In those types of situations, I usually walk into the company unknown to most. Someone with IT typically picks up the person's computer, informing them that it is needed for a couple of hours to perform an upgrade of some hardware (memory) or software (anti-virus). Then I have the time to perform the work.

I have not used P2V, so I'm not sure of its capabilities or what it may do to alter the system. But just because an application alters a system does not mean that the evidence is inadmissible. A lot of applications used for remote imaging merely dump themselves into memory. All interactions are kept to memory, so nothing changes on the hard drive. Will it add an entry to the registry (UserAssist keys) or to the Prefetch folder? Possibly. But just like you should not take for granted that write-blocking devices truly protect a hard drive, you should test this application and understand what it does and does not alter. Even if the application makes alterations to a hard drive, will it add a pornographic file, adjust fraudulent transactions or wipe away the file that says "I didn't do it"? No, it won't. Understand what your application and process do, and you can accomplish the task at hand in a way that is admissible in court.

Greg Kelley, EnCE, DFCP
Vestige, Ltd
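Greg's advice to test the tool and know exactly what it alters can be turned into a repeatable check. As an added example (not from either poster), this Python script hashes every file in a tree before and after a tool runs and reports what was added, removed or modified; the directory tree and the "tool" that drops a Prefetch entry and touches a user hive are constructed stand-ins, not a real acquisition product.

```python
"""Baseline-and-compare check for a live-acquisition tool's footprint.

Added example: snapshot every file under a tree before and after running
a tool, then diff the snapshots. The tree and the tool are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each relative file path to (sha256, size) for every file under root."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (digest, path.stat().st_size)
    return state


def diff_snapshots(before, after):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def simulated_tool_run(root):
    """Constructed stand-in for a tool that leaves a Prefetch entry and writes to a hive."""
    Path(root, "Windows", "Prefetch", "IMAGER.EXE-1234ABCD.pf").write_bytes(b"pf")
    with open(Path(root, "Users", "case", "NTUSER.DAT"), "ab") as fh:
        fh.write(b"UserAssist")  # mimics a new UserAssist entry being recorded


def run_footprint_check():
    """Build a constructed tree, snapshot it, run the tool, and diff the result."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "Windows", "Prefetch").mkdir(parents=True)
        Path(root, "Users", "case").mkdir(parents=True)
        Path(root, "Users", "case", "notes.txt").write_text("evidence file")
        Path(root, "Users", "case", "NTUSER.DAT").write_bytes(b"hive")
        before = snapshot(root)
        simulated_tool_run(root)
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in run_footprint_check().items():
        print(kind, paths)
```

Run against a real tool by snapshotting a test system's mounted volume before and after acquisition; anything in the "modified" list that is user data rather than OS housekeeping is what you need to be able to explain.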
-----Original Message-----
From: listbou...@securityfocus.com on behalf of solefar...@gmail.com
Sent: Tue 2/15/2011 10:13 AM
To: forensics@securityfocus.com
Cc:
Subject: P2V - Live Forensics

Ladies, Gentlemen, and otherwise:

I have a situation whereby I need to obtain an image of an individual's laptop suitable for potential prosecution in a US court; however, I only have a limited window in which to grab the image, and was looking for alternatives in order to not "spook" the poor guy or his co-workers, who would no doubt tell him about me as I go into his office and randomly image his drive! I thought about using P2V (Physical to Virtual), but realize that such software does take some steps to alter the system and thus may face court challenges. Is there a possibility that such could be explained in court, or perhaps an md5 hash of his files (not the disk image) taken while online and then compared to a virtual image of sorts?

Please advise, and I'm thinking of sending the winning submission a beer or two or some other minor token of appreciation.

-----------------------------------------------------------------
Certify Software Integrity - thawte Code Signing Certificates
This guide will show you how Code Signing Certificates are used to secure code that can be downloaded from the Internet. You will also learn how these certificates operate with different software platforms.
http://www.dinclinx.com/Redirect.aspx?36;5000;25;1371;0;2;946;005be7f5c872ea1f
-----------------------------------------------------------------