Re: Computer Forensics

From: James.K.Powellat_private
Date: Fri May 09 2003 - 05:30:24 PDT


    Good point, but often when you conduct forensic analysis - you never know
    what you might find.
    
    Say you investigate a complex case and conduct all the procedures to ensure
    evidence is not compromised, only to find nothing.
    On the other hand, you extract/recover some data on a simple case - to find
    it explodes into a serious investigation resulting in court.
    
    Therefore if you miss out procedures 1 and 2, skipping to procedure 3 to
    recover data - and then find something serious,  all the evidence could now
    be compromised.
    
    
    "Kurt Seifried" <btat_private>
    06/05/2003 21:20
    Please respond to "Kurt Seifried"
    
    To: <jasoncat_private>, "Kruse, Warren G, II (Warren)" <wgkruseat_private>, 'Matías Bevilacqua-Brechbühler Trabado' <mbevilacquaat_private>, "'Jonathan A. Zdziarski'" <jonathanat_private>, "'yannick'san'" <yannicksanat_private>, "'William Cimo'" <wcimoat_private-vegas.nv.us>, <forensicsat_private>
    cc:
    Subject: Re: Computer Forensics
    
    
    One potentially dangerous thing I see developing with this effort is the
    assumption most people seem to be making that the forensics
    procedure/technology must withstand legal scrutiny, i.e. under a court of
    law. This is not always the case. Many sites will want to execute computer
    forensics for other reasons, such as recovering data, finding out why a
    server crashed badly, and people who want to gather that data but do not
    need or want to pursue legal sanctions against the other party (i.e.
    companies running regular checks on systems to detect anomalous behaviour,
    a suspicious spouse, a concerned parent, etc.).
    
    I feel it is important to remember that not everyone has the same
    legal/technical requirements for computer forensics and that the guide
    should reflect this. I.e. offer a set of options/recommendations (do steps
    3 through 7 to recover the data. do steps 1 through 2 and 8 through 10 to
    recover the data in a fashion that is more likely to withstand legal
    examination).
    
    
    Kurt Seifried, kurtat_private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Sun May 11 2003 - 09:23:40 PDT