat_private>, 'Matías Bevilacqua-Brechbühler Trabado' <mbevilacquaat_private>, "'Jonathan A. Zdziarski'" <jonathanat_private>, "'yannick'san'" <yannicksanat_private>, "'William Cimo'" <wcimoat_private-vegas.nv.us>, <forensicsat_private>
cc:
Subject: Re: Computer Forensics

One potentially dangerous thing I see developing with this effort is the assumption most people seem to be making that the forensics procedure/technology must withstand legal scrutiny, i.e. under a court of law. This is not always the case. Many sites will want to execute computer forensics for other reasons, such as recovering data, finding out why a server crashed badly, and people who want to gather that data but do not need or want to pursue legal sanctions against the other party (i.e. companies running regular checks on systems to detect anomalous behaviour, a suspicious spouse, a concerned parent, etc.).

I feel it is important to remember that not everyone has the same legal/technical requirements for computer forensics and that the guide should reflect this. I.e. offer a set of options/recommendations (do steps 3 through 7 to recover the data. do steps 1 through 2 and 8 through 10 to recover the data in a fashion that is more likely to withstand legal examination).

Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Sun May 11 2003 - 09:23:40 PDT