@solefarmer: It's been a while since forensics were my daily grind, but I have some thoughts...
Are you a member of the subject's organization? i.e. same company or agency? If so, your best immediate approach may be going over the wire with AccessData Enterprise (FTK) or a similar tool.

* Cost justification: It's happened once, it'll happen again. Once the agent is installed, the subject is available 24x7.
* Court explanation: AccessData installs an agent that reads the drive. It is its sole function, and cannot be used to move files onto the target.
* MD5 hash option: If it were me, I wouldn't use that as a foundation for testimony. In order to get a file MD5, you have to touch it - right? That is harder to explain away than a remote agent imaging the entire drive.

If you're not part of the subject's organization, or cannot influence purchase of a network tool, it will depend on expanding that time window. Fire drill? Trouble ticket? "Audit" all laptops in the dept in the Help Desk back room? Have the boss invite the whole gang to a long lunch?

Shannon

Disclaimer: The opinions and views expressed are solely those of the sender. The sender's organization makes no claim as to accuracy, efficacy or reliability.

-----Original Message-----
From: listbou...@securityfocus.com [mailto:listbou...@securityfocus.com] On Behalf Of solefar...@gmail.com
Sent: Tuesday, February 15, 2011 9:14 AM
To: forensics@securityfocus.com
Subject: P2V - Live Forensics

Ladies, Gentlemen, and otherwise:

I have a situation whereby I need to obtain an image of an individual's laptop suitable for potential prosecution in a US court; however, I only have a limited window in which to grab the image, and was looking for alternatives in order to not "spook" the poor guy or his co-workers, who would no doubt tell him about me as I go into his office and randomly image his drive! I thought about using P2V (Physical to Virtual), but realize that such software does take some steps to alter the system and thus may face court challenges.
Is there a possibility such could be explained in court, or perhaps an MD5 hash of his files (not the disk image) taken while online and then compared to a virtual image of sorts? Please advise, and I'm thinking of sending the winning submission a beer or two or some other minor token of appreciation.
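The "hash the files while he is online, then compare against an image" option raised in the original post, and Shannon's objection that hashing means touching every file, can both be made concrete. The script below is an added example for this thread, not code from either poster or from AccessData: it walks a tree on the live host, records MD5 and SHA-256 per file together with the atime before and after the read (so the examiner's own footprint is on the record rather than discovered later), seals the manifest with a digest, and diffs it against a second manifest taken from the mounted image. The sample tree, file names and contents in demo() are constructed for illustration; whether atime actually changes depends on the filesystem's mount options (noatime/relatime), which is exactly why it is recorded rather than assumed.

```python
"""Hash manifest of a live file tree, sealed and diffed against an image.

Added example for this thread (not either poster's code). Assumes only
POSIX file access via os/hashlib; the sample tree in demo() is constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: large files need not fit in memory


def hash_file(path):
    """Return (md5, sha256) hex digests, reading the file exactly once."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def build_manifest(root):
    """Record hashes plus size/mtime per regular file under `root`.
    atime is captured before and after our read so the examiner's own
    access to the file is documented, not left to be found by the defence."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks/devices: hash what is actually on disk
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            before = os.stat(full)
            md5, sha = hash_file(full)
            after = os.stat(full)  # shows whether the read itself touched atime
            entries[rel] = {
                "md5": md5,
                "sha256": sha,
                "size": before.st_size,
                "mtime_ns": before.st_mtime_ns,
                "atime_before_ns": before.st_atime_ns,
                "atime_after_ns": after.st_atime_ns,
            }
    return {
        "root": os.path.abspath(root),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def manifest_digest(manifest):
    """SHA-256 over canonical JSON of the entries: write this in your notes
    so the manifest itself can later be shown unaltered."""
    canon = json.dumps(manifest["files"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def compare_manifests(live, image):
    """Paths present in only one manifest, and paths whose content differs."""
    lf, imf = live["files"], image["files"]
    common = set(lf) & set(imf)
    return {
        "only_in_live": sorted(set(lf) - set(imf)),
        "only_in_image": sorted(set(imf) - set(lf)),
        "changed": sorted(p for p in common if lf[p]["sha256"] != imf[p]["sha256"]),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample: a 'live' tree and an 'image' copy that differ in
    one edited file and one file only present on the live host."""
    with tempfile.TemporaryDirectory() as live_root, \
            tempfile.TemporaryDirectory() as image_root:
        for root in (live_root, image_root):
            _write(root, "a.txt", b"hello")
        _write(live_root, "docs/b.txt", b"world")
        _write(live_root, "docs/extra.txt", b"only on the live host")
        _write(image_root, "docs/b.txt", b"world!")  # content changed in image
        live = build_manifest(live_root)
        image = build_manifest(image_root)
        return compare_manifests(live, image), live, manifest_digest(live)


if __name__ == "__main__":
    diff, live, seal = demo()
    print(json.dumps(diff, indent=2))
    print("manifest digest:", seal)
    for rel, e in live["files"].items():
        touched = e["atime_after_ns"] != e["atime_before_ns"]
        print(f"{rel}: md5={e['md5']} atime changed by hashing: {touched}")
```

Running it prints which files differ between the two trees and, per file, whether the hashing read changed atime on that filesystem. Hashes are deterministic, so the `changed` list is meaningful regardless; the atime fields are the part that supports (or rebuts) the "you have to touch it" objection for the specific machine in question.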