I would back up the use of the EnCase and TASK toolkits. @stake have some good stuff too (www.atstake.com, look for the latest tool download). Also, BackByte is an excellent tool. Well, it works for me :)
Also, on the point of copying files over the network first, correct me if I'm wrong but that damages the chain of evidence. Have a look at the link below; it goes about it a bit long-winded but essentially shows how to clone a hard drive over a network connection. This can be done with Windows machines, as dd and netcat can be run from floppy on a Windows machine. Never install anything on a disk that is being investigated as part of that investigation; run it from floppy. Then analyse the clone. I have the details of cloning a Windows machine with dd and netcat if you need them, just can't find the link at the moment.

http://www.rajeevnet.com/hacks_hints/os_clone/os_cloning.html

Hope this helps. By the way, don't forget to note your MD5 signature before working on clones.

Trevor Cushen
Sysnet Ltd
www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499

-----Original Message-----
From: H C [mailto:[EMAIL PROTECTED]]
Sent: 17 February 2003 13:18
To: [EMAIL PROTECTED]
Subject: re: tools used to examine a computer

Joshua,

> I was able to copy some files over the network before I
> took the computer into custody. What tools are out there
> that can really be helpful in monitoring/forensics.

It really depends on what you want to do. As far as forensics goes, there have been some good recommendations, from EnCase and commercial tools to freeware such as TCT, Autopsy, and TASK.

If the system you're working with is Windows (NT/2K/XP), there are plenty of things you can do. You can collect a great deal of volatile information from the system (processes, ports, process-to-port mappings, etc.) with a wide variety of freeware tools. Grabbing that information and analyzing it can tell you what, if anything, is wrong with the system.
Pslist, handle, and listdlls from SysInternals, fport from Foundstone, and the native netstat can be used, and then procdmp.pl from http://patriot.net/~carvdawg can be used to consolidate the process information out into an HTML file (example output file: http://patriot.net/~carvdawg/pd.html).

HTH
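The consolidation step H C describes (join the process list with the port list so every socket has an owning image name), as an added example that is not procdmp.pl and not code from either poster. It parses the two native Windows snapshots, `netstat -ano` and `tasklist /FO CSV`, on constructed sample output; the field layouts are those of XP/2003 (the `-o` PID column of netstat does not exist on NT4/2000, where fport is what gives you the process-to-port mapping). The report format and the "socket owner not in process list" flag are this example's own choices, not something the thread specifies.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of "netstat -ano" output (XP/2003 layout). Not captured
# from a real incident; PID 2300 is deliberately absent from the process list.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1034      10.1.1.1:4444          ESTABLISHED     1688
  TCP    192.168.1.10:1041      10.1.1.1:80            ESTABLISHED     2300
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of "tasklist /FO CSV" output from the same machine.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","884","Console","0","5,228 K"
"svc.exe","1688","Console","0","1,912 K"
"""


def parse_netstat_ano(text):
    """Return one dict per connection row. UDP rows have no State column,
    so they split into 4 fields instead of 5."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        if len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from tasklist's CSV output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in reader}


def consolidate(netstat_text, tasklist_text):
    """Join the two snapshots on PID. A PID that owns a socket but has no
    tasklist entry is flagged: the process may have exited between the two
    commands, or the process list is not telling the whole story. Either way
    it is something to look at, not a verdict."""
    images = parse_tasklist_csv(tasklist_text)
    by_pid = defaultdict(lambda: {"image": None, "connections": [], "flag": ""})
    for row in parse_netstat_ano(netstat_text):
        entry = by_pid[row["pid"]]
        entry["image"] = images.get(row["pid"])
        entry["connections"].append(row)
        if entry["image"] is None:
            entry["flag"] = "socket owner not in process list"
    return dict(by_pid)


def render_report(mapping):
    """Plain-text report, one line per socket (procdmp.pl writes HTML)."""
    lines = ["PID    Image          Proto Local                  Foreign               State"]
    for pid in sorted(mapping):
        e = mapping[pid]
        for c in e["connections"]:
            lines.append(f"{pid:<6} {e['image'] or '?':<14} {c['proto']:<5} "
                         f"{c['local']:<22} {c['foreign']:<21} {c['state']:<11} {e['flag']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(consolidate(NETSTAT_SAMPLE, TASKLIST_SAMPLE)))
```

Run both commands back to back from your own trusted media and save their raw output alongside the report; the raw text is the evidence, the consolidated view is just the reading aid.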
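The dd-over-netcat cloning Trevor describes, and his "note your MD5 before working on clones" step, as an added example that is not from the thread or from the linked page. It is a Python stand-in for the two halves of that pipeline so it runs offline: the suspect side opens the source read-only and streams it in dd-sized blocks over a TCP socket (the `dd if=... | nc HOST PORT` half), the acquisition side writes whatever arrives to an image file (the `nc -l -p PORT > disk.dd` half), and MD5 is taken on the bytes sent, the bytes received, and the finished file. A regular file on the loopback interface stands in for the physical drive and the acquisition LAN; the names and the sample image are this example's own.

```python
import hashlib
import os
import socket
import tempfile
import threading

# dd-style block size: 64 KiB per read/write, as with "dd bs=64k".
BLOCK_SIZE = 64 * 1024


def md5_file(path):
    """Hash a file in blocks, the way you would md5sum an image before and after work."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def receive_image(listener, dst_path, result):
    """Acquisition side: the equivalent of 'nc -l -p PORT > disk.dd'."""
    conn, _ = listener.accept()
    h = hashlib.md5()
    written = 0
    with conn, open(dst_path, "wb") as out:
        while True:
            chunk = conn.recv(BLOCK_SIZE)
            if not chunk:          # peer shut down its write side: image complete
                break
            out.write(chunk)
            h.update(chunk)
            written += len(chunk)
    result["bytes_received"] = written
    result["clone_md5"] = h.hexdigest()


def send_image(src_path, host, port):
    """Suspect side: the equivalent of 'dd if=<device> | nc HOST PORT'.
    The source is opened read-only and nothing is written on the suspect disk."""
    h = hashlib.md5()
    sent = 0
    with open(src_path, "rb") as src, socket.create_connection((host, port)) as sock:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            sock.sendall(chunk)
            h.update(chunk)
            sent += len(chunk)
        sock.shutdown(socket.SHUT_WR)  # EOF marker for the receiver
    return sent, h.hexdigest()


def clone_over_network(src_path, dst_path):
    """Run receiver and sender against each other over loopback and return
    the byte counts and hashes from every vantage point."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # ephemeral port; a real run uses a fixed port on an isolated LAN
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    t = threading.Thread(target=receive_image, args=(listener, dst_path, result))
    t.start()
    sent, src_md5 = send_image(src_path, "127.0.0.1", port)
    t.join()
    listener.close()
    result.update(bytes_sent=sent, source_md5=src_md5)
    # Independent re-hash of the clone on disk: this is the value you record
    # before any analysis tool touches the image.
    result["clone_md5_on_disk"] = md5_file(dst_path)
    result["verified"] = (
        result["bytes_sent"] == result["bytes_received"]
        and result["source_md5"] == result["clone_md5"] == result["clone_md5_on_disk"]
    )
    return result


def make_sample_image(path, size):
    """Constructed stand-in for a physical disk: a repeating 0..255 byte
    pattern of 'size' bytes, sized so the final block is partial."""
    pattern = bytes(range(256))
    with open(path, "wb") as f:
        remaining = size
        while remaining > 0:
            chunk = pattern[: min(remaining, len(pattern))]
            f.write(chunk)
            remaining -= len(chunk)


def demo():
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect_disk.bin")
        dst = os.path.join(d, "clone.dd")
        make_sample_image(src, 3 * BLOCK_SIZE + 12345)
        result = clone_over_network(src, dst)
        result["source_md5_on_disk"] = md5_file(src)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats for anyone reproducing this with the real tools. netcat has no integrity check of its own, so a dropped connection simply yields a short image; compare byte counts and hashes on both ends, as above, rather than trusting that the transfer "finished". And MD5 is what this 2003 thread uses; collisions against it are practical today, so record a SHA-256 alongside it (hashlib.sha256 drops in for hashlib.md5 unchanged) if the image may end up in front of anyone who will challenge it.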