+1000

It's as easy as an email to the principals stating:

-----
As discussed, I will be creating a cloned copy of drive with serial #xxxxxxx for use in our internal investigation.

Please confirm that you want me to lock the original in the safe, or provide it to legal before I continue.

Thanks!
-----

*ASB* (Professional Bio <http://about.me/Andrew.S.Baker/bio>)
Harnessing the Advantages of Technology for the SMB market...

On Thu, Jun 9, 2011 at 2:52 PM, Jonathan Link <jonathan.l...@gmail.com> wrote:

> Still get it in writing...
>
> On Thu, Jun 9, 2011 at 2:48 PM, Jonathan <ncm...@gmail.com> wrote:
>
>> Turns out we have a lawyer on the executive team. My instructions are to clone and go from there.
>>
>> Jonathan A+, MCSA, MCSE
>>
>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings.
>>
>> On Jun 9, 2011 2:37 PM, "John Cook" <john.c...@pfsf.org> wrote:
>> > Get it in writing for CYA.
>> >
>> > From: Jonathan [mailto:ncm...@gmail.com]
>> > Sent: Thursday, June 09, 2011 2:15 PM
>> > To: NT System Admin Issues
>> > Subject: Re: RE: RE: windows 7 forensics
>> >
>> > Understand and agree. However, if the boss says, "do it anyway," what approach would you use?
>> >
>> > Jonathan A+, MCSA, MCSE
>> >
>> > On Jun 9, 2011 2:07 PM, "John Cook" <john.c...@pfsf.org> wrote:
>> >> Honestly, I would (if possible) pull the machine out from under the user (make up some excuse about warranty issue or something) wrap it in tape so the case can't be cracked and have someone sign it and date it for future reference.
>> >>
>> >> From: Jonathan [mailto:ncm...@gmail.com]
>> >> Sent: Thursday, June 09, 2011 1:56 PM
>> >> To: NT System Admin Issues
>> >> Subject: Re: RE: windows 7 forensics
>> >>
>> >> Good points from all of you. I don't know that a third party will be brought in at all, but want to be prepared in case it does turn into something bigger, which is why I asked the list.
>> >>
>> >> What would you guys recommend for cloning for this purpose? The last thing I used was Ghost, but have used dfsee and others...
>> >>
>> >> Jonathan A+, MCSA, MCSE
>> >>
>> >> On Jun 9, 2011 1:45 PM, "John Cook" <john.c...@pfsf.org> wrote:
>> >>> The second you log on as an Admin files have changed. If there are Legal discoveries then the evidence is tainted. Forensic specialists clone the HD with a special setup and do discovery on the clone thus preserving the original for evidence.
>> >>>
>> >>> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
>> >>> Sent: Thursday, June 09, 2011 1:31 PM
>> >>> To: NT System Admin Issues
>> >>> Subject: Re: windows 7 forensics
>> >>>
>> >>> Some alarm bells are going off. If there's a professional service involved, why are you doing anything? Have you asked them what they would suggest so you could do your own analysis?
>> >>>
>> >>> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan <ncm...@gmail.com> wrote:
>> >>>
>> >>> For those of you who do not have content filtering in place, when someone asks you to analyze a computer to figure out where they've been, what software to use?
>> >>>
>> >>> I've used iehist to examine index.dat files but I'm wondering if there is anything better that's come out since I haven't done this in a year or two.
>> >>>
>> >>> Free is preferable, but I need to be able to preserve the system as it is for potential "professional" forensic analysis in addition to my own analysis.
>> >>>
>> >>> Jonathan A+, MCSA, MCSE