Hopkins, Joshua wrote:
[ ... ]
> I found that a login script was placed into the admin account for that machine and the script erased the evidence. I was able to copy some files over the network before I took the computer into custody. What tools are out there that can really be helpful in monitoring/forensics?

Considering how cheap basic RAID-1 mirroring for IDE drives is, you might think about setting up all of your machines with two disks in a mirror. When you want to examine a machine without risking the problem you encountered, break the RAID-1 mirror before starting up the OS.
If you're really worried, or if you'd really like to make sure evidence stays intact, you can even take one disk out and add a write-protect jumper before investigating the system.
-Chuck
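The pulled-disk approach above still needs a record that the disk was not altered once it left the mirror. The following script is an added example, not code from the thread: it acquires the removed member read-only, images it, hashes source and image, and lets you re-check the image later. It assumes GNU coreutils (dd, sha256sum) and util-linux blockdev; the function names, the `.sha256` sidecar file and the `/dev/sdb` path in the usage line are illustrative choices, not anything Chuck or Joshua described.

```shell
#!/bin/sh
# Added example (not from the original thread): acquire one member pulled from
# a RAID-1 mirror without writing to it, and record hashes so the examination
# can later be shown not to have touched the evidence.
# Assumes: POSIX sh, GNU dd and sha256sum, blockdev (only used on block devices).
set -eu

# acquire_readonly SRC DST
#   SRC: the pulled mirror member (e.g. /dev/sdb), or any file for a dry run.
#   DST: path for the raw image; DST.sha256 receives the hashes of both.
# Prints the SHA-256 of the image on stdout; fails if image and source differ.
acquire_readonly() {
    src=$1
    dst=$2
    # For a real disk, have the kernel refuse writes before anything else runs
    # (a software counterpart to the write-protect jumper). Files have no such flag.
    if [ -b "$src" ]; then
        blockdev --setro "$src"
    fi
    # Plain dd keeps the image byte-identical to the source so the hashes match.
    # (conv=noerror,sync is only for failing drives, and then the hashes will differ.)
    dd if="$src" of="$dst" bs=1M 2>/dev/null
    chmod a-w "$dst"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    printf '%s  source=%s\n%s  image=%s\n' \
        "$src_hash" "$src" "$dst_hash" "$dst" > "$dst.sha256"
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "hash mismatch: image does not match source" >&2
        return 1
    fi
    printf '%s\n' "$dst_hash"
}

# verify_image DST
#   Re-hashes the image and compares with the value recorded at acquisition.
#   Returns 0 if unchanged, 1 if the image was modified afterwards.
verify_image() {
    dst=$1
    recorded=$(grep 'image=' "$dst.sha256" | cut -d' ' -f1)
    current=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# Usage (hypothetical paths): sh acquire.sh /dev/sdb /evidence/sdb.img
if [ "$#" -eq 2 ]; then
    acquire_readonly "$1" "$2"
fi
```

Run it as root against the removed member before mounting anything from it; keep the `.sha256` file with the image and re-run `verify_image` whenever the image changes hands.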