There are a lot of corps that need to read this and take it to heart - but 
particularly DELL - 

http://docs.media.bitpipe.com/io_25x/io_25805/item_399595/19613_WhyPerformanceMatters_WP.pdf

Shauna Hensala






Date: Thu, 9 Jun 2011 14:01:09 -0400
Subject: Re: RE: windows 7 forensics
From: [email protected]
To: [email protected]

If there's a chance it turns into something bigger, I'd hold off doing 
anything.  I'd unplug the computer and lock it in a safe and leave it alone. I'd 
talk to your superiors about being able to maintain the integrity of the 
machine being paramount if they think that this will involve litigation or be 
referred for criminal prosecution.  Once you have authoritative guidance on 
what you're allowed to do I'd do it.  Even if it means you have to pay the 
professional for a clone you can access, I think that it would be worth it.
 

 On Thu, Jun 9, 2011 at 1:55 PM, Jonathan <[email protected]> wrote:

Good points from all of you. I don't know that a third party will be brought in 
at all, but want to be prepared in case it does turn into something bigger, 
which is why I asked the list.
What would you guys recommend for cloning for this purpose? The last thing I 
used was Ghost, but have used dfsee and others...
Jonathan A+, MCSA, MCSE
Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon 
network. Please excuse brevity and any misspellings.
On Jun 9, 2011 1:45 PM, "John Cook" <[email protected]> wrote:
> The second you log on as an Admin files have changed. If there are Legal 
> discoveries then the evidence is tainted. Forensic specialists clone the HD 
> with a special setup and do discovery on the clone thus preserving the 
> original for evidence.


> 
> From: Jonathan Link [mailto:[email protected]]
> Sent: Thursday, June 09, 2011 1:31 PM
> To: NT System Admin Issues
> Subject: Re: windows 7 forensics


> 
> Some alarm bells are going off.  If there's a professional service involved, 
> why are you doing anything?  Have you asked them what they would suggest so 
> you could do your own analysis?
> 
> 


> 
> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan 
> <[email protected]<mailto:[email protected]>> wrote:

> 
> For those of you who do not have content filtering in place, when someone 
> asks you to analyze a computer to figure out where they've been, what software 
> to use?
> 
> I've used iehist to examine index.dat files but I'm wondering if there is 
> anything better that's come out since I haven't done this in a year or two.
> 
> Free is preferable, but I need to be able to preserve the system as it is for 
> potential "professional" forensic analysis in addition to my own analysis.


> 
> Jonathan A+, MCSA, MCSE
> 
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the 
> Verizon network. Please excuse brevity and any misspellings.
> 
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~


> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> 
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/


> or send an email to 
> [email protected]<mailto:[email protected]>


> with the body: unsubscribe ntsysadmin
> 
> 
> 


> 


