IF you alter the files onthe machine they will not hold up in court. You must do a bit level back up which is normally done using a tool such as safeback, snapback, encase ,etc. You canuse Ghost if you have a certain switch set but I would not suggest it. Normally you must be physically present to do so. 1) DO not boot the machine or do a back up. You may destroy the files and evidence you need by doing so 2) Using an approved FORENSIC method/tool (safeback, snapback, encase, SOloMasster, etc. Make TWO forensic copies. 1 for them to put back in their machine and 1 for you to use as a back up to restore as many times as necessary if you are going drive to drive. If oyu are using a non-intrusive means of analysis such as encase then you can do analysis on this drive as long AS YOU KEEP THE ORIGINAL COPY IN CUSTODY. I always suggest and original and a forensic copy (unused) just in case a drive fails. Depending upon the cost (and potential loss), Ontrack can grabthe stuff remotely for you. Depends onwhat it's worth to your client. E-mail me off line for more info. I specialize in forensics. -----Original Message----- From: Greg Reber [mailto:greg.reberat_private] Sent: Wednesday, October 02, 2002 9:16 PM To: Andrew Fison; incidentsat_private Subject: RE: maybe a simple problem Andrew - if there is a suspicion that the client's machine has been compromised, they should stop using it and have you do some quick forensics. Back up files that they need, but not the whole HD. http://biatchux.dmzs.com/ is a great site for free forensics tools. -greg The information in this email is likely confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. -----Original Message----- From: Andrew Fison [mailto:afison@brit-tex.net] Sent: Wednesday, October 02, 2002 2:37 AM To: incidentsat_private Subject: maybe a simple problem I have a client who believes that thier win98 pc has been hacked with some remote control software. They are pretty vague and not close buy so i cannot look at the machine all the time. I asked them to do netstat when they think they are being spied on but as yet they have not given me anything useful. I think there is reason to believe them as the owner is involed in a hostile boardroom take over of his company by some other entities, whilst this is legal, they have used other underhand methods against my customer before and they are trying to force him to sign over the business to them a little too swiftly. this all started when his wife was suing the pc, and a telescop came on the screen and then disapeared, since then the machine crashes, documents pertaing to the business have gone missing etc, any clues to what this telescope could be? yours andrew ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ********************************************************************** This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender of the error immediately, do not read or use the communication in any manner, destroy all copies, and delete it from your system if the communication was sent via email. ********************************************************************** ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Oct 03 2002 - 23:23:28 PDT