I was letting this discussion pass but a glaring error needs to be corrected.
"Good point. The correct use of terminology, particularly in an area as technical as this discussion, is important. When other, unusual terms and phrases, w/o an explanation, begin to be used, the discussion can quickly break down...there is no common ground on which to converse at that point. "Chain of custody" means something specific when talking about forensics..."chain of evidence" only has a specific meaning to the person using that phrase." Chain of custody certainly does mean something specific in the area of Forensics but more importantly in the area of law enforcement. Unfortunately what the discussions have been about have been the chain of evidence and the chain of custody has not been discussed at all here. Summary Chain of Evidence: The steps and actions taken to acquire the evidence (disk cloning, labeling etc per the discussion at hand) Chain of Custody: The list of people or persons who have held the evidence or handled the evidence (sign in/sign out procedures etc) Read some more just to prove it is not 'only specific to the person using the phrase' Chain of Evidence: http://www.dis.unimelb.edu.au/staff/atif/AhmadPACIS.pdf Chain of Custody: http://www.isaforensics.com/ISA_COC_Form.pdf More links for your perusal which you certainly should be reading http://web.mit.edu/net-security/Camp/2000/FORENSICS_MIT/FORENSICS_MIT.pp t http://www.lambsauto.com/insflyer.htm In the last part of this last link you will see the point repeated that I made earlier. Make sure your Chain of Evidence is not broken. Doing an inhouse forensics examination is fine if you have decided up front that the matter will not be going any further. If there is any possibility that the incident may lead to legal proceeding then make sure you are qualified to carry out an examination otherwise all evidence you touch is inadmissable. Once you alter the machine state in any way you have tampered. Computer Evidence is still largely considered hearsay in a court of law and can quickly be ruled out if your Chain of Evidence or Chain of Custody is in doubt. Trevor Cushen Sysnet Ltd www.sysnet.ie Tel: +353 1 2983000 Fax: +353 1 2960499 -----Original Message----- From: H C [mailto:[EMAIL PROTECTED] Sent: 20 February 2003 19:28 To: [EMAIL PROTECTED] Subject: RE: tools used to examine a computer > ...good points on processes, servies and the like. You > want to document those before you take down a machine > (workstation or server)anyway if you are able to. Again, it's quite easy to document this sort of thing, was well as a wide range of other data...it all simply has to be part of the methodology. Other areas of interest may include command history, clipboard contents, drivers (and their state), etc. Other non-volatile items that you may want to document prior to shut down include Registry key values, Registry key LastWrite times, etc. > It does not destroy chain of custody (which is the term > we should be using Good point. The correct use of terminology, particularly in an area as technical as this discussion, is important. When other, unusual terms and phrases, w/o an explanation, begin to be used, the discussion can quickly break down...there is no common ground on which to converse at that point. "Chain of custody" means something specific when talking about forensics..."chain of evidence" only has a specific meaning to the person using that phrase. > Key is proper FORENSIC PROCESSES are followed. If you > can document and you are not touching MODIFY or > CREATION dates then you are pretty much OK as long as > you document properly. Agreed. Even writing down the last access date in your notebook, and then copying the file, would be an appropriate process, under the right circumstances. I'd prefer to use a specific tool to extract those values, rather than running three separate 'dir' commands. __________________________________________________ Do you Yahoo!? Yahoo! Tax Center - forms, calculators, tips, more http://taxes.yahoo.com/ ************************************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this message in error please notify SYSNET Ltd., at telephone no: +353-1-2983000 or [EMAIL PROTECTED] **************************************************************************************
