Sector by Sector image, and again as Robert said write-protections should be in place, unless you want a lawyer basically shooting a big hole in your chain of evidence/custody that is required to even get the evidence in a court of law. Best to leave the Forensics to a reputable out-sourced company that does it all the time. (They have the tools, and experience in dealing with chain of evidence, proper techniques, and going to court to explain what they have found and how it's material to the case.)

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: Kennedy, Jim [mailto:[email protected]]
Sent: Thursday, June 09, 2011 2:22 PM
To: NT System Admin Issues
Subject: RE: RE: RE: windows 7 forensics

Boot it from a CD and image it then do your poking around.

From: Jonathan [mailto:[email protected]]
Sent: Thursday, June 09, 2011 2:15 PM
To: NT System Admin Issues
Subject: Re: RE: RE: windows 7 forensics

understand and agree. However, if the boss says, "do it anyway," what approach would you use?

Jonathan
A+, MCSA, MCSE

Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings.

On Jun 9, 2011 2:07 PM, "John Cook" <[email protected]> wrote:
> Honestly, I would (if possible) pull the machine out from under the user (make up some excuse about warranty issue or something), wrap it in tape so the case can't be cracked and have someone sign it and date it for future reference.
>
> From: Jonathan [mailto:[email protected]]
> Sent: Thursday, June 09, 2011 1:56 PM
> To: NT System Admin Issues
> Subject: Re: RE: windows 7 forensics
>
> Good points from all of you. I don't know that a third party will be brought in at all, but want to be prepared in case it does turn into something bigger, which is why I asked the list.
>
> What would you guys recommend for cloning for this purpose? The last thing I used was Ghost, but have used dfsee and others...
>
> Jonathan
> A+, MCSA, MCSE
>
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings.
>
> On Jun 9, 2011 1:45 PM, "John Cook" <[email protected]> wrote:
>> The second you log on as an Admin files have changed. If there are Legal discoveries then the evidence is tainted. Forensic specialists clone the HD with a special setup and do discovery on the clone thus preserving the original for evidence.
>>
>> From: Jonathan Link [mailto:[email protected]]
>> Sent: Thursday, June 09, 2011 1:31 PM
>> To: NT System Admin Issues
>> Subject: Re: windows 7 forensics
>>
>> Some alarm bells are going off. If there's a professional service involved, why are you doing anything? Have you asked them what they would suggest so you could do your own analysis?
>>
>> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan <[email protected]> wrote:
>>
>> for those of you who do not have content filtering in place, when someone asks you to analyze a computer to figure out where they've been, what software to use?
>>
>> I've used iehist to examine index.dat files but I'm wondering if there is anything better that's come out since I haven't done this in a year or two.
>>
>> free is preferable, but I need to be able to preserve the system as it is for potential "professional" forensic analysis in addition to my own analysis.
>>
>> Jonathan
>> A+, MCSA, MCSE
>>
>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings.
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to [email protected]
>> with the body: unsubscribe ntsysadmin
>>
>> ________________________________
>> CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties.
>> Consider the environment. Please don't print this e-mail unless you really need to.
>>
>> This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments.
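The acquisition step the thread keeps coming back to (boot from other media, take a sector-by-sector image with the source held read-only, and record hashes so a third party can later show the copy is faithful), as an added example that is not from any poster on the list. It assumes a Linux boot-CD environment with dd, sha256sum, mktemp and optionally blockdev; the device paths and the EXAMINER variable are placeholders chosen here, and the demo's sample "disk" is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Linux live/boot CD
# environment with dd, sha256sum, mktemp and (optionally) blockdev.
# Device and file paths below are placeholders, not real evidence.

# acquire_image SOURCE DEST LOG
# Copies SOURCE sector by sector (bs=512, carrying on past read errors
# and zero-filling unreadable sectors), hashes source and image, and
# appends one custody record to LOG. Succeeds only if the image hash
# matches the source hash and the source hash did not change.
acquire_image() {
    src="$1"; dest="$2"; log="$3"
    # Software read-only flag on a block device; a hardware write-blocker
    # is still the control an examiner expects for court-bound evidence.
    if [ -b "$src" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --setro "$src" || return 1
    fi
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    src_after=$(sha256sum "$src" | cut -d' ' -f1)   # source untouched?
    printf '%s | source=%s | image=%s | sha256(src)=%s | sha256(img)=%s | examiner=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dest" \
        "$src_hash" "$img_hash" "${EXAMINER:-unknown}" >> "$log"
    [ "$src_hash" = "$img_hash" ] && [ "$src_hash" = "$src_after" ]
}

# verify_image IMAGE LOG
# Re-hashes IMAGE and compares it with the digest recorded at acquisition,
# which is the check a third party repeats before trusting the copy.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep -F -- "image=$img |" "$log" | tail -n 1 |
        sed 's/.*sha256(img)=\([0-9a-f]*\).*/\1/')
    [ -n "$recorded" ] && [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$recorded" ]
}

# demo: runs the flow on a constructed 8-sector (4096-byte) sample "disk"
# so it can be exercised without a real device. Returns 0 on success.
demo() {
    d=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$d/evidence.bin" bs=512 count=8 2>/dev/null
    acquire_image "$d/evidence.bin" "$d/evidence.dd" "$d/custody.log" || return 1
    verify_image "$d/evidence.dd" "$d/custody.log"
}
```

On a real system SOURCE is the whole device (for example a placeholder like /dev/sdX, not a partition) and the custody log is kept alongside the image; any later change to the image makes verify_image fail.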
