Still get it in writing...
On Thu, Jun 9, 2011 at 2:48 PM, Jonathan <[email protected]> wrote:

> Turns out we have a lawyer on the executive team. My instructions are to
> clone and go from there.
>
> Jonathan A+, MCSA, MCSE
>
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
> Verizon network. Please excuse brevity and any misspellings.
>
> On Jun 9, 2011 2:37 PM, "John Cook" <[email protected]> wrote:
> > Get it in writing for CYA.
> >
> > From: Jonathan [mailto:[email protected]]
> > Sent: Thursday, June 09, 2011 2:15 PM
> > To: NT System Admin Issues
> > Subject: Re: RE: RE: windows 7 forensics
> >
> > Understand and agree. However, if the boss says, "do it anyway," what
> > approach would you use?
> >
> > Jonathan A+, MCSA, MCSE
> >
> > Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
> > Verizon network. Please excuse brevity and any misspellings.
> >
> > On Jun 9, 2011 2:07 PM, "John Cook" <[email protected]> wrote:
> >> Honestly, I would (if possible) pull the machine out from under the user
> >> (make up some excuse about warranty issue or something), wrap it in tape so
> >> the case can't be cracked and have someone sign it and date it for future
> >> reference.
> >>
> >> From: Jonathan [mailto:[email protected]]
> >> Sent: Thursday, June 09, 2011 1:56 PM
> >> To: NT System Admin Issues
> >> Subject: Re: RE: windows 7 forensics
> >>
> >> Good points from all of you. I don't know that a third party will be
> >> brought in at all, but want to be prepared in case it does turn into
> >> something bigger, which is why I asked the list.
> >>
> >> What would you guys recommend for cloning for this purpose? The last
> >> thing I used was Ghost, but have used dfsee and others...
> >>
> >> Jonathan A+, MCSA, MCSE
> >>
> >> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
> >> Verizon network. Please excuse brevity and any misspellings.
> >>
> >> On Jun 9, 2011 1:45 PM, "John Cook" <[email protected]> wrote:
> >>> The second you log on as an Admin, files have changed. If there are
> >>> Legal discoveries then the evidence is tainted. Forensic specialists clone
> >>> the HD with a special setup and do discovery on the clone, thus preserving
> >>> the original for evidence.
> >>>
> >>> From: Jonathan Link [mailto:[email protected]]
> >>> Sent: Thursday, June 09, 2011 1:31 PM
> >>> To: NT System Admin Issues
> >>> Subject: Re: windows 7 forensics
> >>>
> >>> Some alarm bells are going off. If there's a professional service
> >>> involved, why are you doing anything? Have you asked them what they would
> >>> suggest so you could do your own analysis?
> >>>
> >>> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan <[email protected]> wrote:
> >>>
> >>> For those of you who do not have content filtering in place, when
> >>> someone asks you to analyze a computer to figure out where they've been, what
> >>> software to use?
> >>>
> >>> I've used iehist to examine index.dat files but I'm wondering if there
> >>> is anything better that's come out since I haven't done this in a year or
> >>> two.
> >>>
> >>> Free is preferable, but I need to be able to preserve the system as it
> >>> is for potential "professional" forensic analysis in addition to my own
> >>> analysis.
> >>>
> >>> Jonathan A+, MCSA, MCSE
> >>>
> >>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
> >>> Verizon network. Please excuse brevity and any misspellings.
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
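
Added example, not part of the original thread or written by any of its participants: the thread's advice to analyse a clone and keep the original untouched only holds up if you can show the working copy is bit-identical to what was acquired, so this sketch records a SHA-256 and a dated custody entry for an image and shows that a single changed byte fails verification. The file names, the examiner value and the small stand-in "image" are constructed for the demonstration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory

def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def custody_record(image_path, examiner, note):
    """Build a dated record of the image exactly as it was acquired."""
    return {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "examiner": examiner,  # placeholder value in the demo below
        "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "note": note,
    }

def verify_against_record(path, record):
    """True only if the file still matches the recorded size and hash."""
    return (os.path.getsize(path) == record["size_bytes"]
            and sha256_file(path) == record["sha256"])

def demo():
    """Constructed demo: a small file stands in for the acquired disk image."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.img")
        working = os.path.join(d, "working.img")
        with open(original, "wb") as f:
            f.write(b"constructed sample sectors\n" * 4096)
        record = custody_record(original, "examiner-placeholder",
                                "acquired before any logon")
        with open(original, "rb") as src, open(working, "wb") as dst:
            dst.write(src.read())          # working copy used for analysis
        clean = verify_against_record(working, record)
        with open(working, "r+b") as f:    # simulate one byte changing
            f.seek(100)
            f.write(b"X")
        altered = verify_against_record(working, record)
        return clean, altered, record

if __name__ == "__main__":
    clean, altered, record = demo()
    print(json.dumps(record, indent=2))
    print("working copy matches:", clean, "| after one-byte change:", altered)
```

Keep the printed record with the signed and dated paperwork for the sealed machine, and re-run the verification on the working copy before and after each analysis session.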
