RE: RE: RE: windows 7 forensics

2011-06-10 Thread Joe Tinney
I've used and had fantastic results using the SIFT workstation from SANS 
Institute:
http://computer-forensics.sans.org/community/downloads/

I take a DD image of the drive and then develop a SUPER Timeline: 
http://computer-forensics.sans.org/blog/2010/03/19/digital-forensic-sifting-super-timeline-analysis-and-creation/

Works great, and the end result is a massive CSV file of all activity - NTFS, 
web, recent process launches, etc., and it is all time-sequenced. I've done this 
to track down where and when malware entry occurred on the system.

Good luck!

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Thursday, June 09, 2011 2:15 PM
To: NT System Admin Issues
Subject: Re: RE: RE: windows 7 forensics


understand and agree.  However, if the boss says, "do it anyway," what approach 
would you use?

Jonathan A+, MCSA, MCSE

Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon 
network. Please excuse brevity and any misspellings.

On Jun 9, 2011 2:07 PM, "John Cook" <john.c...@pfsf.org> wrote:
> Honestly, I would (if possible) pull the machine out from under the user 
> (make up some excuse about warranty issue or something) wrap it in tape so 
> the case can't be cracked and have someone sign it and date it for future 
> reference.
>
> From: Jonathan [mailto:ncm...@gmail.com]
> Sent: Thursday, June 09, 2011 1:56 PM
> To: NT System Admin Issues
> Subject: Re: RE: windows 7 forensics
>
>
> Good points from all of you. I don't know that a third party will be brought 
> in at all, but want to be prepared in case it does turn into something 
> bigger, which is why I asked the list.
>
> What would you guys recommend for cloning for this purpose? The last thing I 
> used was Ghost, but have used dfsee and others...
>
> Jonathan A+, MCSA, MCSE
>
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the 
> Verizon network. Please excuse brevity and any misspellings.
>
> On Jun 9, 2011 1:45 PM, "John Cook" <john.c...@pfsf.org> wrote:
>> The second you log on as an Admin files have changed. If there are Legal 
>> discoveries then the evidence is tainted. Forensic specialists clone the HD 
>> with a special setup and do discovery on the clone thus preserving the 
>> original for evidence.
>>
>> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
>> Sent: Thursday, June 09, 2011 1:31 PM
>> To: NT System Admin Issues
>> Subject: Re: windows 7 forensics
>>
>> Some alarm bells are going off. If there's a professional service involved, 
>> why are you doing anything? Have you asked them what they would suggest so 
>> you could do your own analysis?
>>
>>
>>
>> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan <ncm...@gmail.com> wrote:
>>
>> for those of you who do not have content filtering in place, when someone 
>> asks you to analyze a computer to figure out where they've been, what 
>> software do you use?
>>
>> I've used iehist to examine index.dat files but I'm wondering if there is 
>> anything better that's come out, since I haven't done this in a year or two.
>>
>> free is preferable, but I need to be able to preserve the system as it is 
>> for potential "professional" forensic analysis in addition to my own 
>> analysis.
>>
>> Jonathan A+, MCSA, MCSE
>>
>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the 
>> Verizon network. Please excuse brevity and any misspellings.
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here: 
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> with the body: unsubscribe ntsysadmin

Re: RE: RE: windows 7 forensics

2011-06-10 Thread Andrew S. Baker
>> I don't know if write blocking devices for USB flash drives exist on the
>> market, but technologically there's no reason they couldn't.

Yes, they do.

http://www.siliconforensics.com/ps-135-2-read-only-write-protect-usb-media-card-reader.aspx


*ASB* (Professional Bio)
Harnessing the Advantages of Technology for the SMB market...




On Fri, Jun 10, 2011 at 7:33 AM, Ben Scott  wrote:

> On Thu, Jun 9, 2011 at 8:43 PM, Jonathan  wrote:
> >> ... avoid MS Windows, as it has a tendency to want to write to
> >> the disk ... Me, I'd boot a rescue Linux system ... devices that
> >> plug between the hard drive and the host adapter, and block all write
> >> commands ...
> >
> > Next question - what about USB flash drive forensics?
>
>   Basically the same.  Make an image.  Make sure nothing writes to the
> original.  I don't know if write blocking devices for USB flash drives
> exist on the market, but technologically there's no reason they
> couldn't.
>
> -- Ben
>


Re: RE: RE: windows 7 forensics

2011-06-10 Thread Ben Scott
On Thu, Jun 9, 2011 at 8:43 PM, Jonathan  wrote:
>> ... avoid MS Windows, as it has a tendency to want to write to
>> the disk ... Me, I'd boot a rescue Linux system ... devices that
>> plug between the hard drive and the host adapter, and block all write
>> commands ...
>
> Next question - what about USB flash drive forensics?

  Basically the same.  Make an image.  Make sure nothing writes to the
original.  I don't know if write blocking devices for USB flash drives
exist on the market, but technologically there's no reason they
couldn't.

-- Ben



RE: RE: RE: windows 7 forensics

2011-06-09 Thread Level 5 Lists
There are a lot of things to consider. The first being chain of custody: the 
pulling of the PC with 2 people, and then certifying that it hasn't been 
tampered with, is your primary requirement.
After that I would let the real boys handle it (3rd party/legal team, etc.).

I went through something similar with a company who found an employee using AOL 
with child porn videos (not for sale or anything I guess). The FBI came in and 
everything, and I learned a lot during that process (he went to jail for 10 
years FWIW). They worked up a huge document discussing the file timestamps, the 
A/V, spyware, the temp file locations, the history of different video viewing 
apps in the registry.

This was all done with a ghosted copy of the drive to preserve the original as 
evidence.

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Thursday, June 09, 2011 8:44 PM
To: NT System Admin Issues
Subject: Re: RE: RE: windows 7 forensics

forgot to include the link:

http://www.ssddfj.org/papers/SSDDFJ_V1_1_Bem_Huebner.pdf

Jonathan
On Thu, Jun 9, 2011 at 8:43 PM, Jonathan <ncm...@gmail.com> wrote:
Thanks again for the input.

Next question - what about USB flash drive forensics? I briefly scanned the 
first part of this article, albeit from 2007.

Would what you describe below still be valid for a USB flash drive?

Thanks,

Jonathan

On Thu, Jun 9, 2011 at 6:42 PM, Ben Scott <mailvor...@gmail.com> wrote:
On Thu, Jun 9, 2011 at 2:15 PM, Jonathan <ncm...@gmail.com> wrote:
> understand and agree.  However, if the boss says, "do it anyway," what
> approach would you use?
 I would avoid MS Windows, as it has a tendency to want to write to
the disk without asking.  (Due to things like updating the MBR for
various weird reasons ("disk signatures", etc.), auto-mount of
anything that looks like NTFS, etc.).

 Me, I'd boot a rescue Linux system (I like SysRescueCD) and use "dd
if=/dev/foo of=/mnt/bar/image", where "foo" is the source disk name
and "bar" is a network server I'd mounted.  Be warned that if you get
the syntax wrong "dd" will happily overwrite your disk for you.  "if"
is input file, "of" is output file, not hard, just unforgiving.

 If you want to use MS Windows, they sell these devices that plug
between the hard drive and the host adapter, and block all write
commands, making the drive effectively read-only.

-- Ben



--
Jonathan, A+, MCSA, MCSE



--
Jonathan, A+, MCSA, MCSE


Re: RE: RE: windows 7 forensics

2011-06-09 Thread Jonathan
forgot to include the link:

http://www.ssddfj.org/papers/SSDDFJ_V1_1_Bem_Huebner.pdf

Jonathan

On Thu, Jun 9, 2011 at 8:43 PM, Jonathan  wrote:

> Thanks again for the input.
>
> Next question - what about USB flash drive forensics? I briefly scanned the
> first part of this article, albeit from 2007.
>
> Would what you describe below still be valid for a USB flash drive?
>
> Thanks,
>
> Jonathan
>
>
> On Thu, Jun 9, 2011 at 6:42 PM, Ben Scott  wrote:
>
>> On Thu, Jun 9, 2011 at 2:15 PM, Jonathan  wrote:
>> > understand and agree.  However, if the boss says, "do it anyway," what
>> > approach would you use?
>>
>>   I would avoid MS Windows, as it has a tendency to want to write to
>> the disk without asking.  (Due to things like updating the MBR for
>> various weird reasons ("disk signatures", etc.), auto-mount of
>> anything that looks like NTFS, etc.).
>>
>>  Me, I'd boot a rescue Linux system (I like SysRescueCD) and use "dd
>> if=/dev/foo of=/mnt/bar/image", where "foo" is the source disk name
>> and "bar" is a network server I'd mounted.  Be warned that if you get
>> the syntax wrong "dd" will happily overwrite your disk for you.  "if"
>> is input file, "of" is output file, not hard, just unforgiving.
>>
>>  If you want to use MS Windows, they sell these devices that plug
>> between the hard drive and the host adapter, and block all write
>> commands, making the drive effectively read-only.
>>
>> -- Ben
>
>
> --
> Jonathan, A+, MCSA, MCSE
>



-- 
Jonathan, A+, MCSA, MCSE


Re: RE: RE: windows 7 forensics

2011-06-09 Thread Jonathan
Thanks again for the input.

Next question - what about USB flash drive forensics? I briefly scanned the
first part of this article, albeit from 2007.

Would what you describe below still be valid for a USB flash drive?

Thanks,

Jonathan

On Thu, Jun 9, 2011 at 6:42 PM, Ben Scott  wrote:

> On Thu, Jun 9, 2011 at 2:15 PM, Jonathan  wrote:
> > understand and agree.  However, if the boss says, "do it anyway," what
> > approach would you use?
>
>   I would avoid MS Windows, as it has a tendency to want to write to
> the disk without asking.  (Due to things like updating the MBR for
> various weird reasons ("disk signatures", etc.), auto-mount of
> anything that looks like NTFS, etc.).
>
>  Me, I'd boot a rescue Linux system (I like SysRescueCD) and use "dd
> if=/dev/foo of=/mnt/bar/image", where "foo" is the source disk name
> and "bar" is a network server I'd mounted.  Be warned that if you get
> the syntax wrong "dd" will happily overwrite your disk for you.  "if"
> is input file, "of" is output file, not hard, just unforgiving.
>
>  If you want to use MS Windows, they sell these devices that plug
> between the hard drive and the host adapter, and block all write
> commands, making the drive effectively read-only.
>
> -- Ben
>


-- 
Jonathan, A+, MCSA, MCSE


Re: RE: RE: windows 7 forensics

2011-06-09 Thread Ben Scott
On Thu, Jun 9, 2011 at 2:15 PM, Jonathan  wrote:
> understand and agree.  However, if the boss says, "do it anyway," what
> approach would you use?

  I would avoid MS Windows, as it has a tendency to want to write to
the disk without asking.  (Due to things like updating the MBR for
various weird reasons ("disk signatures", etc.), auto-mount of
anything that looks like NTFS, etc.).

  Me, I'd boot a rescue Linux system (I like SysRescueCD) and use "dd
if=/dev/foo of=/mnt/bar/image", where "foo" is the source disk name
and "bar" is a network server I'd mounted.  Be warned that if you get
the syntax wrong "dd" will happily overwrite your disk for you.  "if"
is input file, "of" is output file, not hard, just unforgiving.

  If you want to use MS Windows, they sell these devices that plug
between the hard drive and the host adapter, and block all write
commands, making the drive effectively read-only.

-- Ben
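Ben's dd recipe carried one step further, as an added example that is not from this thread: image the drive, then hash the original and the image so the clone can be shown to match and the original shown unchanged, which is the certification the rest of the thread asks for. It assumes Linux with dd and sha256sum; the function names and paths are mine, not Ben's.

```sh
#!/bin/sh
# Added example, not code from the thread: image a drive with dd as Ben
# describes, then hash the original and the image so the clone can be shown
# to be a bit-for-bit copy and the original can be shown untouched.
# Assumes Linux with dd and sha256sum; the paths are placeholders.

# SHA-256 of a file or block device (empty string if it cannot be read).
hash_of() {
    sha256sum "$1" 2>/dev/null | cut -d' ' -f1
}

# image_and_verify SRC DEST LOG
#   SRC  : source device or file, e.g. /dev/sdb; only ever opened for reading
#   DEST : image file to create; must not exist yet
#   LOG  : custody log that receives dd's record counts and the hashes
# Returns 0 only when DEST hashes the same as SRC and SRC is unchanged.
image_and_verify() {
    src="$1"; dest="$2"; log="$3"

    # Guards against the if=/of= mix-up Ben warns about: never write to an
    # existing path, and never let source and destination coincide.
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing file: $dest" >&2
        return 2
    fi
    if [ "$src" = "$dest" ]; then
        echo "source and destination are the same path: $src" >&2
        return 2
    fi

    # Hash the original before imaging.
    before=$(hash_of "$src")
    [ -n "$before" ] || return 3

    # bs=512 matches the sector size, so conv=noerror,sync can skip an
    # unreadable sector and zero-fill exactly that sector, keeping every
    # later offset in the image aligned with the original.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log" || return 4

    after=$(hash_of "$dest")
    again=$(hash_of "$src")   # re-hash the source: imaging must not change it

    printf '%s operator=%s src=%s sha256=%s image=%s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" \
        "$src" "$before" "$dest" "$after" >>"$log"

    [ "$before" = "$after" ] && [ "$before" = "$again" ]
}

# Usage: sh image.sh /dev/sdb /mnt/evidence/sdb.dd /mnt/evidence/custody.log
if [ "$#" -ge 3 ]; then
    image_and_verify "$1" "$2" "$3"
fi
```

A mismatch together with read errors in the log means dd zero-filled bad sectors; the log keeps both hashes either way, which is what you hand to whoever does the later, formal examination.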




Re: RE: RE: RE: windows 7 forensics

2011-06-09 Thread Andrew S. Baker
+1000

It's as easy as an email to the principals stating:


-

As discussed, I will be creating a cloned copy of drive with serial
#xxx for use in our internal investigation.   Please confirm that
you want me to lock the original in the safe, or provide it to legal
before I continue.

Thanks!

-



*ASB* (Professional Bio <http://about.me/Andrew.S.Baker/bio>)
Harnessing the Advantages of Technology for the SMB market...




On Thu, Jun 9, 2011 at 2:52 PM, Jonathan Link wrote:

> Still get it in writing...
>
>
>
> On Thu, Jun 9, 2011 at 2:48 PM, Jonathan  wrote:
>
>> Turns out we have a lawyer on the executive team. My instructions are to
>> clone and go from there.
>>
>> Jonathan A+, MCSA, MCSE
>>
>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
>> Verizon network. Please excuse brevity and any misspellings.
>>
>> On Jun 9, 2011 2:37 PM, "John Cook"  wrote:
>> > Get it in writing for CYA.
>> >
>> > From: Jonathan [mailto:ncm...@gmail.com]
>> > Sent: Thursday, June 09, 2011 2:15 PM
>> > To: NT System Admin Issues
>> > Subject: Re: RE: RE: windows 7 forensics
>> >
>> >
>> > understand and agree. However, if the boss says, "do it anyway," what
>> approach would you use?
>> >
>> > Jonathan A+, MCSA, MCSE
>> >
>> > Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
>> Verizon network. Please excuse brevity and any misspellings.
>> >
>> > On Jun 9, 2011 2:07 PM, "John Cook" <john.c...@pfsf.org> wrote:
>> >> Honestly, I would (if possible) pull the machine out from under the
>> user (make up some excuse about warranty issue or something) wrap it in tape
>> so the case can't be cracked and have someone sign it and date it for future
>> reference.
>> >>
>> >> From: Jonathan [mailto:ncm...@gmail.com]
>> >> Sent: Thursday, June 09, 2011 1:56 PM
>> >> To: NT System Admin Issues
>> >> Subject: Re: RE: windows 7 forensics
>> >>
>> >>
>> >> Good points from all of you. I don't know that a third party will be
>> brought in at all, but want to be prepared in case it does turn into
>> something bigger, which is why I asked the list.
>> >>
>> >> What would you guys recommend for cloning for this purpose? The last
>> thing I used was Ghost, but have used dfsee and others...
>> >>
>> >> Jonathan A+, MCSA, MCSE
>> >>
>> >> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
>> Verizon network. Please excuse brevity and any misspellings.
>> >>
>> >> On Jun 9, 2011 1:45 PM, "John Cook" <john.c...@pfsf.org> wrote:
>> >>> The second you log on as an Admin files have changed. If there are
>> Legal discoveries then the evidence is tainted. Forensic specialists clone
>> the HD with a special setup and do discovery on the clone thus preserving
>> the original for evidence.
>> >>>
>> >>> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
>> >>> Sent: Thursday, June 09, 2011 1:31 PM
>> >>> To: NT System Admin Issues
>> >>> Subject: Re: windows 7 forensics
>> >>>
>> >>> Some alarm bells are going off. If there's a professional service
>> involved, why are you doing anything? Have you asked them what they would
>> suggest so you could do your own analysis?
>> >>>
>> >>>
>> >>>
>> >>> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan <ncm...@gmail.com> wrote:
>> >>>
>> >>> for those of you who do not have content filtering in place, when
>> someone asks you to analyze a computer to figure out where they've been, what
>> software do you use?
>> >>>
>> >>> I've used iehist to examine index.dat files but I'm wondering if there
>> is anything better that's come out, since I haven't done this in a year or
>> two.
>> >>>
>> >>> free is preferable, but I need to be able to preserve the system as it
>> is for potential "professional" forensic analysis in addition to my own
>> analysis.
>> >>>
>> >>> Jonathan A+, MCSA, MCSE
>> >>>
>> >>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on
>> the Verizon network. Please excuse brevity and any misspellings.
>> >>>
>>
>


RE: RE: RE: RE: windows 7 forensics

2011-06-09 Thread Art DeKneef
There are a few forensic sites that will help guide you. There are a few
software packages that have passed court review to show that the original is
not changed in any way when making an image. EnCase comes to mind but there
are others. Of course I can't remember them right now. A couple of them were
open source packages.

 

The other information given is good. If the user has to have a computer and
you do not have a spare machine, pull the drive and put a new one in and
restore from backup. Document everything you do but do not use the saved
drive if there is the slightest possibility of the need to go beyond your
initial examination.

 

From: Jonathan [mailto:ncm...@gmail.com] 
Sent: Thursday, June 09, 2011 11:49 AM
To: NT System Admin Issues
Subject: Re: RE: RE: RE: windows 7 forensics

 

Turns out we have a lawyer on the executive team. My instructions are to
clone and go from there.

Jonathan A+, MCSA, MCSE

Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
Verizon network. Please excuse brevity and any misspellings.

On Jun 9, 2011 2:37 PM, "John Cook"  wrote:
> Get it in writing for CYA.
> 
> From: Jonathan [mailto:ncm...@gmail.com]
> Sent: Thursday, June 09, 2011 2:15 PM
> To: NT System Admin Issues
> Subject: Re: RE: RE: windows 7 forensics
> 
> 
> understand and agree. However, if the boss says, "do it anyway," what
approach would you use?
> 
> Jonathan A+, MCSA, MCSE
> 
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
Verizon network. Please excuse brevity and any misspellings.
> 
> On Jun 9, 2011 2:07 PM, "John Cook" <john.c...@pfsf.org> wrote:
>> Honestly, I would (if possible) pull the machine out from under the user
(make up some excuse about warranty issue or something) wrap it in tape so
the case can't be cracked and have someone sign it and date it for future
reference.
>>
>> From: Jonathan [mailto:ncm...@gmail.com]
>> Sent: Thursday, June 09, 2011 1:56 PM
>> To: NT System Admin Issues
>> Subject: Re: RE: windows 7 forensics
>>
>>
>> Good points from all of you. I don't know that a third party will be
brought in at all, but want to be prepared in case it does turn into
something bigger, which is why I asked the list.
>>
>> What would you guys recommend for cloning for this purpose? The last
thing I used was Ghost, but have used dfsee and others...
>>
>> Jonathan A+, MCSA, MCSE
>>
>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
Verizon network. Please excuse brevity and any misspellings.
>>
>> On Jun 9, 2011 1:45 PM, "John Cook" <john.c...@pfsf.org> wrote:
>>> The second you log on as an Admin files have changed. If there are Legal
discoveries then the evidence is tainted. Forensic specialists clone the HD
with a special setup and do discovery on the clone thus preserving the
original for evidence.
>>>
>>> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
>>> Sent: Thursday, June 09, 2011 1:31 PM
>>> To: NT System Admin Issues
>>> Subject: Re: windows 7 forensics
>>>
>>> Some alarm bells are going off. If there's a professional service
involved, why are you doing anything? Have you asked them what they would
suggest so you could do your own analysis?
>>>
>>>
>>>
>>> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan <ncm...@gmail.com> wrote:
>>>
>>> for those of you who do not have content filtering in place, when
someone asks you to analyze a computer to figure out where they've been, what
software do you use?
>>>
>>> I've used iehist to examine index.dat files but I'm wondering if there
is anything better that's come out, since I haven't done this in a year or
two.
>>>
>>> free is preferable, but I need to be able to preserve the system as it
is for potential "professional" forensic analysis in addition to my own
analysis.
>>>
>>> Jonathan A+, MCSA, MCSE
>>>
>>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
Verizon network. Please excuse brevity and any misspellings.
>>>

Re: RE: RE: RE: windows 7 forensics

2011-06-09 Thread Jonathan Link
Still get it in writing...



On Thu, Jun 9, 2011 at 2:48 PM, Jonathan  wrote:

> Turns out we have a lawyer on the executive team. My instructions are to
> clone and go from there.
>
> Jonathan A+, MCSA, MCSE
>
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
> Verizon network. Please excuse brevity and any misspellings.
>
> On Jun 9, 2011 2:37 PM, "John Cook"  wrote:
> > Get it in writing for CYA.
> >
> > From: Jonathan [mailto:ncm...@gmail.com]
> > Sent: Thursday, June 09, 2011 2:15 PM
> > To: NT System Admin Issues
> > Subject: Re: RE: RE: windows 7 forensics
> >
> >
> > understand and agree. However, if the boss says, "do it anyway," what
> approach would you use?
> >
> > Jonathan A+, MCSA, MCSE
> >
> > Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
> Verizon network. Please excuse brevity and any misspellings.
> >
> > On Jun 9, 2011 2:07 PM, "John Cook" <john.c...@pfsf.org> wrote:
> >> Honestly, I would (if possible) pull the machine out from under the user
> (make up some excuse about warranty issue or something) wrap it in tape so
> the case can't be cracked and have someone sign it and date it for future
> reference.
> >>
> >> From: Jonathan [mailto:ncm...@gmail.com]
> >> Sent: Thursday, June 09, 2011 1:56 PM
> >> To: NT System Admin Issues
> >> Subject: Re: RE: windows 7 forensics
> >>
> >>
> >> Good points from all of you. I don't know that a third party will be
> brought in at all, but want to be prepared in case it does turn into
> something bigger, which is why I asked the list.
> >>
> >> What would you guys recommend for cloning for this purpose? The last
> thing I used was Ghost, but have used dfsee and others...
> >>
> >> Jonathan A+, MCSA, MCSE
> >>
> >> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
> Verizon network. Please excuse brevity and any misspellings.
> >>
> >> On Jun 9, 2011 1:45 PM, "John Cook" <john.c...@pfsf.org> wrote:
> >>> The second you log on as an Admin files have changed. If there are
> Legal discoveries then the evidence is tainted. Forensic specialists clone
> the HD with a special setup and do discovery on the clone thus preserving
> the original for evidence.
> >>>
> >>> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
> >>> Sent: Thursday, June 09, 2011 1:31 PM
> >>> To: NT System Admin Issues
> >>> Subject: Re: windows 7 forensics
> >>>
> >>> Some alarm bells are going off. If there's a professional service
> involved, why are you doing anything? Have you asked them what they would
> suggest so you could do your own analysis?
> >>>
> >>>
> >>>
> >>> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan <ncm...@gmail.com> wrote:
> >>>
> >>> for those of you who do not have content filtering in place, when
> someone asks you to analyze a computer to figure out where they've been, what
> software do you use?
> >>>
> >>> I've used iehist to examine index.dat files but I'm wondering if there
> is anything better that's come out, since I haven't done this in a year or
> two.
> >>>
> >>> free is preferable, but I need to be able to preserve the system as it
> is for potential "professional" forensic analysis in addition to my own
> analysis.
> >>>
> >>> Jonathan A+, MCSA, MCSE
> >>>
> >>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
> Verizon network. Please excuse brevity and any misspellings.
> >>>

Re: RE: RE: RE: windows 7 forensics

2011-06-09 Thread Jonathan
Turns out we have a lawyer on the executive team. My instructions are to
clone and go from there.

Jonathan A+, MCSA, MCSE

Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
Verizon network. Please excuse brevity and any misspellings.

On Jun 9, 2011 2:37 PM, "John Cook"  wrote:
> Get it in writing for CYA.
>
> From: Jonathan [mailto:ncm...@gmail.com]
> Sent: Thursday, June 09, 2011 2:15 PM
> To: NT System Admin Issues
> Subject: Re: RE: RE: windows 7 forensics
>
>
> understand and agree. However, if the boss says, "do it anyway," what
approach would you use?
>
> Jonathan A+, MCSA, MCSE
>
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
Verizon network. Please excuse brevity and any misspellings.
>
> On Jun 9, 2011 2:07 PM, "John Cook" <john.c...@pfsf.org> wrote:
>> Honestly, I would (if possible) pull the machine out from under the user
(make up some excuse about warranty issue or something) wrap it in tape so
the case can't be cracked and have someone sign it and date it for future
reference.
>>
>> From: Jonathan [mailto:ncm...@gmail.com]
>> Sent: Thursday, June 09, 2011 1:56 PM
>> To: NT System Admin Issues
>> Subject: Re: RE: windows 7 forensics
>>
>>
>> Good points from all of you. I don't know that a third party will be
brought in at all, but want to be prepared in case it does turn into
something bigger, which is why I asked the list.
>>
>> What would you guys recommend for cloning for this purpose? The last
thing I used was Ghost, but have used dfsee and others...
>>
>> Jonathan A+, MCSA, MCSE
>>
>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
Verizon network. Please excuse brevity and any misspellings.
>>
>> On Jun 9, 2011 1:45 PM, "John Cook" <john.c...@pfsf.org> wrote:
>>> The second you log on as an Admin files have changed. If there are Legal
discoveries then the evidence is tainted. Forensic specialists clone the HD
with a special setup and do discovery on the clone thus preserving the
original for evidence.
>>>
>>> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
>>> Sent: Thursday, June 09, 2011 1:31 PM
>>> To: NT System Admin Issues
>>> Subject: Re: windows 7 forensics
>>>
>>> Some alarm bells are going off. If there's a professional service
involved, why are you doing anything? Have you asked them what they would
suggest so you could do your own analysis?
>>>
>>>
>>>
>>> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan <ncm...@gmail.com> wrote:
>>>
>>> for those of you who do not have content filtering in place, when
someone asks you to analyze a computer to figure out where they've been, what
software do you use?
>>>
>>> I've used iehist to examine index.dat files but I'm wondering if there
is anything better that's come out, since I haven't done this in a year or
two.
>>>
>>> free is preferable, but I need to be able to preserve the system as it
is for potential "professional" forensic analysis in addition to my own
analysis.
>>>
>>> Jonathan A+, MCSA, MCSE
>>>
>>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
Verizon network. Please excuse brevity and any misspellings.
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>
>>> ---
>>> To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
>>> or send an email to listmana...@lyris.sunbeltsoftware.com>>>
>>> with the body: unsubscribe ntsysadmin
>>>

RE: RE: RE: windows 7 forensics

2011-06-09 Thread John Cook
Get it in writing for CYA.

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Thursday, June 09, 2011 2:15 PM
To: NT System Admin Issues
Subject: Re: RE: RE: windows 7 forensics


understand and agree.  However, if the boss says, "do it anyway," what approach 
would you use?

Jonathan A+, MCSA, MCSE

Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon 
network. Please excuse brevity and any misspellings.

On Jun 9, 2011 2:07 PM, "John Cook" <john.c...@pfsf.org> wrote:
> Honestly, I would (if possible) pull the machine out from under the user 
> (make up some excuse about warranty issue or something) wrap it in tape so 
> the case can't be cracked and have someone sign it and date it for future 
> reference.
>
> From: Jonathan [mailto:ncm...@gmail.com]
> Sent: Thursday, June 09, 2011 1:56 PM
> To: NT System Admin Issues
> Subject: Re: RE: windows 7 forensics
>
>
> Good points from all of you. I don't know that a third party will be brought 
> in at all, but want to be prepared in case it does turn into something 
> bigger, which is why I asked the list.
>
> What would you guys recommend for cloning for this purpose? The last thing I 
> used was Ghost, but have used dfsee and others...
>
> Jonathan A+, MCSA, MCSE
>
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the 
> Verizon network. Please excuse brevity and any misspellings.
>
> On Jun 9, 2011 1:45 PM, "John Cook" <john.c...@pfsf.org> wrote:
>> The second you log on as an Admin files have changed. If there are Legal 
>> discoveries then the evidence is tainted. Forensic specialists clone the HD 
>> with a special setup and do discovery on the clone thus preserving the 
>> original for evidence.
>>
>> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
>> Sent: Thursday, June 09, 2011 1:31 PM
>> To: NT System Admin Issues
>> Subject: Re: windows 7 forensics
>>
>> Some alarm bells are going off. If there's a professional service involved, 
>> why are you doing anything? Have you asked them what they would suggest so 
>> you could do your own analysis?
>>
>>
>>
>> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan <ncm...@gmail.com> wrote:
>>
>> for those of you who do not have content filtering in place, when someone
>> asks you to analyze a computer to figure out where they've been, what
>> software do you use?
>>
>> I've used iehist to examine index.dat files but I'm wondering if there is
>> anything better that's come out since I haven't done this in a year or two.
>>
>> free is preferable, but I need to be able to preserve the system as it is 
>> for potential "professional" forensic analysis in addition to my own 
>> analysis.
>>
>> Jonathan A+, MCSA, MCSE
>>
>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the 
>> Verizon network. Please excuse brevity and any misspellings.
>>

RE: RE: RE: windows 7 forensics

2011-06-09 Thread Guyer, Don
x2

 

In the past when I was approached about doing this type of
"investigating", I made sure someone "else" was able to access the
system to do the investigating (HR or a superior).

 

I never agree(d) to do this stuff myself and was never "forced" to do so
or reprimanded in any way.

 

Don Guyer

Windows Systems Engineer

RIM Operations Engineering Distributed - A Team, Tier 2

Enterprise Technology Group

Fiserv

don.gu...@fiserv.com

Office: 1-800-523-7282 x 1673

Fax: 610-233-0404

www.fiserv.com <http://www.fiserv.com/> 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Thursday, June 09, 2011 2:24 PM
To: NT System Admin Issues
Subject: Re: RE: RE: windows 7 forensics

 

I would beg him to contact a lawyer before proceeding.  If that doesn't
get anywhere, I'd ask for a signed letter indemnifying me of
responsibility should this proceed to litigation.
First thing is to tell the boss that this is not a technical problem.
It is a legal issue.  A legal issue that requires some technical
assistance, but it is a matter of discovery, and that is a LEGAL
process, not a technical one.

 

 

On Thu, Jun 9, 2011 at 2:15 PM, Jonathan  wrote:

understand and agree.  However, if the boss says, "do it anyway," what
approach would you use?

Jonathan A+, MCSA, MCSE

Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
Verizon network. Please excuse brevity and any misspellings.

On Jun 9, 2011 2:07 PM, "John Cook"  wrote:
> Honestly, I would (if possible) pull the machine out from under the
user (make up some excuse about warranty issue or something) wrap it in
tape so the case can't be cracked and have someone sign it and date it
for future reference.
> 
> From: Jonathan [mailto:ncm...@gmail.com]
> Sent: Thursday, June 09, 2011 1:56 PM
> To: NT System Admin Issues
> Subject: Re: RE: windows 7 forensics
> 
> 
> Good points from all of you. I don't know that a third party will be
brought in at all, but want to be prepared in case it does turn into
something bigger, which is why I asked the list.
> 
> What would you guys recommend for cloning for this purpose? The last
thing I used was Ghost, but have used dfsee and others...
> 
> Jonathan A+, MCSA, MCSE
> 
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on
the Verizon network. Please excuse brevity and any misspellings.
> 

> On Jun 9, 2011 1:45 PM, "John Cook" <john.c...@pfsf.org> wrote:
>> The second you log on as an Admin files have changed. If there are
Legal discoveries then the evidence is tainted. Forensic specialists
clone the HD with a special setup and do discovery on the clone thus
preserving the original for evidence.
>>

>> From: Jonathan Link [mailto:jonathan.l...@gmail.com]


>> Sent: Thursday, June 09, 2011 1:31 PM
>> To: NT System Admin Issues
>> Subject: Re: windows 7 forensics
>>
>> Some alarm bells are going off. If there's a professional service
involved, why are you doing anything? Have you asked them what they
would suggest so you could do your own analysis?
>>
>>
>>

>> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan <ncm...@gmail.com> wrote:
>>
>> for those of you who do not have content filtering in place, when
someone asks you to analyze a computer to figure out where they've been,
what software do you use?
>>
>> I've used iehist to examine index.dat files but I'm wondering if
there is anything better that's come out since I haven't done this in a
year or two.
>>
>> free is preferable, but I need to be able to preserve the system as
it is for potential "professional" forensic analysis in addition to my
own analysis.
>>
>> Jonathan A+, MCSA, MCSE
>>
>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on
the Verizon network. Please excuse brevity and any misspellings.
>>

RE: RE: RE: windows 7 forensics

2011-06-09 Thread Ziots, Edward
Sector by Sector image, and again as Robert said write-protections
should be in place, unless you want a lawyer basically shooting a big
hole in your chain of evidence/custody that is required to even get the
evidence in a court of law.  Best to leave the Forensics to a reputable
out-sourced company that does it all the time. (They have the tools
and experience in dealing with chain of evidence, proper techniques,
and going to court to explain what they have found and how it's material
to the case.)

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Security Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Thursday, June 09, 2011 2:22 PM
To: NT System Admin Issues
Subject: RE: RE: RE: windows 7 forensics

 

Boot it from a CD and image it, then do your poking around.

 

From: Jonathan [mailto:ncm...@gmail.com] 
Sent: Thursday, June 09, 2011 2:15 PM
To: NT System Admin Issues
Subject: Re: RE: RE: windows 7 forensics

 

understand and agree.  However, if the boss says, "do it anyway," what
approach would you use?

Jonathan A+, MCSA, MCSE

Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
Verizon network. Please excuse brevity and any misspellings.

On Jun 9, 2011 2:07 PM, "John Cook"  wrote:
> Honestly, I would (if possible) pull the machine out from under the
user (make up some excuse about warranty issue or something) wrap it in
tape so the case can't be cracked and have someone sign it and date it
for future reference.
> 
> From: Jonathan [mailto:ncm...@gmail.com]
> Sent: Thursday, June 09, 2011 1:56 PM
> To: NT System Admin Issues
> Subject: Re: RE: windows 7 forensics
> 
> 
> Good points from all of you. I don't know that a third party will be
brought in at all, but want to be prepared in case it does turn into
something bigger, which is why I asked the list.
> 
> What would you guys recommend for cloning for this purpose? The last
thing I used was Ghost, but have used dfsee and others...
> 
> Jonathan A+, MCSA, MCSE
> 
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on
the Verizon network. Please excuse brevity and any misspellings.
> 
> On Jun 9, 2011 1:45 PM, "John Cook" wrote:
>> The second you log on as an Admin files have changed. If there are
Legal discoveries then the evidence is tainted. Forensic specialists
clone the HD with a special setup and do discovery on the clone thus
preserving the original for evidence.
>>
>> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
>> Sent: Thursday, June 09, 2011 1:31 PM
>> To: NT System Admin Issues
>> Subject: Re: windows 7 forensics
>>
>> Some alarm bells are going off. If there's a professional service
involved, why are you doing anything? Have you asked them what they
would suggest so you could do your own analysis?
>>
>>
>>
>> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan <ncm...@gmail.com> wrote:
>>
>> for those of you who do not have content filtering in place, when
someone asks you to analyze a computer to figure out where they've been,
what software do you use?
>>
>> I've used iehist to examine index.dat files but I'm wondering if
there is anything better that's come out since I haven't done this in a
year or two.
>>
>> free is preferable, but I need to be able to preserve the system as
it is for potential "professional" forensic analysis in addition to my
own analysis.
>>
>> Jonathan A+, MCSA, MCSE
>>
>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on
the Verizon network. Please excuse brevity and any misspellings.
>>

Re: RE: RE: windows 7 forensics

2011-06-09 Thread Jonathan Link
I would beg him to contact a lawyer before proceeding.  If that doesn't get
anywhere, I'd ask for a signed letter indemnifying me of responsibility
should this proceed to litigation.
First thing is to tell the boss that this is not a technical problem.  It is
a legal issue.  A legal issue that requires some technical assistance, but
it is a matter of discovery, and that is a LEGAL process, not a technical
one.


On Thu, Jun 9, 2011 at 2:15 PM, Jonathan  wrote:

> understand and agree.  However, if the boss says, "do it anyway," what
> approach would you use?
>
> Jonathan A+, MCSA, MCSE
>
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
> Verizon network. Please excuse brevity and any misspellings.
>
> On Jun 9, 2011 2:07 PM, "John Cook"  wrote:
> > Honestly, I would (if possible) pull the machine out from under the user
> (make up some excuse about warranty issue or something) wrap it in tape so
> the case can't be cracked and have someone sign it and date it for future
> reference.
> >
> > From: Jonathan [mailto:ncm...@gmail.com]
> > Sent: Thursday, June 09, 2011 1:56 PM
> > To: NT System Admin Issues
> > Subject: Re: RE: windows 7 forensics
> >
> >
> > Good points from all of you. I don't know that a third party will be
> brought in at all, but want to be prepared in case it does turn into
> something bigger, which is why I asked the list.
> >
> > What would you guys recommend for cloning for this purpose? The last
> thing I used was Ghost, but have used dfsee and others...
> >
> > Jonathan A+, MCSA, MCSE
> >
> > Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
> Verizon network. Please excuse brevity and any misspellings.
> >
> > On Jun 9, 2011 1:45 PM, "John Cook" <john.c...@pfsf.org> wrote:
> >> The second you log on as an Admin files have changed. If there are Legal
> discoveries then the evidence is tainted. Forensic specialists clone the HD
> with a special setup and do discovery on the clone thus preserving the
> original for evidence.
> >>
> >> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
>
> >> Sent: Thursday, June 09, 2011 1:31 PM
> >> To: NT System Admin Issues
> >> Subject: Re: windows 7 forensics
> >>
> >> Some alarm bells are going off. If there's a professional service
> involved, why are you doing anything? Have you asked them what they would
> suggest so you could do your own analysis?
> >>
> >>
> >>
> >> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan <ncm...@gmail.com> wrote:
> >>
> >> for those of you who do not have content filtering in place, when
> someone asks you to analyze a computer to figure out where they've been, what
> software do you use?
> >>
> >> I've used iehist to examine index.dat files but I'm wondering if there
> is anything better that's come out since I haven't done this in a year or
> two.
> >>
> >> free is preferable, but I need to be able to preserve the system as it
> is for potential "professional" forensic analysis in addition to my own
> analysis.
> >>
> >> Jonathan A+, MCSA, MCSE
> >>
> >> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
> Verizon network. Please excuse brevity and any misspellings.
> >>

RE: RE: RE: windows 7 forensics

2011-06-09 Thread Kennedy, Jim
Boot it from a CD and image it, then do your poking around.

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Thursday, June 09, 2011 2:15 PM
To: NT System Admin Issues
Subject: Re: RE: RE: windows 7 forensics


understand and agree.  However, if the boss says, "do it anyway," what approach 
would you use?

Jonathan A+, MCSA, MCSE

Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon 
network. Please excuse brevity and any misspellings.

On Jun 9, 2011 2:07 PM, "John Cook" <john.c...@pfsf.org> wrote:
> Honestly, I would (if possible) pull the machine out from under the user 
> (make up some excuse about warranty issue or something) wrap it in tape so 
> the case can't be cracked and have someone sign it and date it for future 
> reference.
>
> From: Jonathan [mailto:ncm...@gmail.com]
> Sent: Thursday, June 09, 2011 1:56 PM
> To: NT System Admin Issues
> Subject: Re: RE: windows 7 forensics
>
>
> Good points from all of you. I don't know that a third party will be brought 
> in at all, but want to be prepared in case it does turn into something 
> bigger, which is why I asked the list.
>
> What would you guys recommend for cloning for this purpose? The last thing I 
> used was Ghost, but have used dfsee and others...
>
> Jonathan A+, MCSA, MCSE
>
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the 
> Verizon network. Please excuse brevity and any misspellings.
>
> On Jun 9, 2011 1:45 PM, "John Cook" <john.c...@pfsf.org> wrote:
>> The second you log on as an Admin files have changed. If there are Legal 
>> discoveries then the evidence is tainted. Forensic specialists clone the HD 
>> with a special setup and do discovery on the clone thus preserving the 
>> original for evidence.
>>
>> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
>> Sent: Thursday, June 09, 2011 1:31 PM
>> To: NT System Admin Issues
>> Subject: Re: windows 7 forensics
>>
>> Some alarm bells are going off. If there's a professional service involved, 
>> why are you doing anything? Have you asked them what they would suggest so 
>> you could do your own analysis?
>>
>>
>>
>> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan <ncm...@gmail.com> wrote:
>>
>> for those of you who do not have content filtering in place, when someone
>> asks you to analyze a computer to figure out where they've been, what
>> software do you use?
>>
>> I've used iehist to examine index.dat files but I'm wondering if there is
>> anything better that's come out since I haven't done this in a year or two.
>>
>> free is preferable, but I need to be able to preserve the system as it is 
>> for potential "professional" forensic analysis in addition to my own 
>> analysis.
>>
>> Jonathan A+, MCSA, MCSE
>>
>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the 
>> Verizon network. Please excuse brevity and any misspellings.
>>
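
Jim Kennedy's one-liner (boot from a CD and image the disk before touching it) and Edward Ziots's point earlier in the thread (sector-by-sector image, write protection in place, a chain of custody a lawyer cannot shoot holes in) describe the same procedure. What follows is an added example of that procedure as a POSIX shell script; it is not code posted by anyone in the thread. It assumes a Linux live CD whose userland has dd, sha256sum (or shasum) and awk, that the evidence disk is attached behind a hardware write blocker, and that the device, image and log paths are supplied by the caller. The /dev/sdb path in the usage comment is hypothetical, and the stand-in "disk" used to exercise it is an ordinary file of random bytes.

```shell
#!/bin/sh
# Added example (not from the thread): sector-by-sector imaging of an
# evidence disk with dd, hash verification, and a custody log entry.
# Assumptions (hypothetical): the disk sits behind a hardware write
# blocker, and DEVICE/IMAGE/LOG are supplied by the caller, e.g.
#   image_and_verify /dev/sdb /mnt/evidence/case-sdb.dd /mnt/evidence/custody.log
set -u

# SHA-256 of a file, digest only. sha256sum on Linux, shasum elsewhere.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# image_and_verify DEVICE IMAGE LOG
#  1. hash the source before touching it;
#  2. copy it sector by sector: bs=512 matches a 512-byte logical sector,
#     conv=noerror keeps going past unreadable sectors and conv=sync pads
#     them with zeros so every later byte keeps its original offset;
#  3. hash the source again and hash the image. All three digests must
#     agree: a changed source means something wrote to the evidence disk
#     during acquisition, an image mismatch means the copy is not faithful;
#  4. append a tab-separated custody entry (UTC time, paths, digests, who).
# Prints VERIFIED or MISMATCH and returns 0 or 1 accordingly.
image_and_verify() {
    dev="$1"; img="$2"; log="$3"

    before=$(hash_file "$dev")
    dd if="$dev" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    after=$(hash_file "$dev")
    image=$(hash_file "$img")

    if [ "$before" = "$after" ] && [ "$before" = "$image" ]; then
        status=VERIFIED; rc=0
    else
        status=MISMATCH; rc=1
    fi
    printf '%s\tsource=%s\timage=%s\tsha256_before=%s\tsha256_after=%s\tsha256_image=%s\tstatus=%s\tby=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$dev" "$img" \
        "$before" "$after" "$image" "$status" "$(id -un)" >> "$log"
    echo "$status"
    return "$rc"
}

# verify_image IMAGE EXPECTED_SHA256
# Re-hash the image later (before handing it to an outside examiner, or
# after it has been copied elsewhere) and compare with the digest logged
# at acquisition. Returns 0 when they match, 1 otherwise.
verify_image() {
    [ "$(hash_file "$1")" = "$2" ]
}
```

The before/after hashes of the source are what the write blocker is supposed to guarantee: if they differ, something wrote to the evidence disk while you were imaging it and the image can no longer be tied to the original. The log line is the minimum an outside firm will ask for (what was imaged, when, by whom, and a digest they can recompute on the copy you hand over), so keep it with the sealed original. On real hardware bs=512 must match the drive's logical sector size, and purpose-built acquisition tools such as dc3dd or ewfacquire do the same copy with on-the-fly hashing and error logging built in.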

Re: RE: RE: windows 7 forensics

2011-06-09 Thread Jonathan
understand and agree.  However, if the boss says, "do it anyway," what
approach would you use?

Jonathan A+, MCSA, MCSE

Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
Verizon network. Please excuse brevity and any misspellings.

On Jun 9, 2011 2:07 PM, "John Cook"  wrote:
> Honestly, I would (if possible) pull the machine out from under the user
(make up some excuse about warranty issue or something) wrap it in tape so
the case can't be cracked and have someone sign it and date it for future
reference.
>
> From: Jonathan [mailto:ncm...@gmail.com]
> Sent: Thursday, June 09, 2011 1:56 PM
> To: NT System Admin Issues
> Subject: Re: RE: windows 7 forensics
>
>
> Good points from all of you. I don't know that a third party will be
brought in at all, but want to be prepared in case it does turn into
something bigger, which is why I asked the list.
>
> What would you guys recommend for cloning for this purpose? The last thing
I used was Ghost, but have used dfsee and others...
>
> Jonathan A+, MCSA, MCSE
>
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
Verizon network. Please excuse brevity and any misspellings.
>
> On Jun 9, 2011 1:45 PM, "John Cook" wrote:
>> The second you log on as an Admin files have changed. If there are Legal
discoveries then the evidence is tainted. Forensic specialists clone the HD
with a special setup and do discovery on the clone thus preserving the
original for evidence.
>>
>> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
>> Sent: Thursday, June 09, 2011 1:31 PM
>> To: NT System Admin Issues
>> Subject: Re: windows 7 forensics
>>
>> Some alarm bells are going off. If there's a professional service
involved, why are you doing anything? Have you asked them what they would
suggest so you could do your own analysis?
>>
>>
>>
>> On Thu, Jun 9, 2011 at 1:24 PM, Jonathan wrote:
>>
>> for those of you who do not have content filtering in place, when someone
asks you to analyze a computer to figure out where they've been, what
software do you use?
>>
>> I've used iehist to examine index.dat files but I'm wondering if there is
anything better that's come out since I haven't done this in a year or two.
>>
>> free is preferable, but I need to be able to preserve the system as it is
for potential "professional" forensic analysis in addition to my own
analysis.
>>
>> Jonathan A+, MCSA, MCSE
>>
>> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the
Verizon network. Please excuse brevity and any misspellings.
>>