Good points from all of you. I don't know that a third party will be brought in at all, but want to be prepared in case it does turn into something bigger, which is why I asked the list.
What would you guys recommend for cloning for this purpose? The last thing I used was Ghost, but have used dfsee and others... Jonathan A+, MCSA, MCSE Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings. On Jun 9, 2011 1:45 PM, "John Cook" <john.c...@pfsf.org> wrote: > The second you log on as an Admin files have changed. If there are Legal discoveries then the evidence is tainted. Forensic specialists clone the HD with a special setup and do discovery on the clone thus preserving the original for evidence. > > From: Jonathan Link [mailto:jonathan.l...@gmail.com] > Sent: Thursday, June 09, 2011 1:31 PM > To: NT System Admin Issues > Subject: Re: windows 7 forensics > > Some alarm bells are going off. If there's a professional service involved, why are you doing anything? Have you asked them what they would suggest so you could do your own analysis? > > > > On Thu, Jun 9, 2011 at 1:24 PM, Jonathan <ncm...@gmail.com<mailto: ncm...@gmail.com>> wrote: > > for those of you you do not have content filtering in place, when someone asks you to analyze a computer to figure out where they've been what software to use? > > I've used iehist to examine index.dat files but I'm wondering if there is anything better thats come out since I haven't done this in a year or two. > > free is preferable, but I need to be able to preserve the system as it is for potential "professional" forensic analysis in addition to my own analysis. > > Jonathan A+, MCSA, MCSE > > Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings. > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com<mailto: listmana...@lyris.sunbeltsoftware.com> > with the body: unsubscribe ntsysadmin > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com<mailto: listmana...@lyris.sunbeltsoftware.com> > with the body: unsubscribe ntsysadmin > > ________________________________ > CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties. > Consider the environment. Please don't print this e-mail unless you really need to. > > This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
