Re: windows 7 forensics
On Wed, Jun 15, 2011 at 5:14 PM, Jonathan ncm...@gmail.com wrote:
> As for creating a forensically sound image, the best are supposedly FTK Imager, from Access Data Products, and EnCase (mentioned by Art DeKneef earlier in this thread) from Guidance Software ...

The classic *nix tool dd will do a perfectly fine job at creating an image. (Bytes is bytes.) It's even been ported to Windows, although I don't know if it will work on a hard drive. (Windows tends to automatically mount (and thus lock) anything it recognizes.)

The real trouble is Windows doesn't have a loopback block device. This is the facility in Linux that lets you take a file and treat it as a block device, which can in turn be mounted as a filesystem. (Also useful with floppies and CDs.) Hence the need for third-party tools for that on Windows.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
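The acquisition step Ben describes, as an added example that is not part of the original thread: a raw dd image of the evidence, followed by an independent hash of source and image so the copy can be shown to be bit-for-bit identical before anyone analyses it. The function names (`acquire_image`, `verify_image`, `hash_file`) and the sample file are my own; the sample is constructed in a temp directory to stand in for a block device, since a real acquisition would read from something like `/dev/sdX` sitting behind a write blocker or attached to a rescue Linux boot that never mounts it.

```shell
#!/bin/sh
# Added example (not code from the list thread): raw dd acquisition plus hash
# verification. Assumes a POSIX dd, sha256sum (coreutils) or shasum (BSD/macOS),
# and that the source is attached read-only. The "evidence.raw" file created
# below is a constructed stand-in for a real device node.
set -eu

hash_file() {
    # Portable SHA-256 of one file: coreutils sha256sum, else BSD/macOS shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

acquire_image() {
    # $1 = source (device node or file, read only), $2 = destination image path.
    # bs=512 matches the sector size, so conv=sync never pads a whole-device read;
    # conv=noerror keeps going past unreadable sectors and sync zero-fills them,
    # so every offset in the image still lines up with the same offset on the
    # original. dd's transfer statistics and any read errors stay on stderr.
    dd if="$1" of="$2" bs=512 conv=noerror,sync
}

verify_image() {
    # $1 = source, $2 = image. Hashes both sides independently, records the
    # hashes next to the image for the custody notes, and returns 0 only on a match.
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    printf 'source  %s  %s\nimage   %s  %s\n' \
        "$src_hash" "$1" "$img_hash" "$2" > "$2.sha256"
    [ "$src_hash" = "$img_hash" ]
}

make_sample_disk() {
    # Constructed stand-in for a small drive: 64 sectors of zeros with a text
    # payload written into sector 10 (conv=notrunc keeps the file at 64 sectors).
    dd if=/dev/zero of="$1" bs=512 count=64 2>/dev/null
    printf 'constructed sample payload, not real evidence' |
        dd of="$1" bs=512 seek=10 conv=notrunc 2>/dev/null
}

# Stand-alone demonstration: image the sample disk, then verify the copy.
work=$(mktemp -d)
make_sample_disk "$work/evidence.raw"
acquire_image "$work/evidence.raw" "$work/evidence.dd"
if verify_image "$work/evidence.raw" "$work/evidence.dd"; then
    echo "image verified:"
    cat "$work/evidence.dd.sha256"
else
    echo "HASH MISMATCH: do not rely on this image" >&2
fi
rm -rf "$work"
```

Once the hashes match, the image is what gets examined, never the original. On Linux that is the loopback facility Ben mentions: `mount -o ro,loop image.dd /mnt/evidence` (adding `offset=` when the filesystem is a partition inside a whole-disk image) exposes the file as a read-only block device, which is exactly what Windows lacks without third-party tools.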
Re: windows 7 forensics
On 9 Jun 2011 at 18:42, Ben Scott wrote:
> If you want to use MS Windows, they sell these devices that plug between the hard drive and the host adapter, and block all write commands, making the drive effectively read-only.

I think I would want to use one of these anyway. Got a link or a good Google string to tell us where we can get one of these? They might be very useful ...

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/
Re: windows 7 forensics
If USB drives are all you need to examine, you can do it for free with a single registry entry.

http://motersho.com/blog/index.php/2010/02/15/howto-set-usb-drive-to-read-only-windows-xpvista7/

On Wed, Jun 15, 2011 at 1:25 PM, Angus Scott-Fleming angu...@geoapps.com wrote:
> I think I would want to use one of these anyway. Got a link or a good Google string to tell us where we can get one of these? They might be very useful ...
Re: windows 7 forensics
This is true - there is a registry setting that will prevent USB writes from within Windows, but that CAN be unreliable. Also, it is an all or nothing setting for USB devices - not ideal. Besides, the OS isn't the only thing capable of writing to a drive.

I've learned a lot in the past week about this subject, in large part thanks to the answers and suggestions provided on this thread.

If you want to be sure, you need a hardware write protector. Tableau makes such a device, called a Forensic Bridge. You can get them in multiple flavors - IDE, SATA, USB, SCSI, SAS, Firewire...

http://www.tableau.com/index.php?pageid=products&model=T35es
http://www.tableau.com/index.php?pageid=products&model=T8-R2

The ones I have looked at are about $300 to $450 each.

As for creating a forensically sound image, the best are supposedly FTK Imager, from Access Data Products, and EnCase (mentioned by Art DeKneef earlier in this thread) from Guidance Software:

http://accessdata.com/support/adownloads#FTKImager
http://www.guidancesoftware.com/

For either, you would need a tool to be able to read the raw image file created by EnCase or FTK Imager, as (from what I understand) it is not natively searchable in Windows.

I want to play around with SIFT, mentioned by Joe Tinney earlier in this thread, but haven't had a chance yet. Life, wife, kids, %work%... you know the drill.

Cheers,
Jonathan, A+, MCSA, MCSE

On Wed, Jun 15, 2011 at 1:52 PM, Richard Stovall rich...@gmail.com wrote:
> If USB drives are all you need to examine, you can do it for free with a single registry entry.
> http://motersho.com/blog/index.php/2010/02/15/howto-set-usb-drive-to-read-only-windows-xpvista7/
Re: RE: RE: windows 7 forensics
On Thu, Jun 9, 2011 at 8:43 PM, Jonathan ncm...@gmail.com wrote:
>> ... avoid MS Windows, as it has a tendency to want to write to the disk ... Me, I'd boot a rescue Linux system ... devices that plug between the hard drive and the host adapter, and block all write commands ...
>
> Next question - what about USB flash drive forensics?

Basically the same. Make an image. Make sure nothing writes to the original.

I don't know if write blocking devices for USB flash drives exist on the market, but technologically there's no reason they couldn't.

-- Ben
Re: RE: RE: windows 7 forensics
On Fri, Jun 10, 2011 at 7:33 AM, Ben Scott mailvor...@gmail.com wrote:
> I don't know if write blocking devices for USB flash drives exist on the market, but technologically there's no reason they couldn't.

Yes, they do.

http://www.siliconforensics.com/ps-135-2-read-only-write-protect-usb-media-card-reader.aspx

ASB (Professional Bio: http://about.me/Andrew.S.Baker/bio)
Harnessing the Advantages of Technology for the SMB market...
RE: RE: RE: windows 7 forensics
I've used and had fantastic results using the SIFT workstation from SANS Institute:
http://computer-forensics.sans.org/community/downloads/

I take a DD image of the drive and then develop a SUPER Timeline:
http://computer-forensics.sans.org/blog/2010/03/19/digital-forensic-sifting-super-timeline-analysis-and-creation/

Works great, and the end result is a massive CSV file of all activity - NTFS, web, recent process launches, etc. - and it is all time-sequenced. I've done this to track down where and when malware entry occurred on the system.

Good luck!

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Thursday, June 09, 2011 2:15 PM
To: NT System Admin Issues
Subject: Re: RE: RE: windows 7 forensics

> Understand and agree. However, if the boss says, do it anyway, what approach would you use?
>
> Jonathan
> A+, MCSA, MCSE
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings.
>
> On Jun 9, 2011 2:07 PM, John Cook john.c...@pfsf.org wrote:
>> Honestly, I would (if possible) pull the machine out from under the user (make up some excuse about a warranty issue or something), wrap it in tape so the case can't be cracked, and have someone sign it and date it for future reference.
Re: windows 7 forensics
Some alarm bells are going off. If there's a professional service involved, why are you doing anything? Have you asked them what they would suggest so you could do your own analysis?

On Thu, Jun 9, 2011 at 1:24 PM, Jonathan ncm...@gmail.com wrote:
> For those of you who do not have content filtering in place, when someone asks you to analyze a computer to figure out where they've been, what software do you use? I've used iehist to examine index.dat files, but I'm wondering if there is anything better that's come out since; I haven't done this in a year or two. Free is preferable, but I need to be able to preserve the system as it is for potential professional forensic analysis in addition to my own analysis.
>
> Jonathan
> A+, MCSA, MCSE
> Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings.
RE: windows 7 forensics
+1

If you need to preserve for a professional, you need them to tell you how to do it, in conjunction with the lawyers that might be involved. They may very well tell you the first thing to do is image it.

I was an 'expert' witness in a sexual harassment case that the company lost badly because they did not properly preserve the original computer in question. As soon as I pointed that out the judge slammed the defense from the bench; it was all over.

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Thursday, June 09, 2011 1:31 PM
To: NT System Admin Issues
Subject: Re: windows 7 forensics

> Some alarm bells are going off. If there's a professional service involved, why are you doing anything? Have you asked them what they would suggest so you could do your own analysis?
RE: windows 7 forensics
The second you log on as an Admin, files have changed. If there are legal discoveries then the evidence is tainted. Forensic specialists clone the HD with a special setup and do discovery on the clone, thus preserving the original for evidence.

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Thursday, June 09, 2011 1:31 PM
To: NT System Admin Issues
Subject: Re: windows 7 forensics

> Some alarm bells are going off. If there's a professional service involved, why are you doing anything? Have you asked them what they would suggest so you could do your own analysis?
Re: RE: windows 7 forensics
Good points from all of you. I don't know that a third party will be brought in at all, but want to be prepared in case it does turn into something bigger, which is why I asked the list.

What would you guys recommend for cloning for this purpose? The last thing I used was Ghost, but have used dfsee and others...

Jonathan
A+, MCSA, MCSE
Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings.

On Jun 9, 2011 1:45 PM, John Cook john.c...@pfsf.org wrote:
> The second you log on as an Admin, files have changed. If there are legal discoveries then the evidence is tainted. Forensic specialists clone the HD with a special setup and do discovery on the clone, thus preserving the original for evidence.
RE: RE: windows 7 forensics
Built-in backup program.

Don Guyer
Windows Systems Engineer
RIM Operations Engineering Distributed - A Team, Tier 2
Enterprise Technology Group
Fiserv
don.gu...@fiserv.com
Office: 1-800-523-7282 x 1673
Fax: 610-233-0404
www.fiserv.com

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Thursday, June 09, 2011 1:56 PM
To: NT System Admin Issues
Subject: Re: RE: windows 7 forensics

> Good points from all of you. I don't know that a third party will be brought in at all, but want to be prepared in case it does turn into something bigger, which is why I asked the list.
>
> What would you guys recommend for cloning for this purpose? The last thing I used was Ghost, but have used dfsee and others...
Re: RE: windows 7 forensics
If there's a chance it turns into something bigger, I'd hold off doing anything. I'd unplug the computer, lock it in a safe and leave it alone. I'd talk to your superiors about being able to maintain the integrity of the machine being paramount if they think that this will involve litigation or be referred for criminal prosecution. Once you have authoritative guidance on what you're allowed to do, I'd do it. Even if it means you have to pay the professional for a clone you can access, I think that it would be worth it.

On Thu, Jun 9, 2011 at 1:55 PM, Jonathan ncm...@gmail.com wrote:

Good points from all of you. I don't know that a third party will be brought in at all, but I want to be prepared in case it does turn into something bigger, which is why I asked the list. What would you guys recommend for cloning for this purpose? The last thing I used was Ghost, but I have used dfsee and others...

Jonathan
A+, MCSA, MCSE
Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings.

On Jun 9, 2011 1:45 PM, John Cook john.c...@pfsf.org wrote:

The second you log on as an Admin, files have changed. If there are legal discoveries, then the evidence is tainted. Forensic specialists clone the HD with a special setup and do discovery on the clone, thus preserving the original for evidence.

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Thursday, June 09, 2011 1:31 PM
To: NT System Admin Issues
Subject: Re: windows 7 forensics

Some alarm bells are going off. If there's a professional service involved, why are you doing anything? Have you asked them what they would suggest so you could do your own analysis?

On Thu, Jun 9, 2011 at 1:24 PM, Jonathan ncm...@gmail.com wrote:

For those of you who do not have content filtering in place, when someone asks you to analyze a computer to figure out where they've been, what software do you use? I've used iehist to examine index.dat files, but I'm wondering if there is anything better that's come out, since I haven't done this in a year or two. Free is preferable, but I need to be able to preserve the system as it is for potential professional forensic analysis in addition to my own analysis.

Jonathan

CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties.

Consider the environment. Please don't print this e-mail unless you really need to. This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments.
Re: RE: windows 7 forensics
Just say no. To do this properly you cannot boot from that drive. A proper forensic image is taken by placing the disk in another machine with adequate write protection in place. Once the image is taken, the original is placed in secure storage. If you do anything, and it goes to a legal matter, a good lawyer will demonstrate that there was no proper chain of custody established, that good examination techniques were not used, and the case will likely be over then and there.

On Thu, Jun 9, 2011 at 1:55 PM, Jonathan ncm...@gmail.com wrote:

Good points from all of you. I don't know that a third party will be brought in at all, but I want to be prepared in case it does turn into something bigger, which is why I asked the list. What would you guys recommend for cloning for this purpose? The last thing I used was Ghost, but I have used dfsee and others...

Jonathan
RE: RE: windows 7 forensics
Honestly, I would (if possible) pull the machine out from under the user (make up some excuse about a warranty issue or something), wrap it in tape so the case can't be cracked, and have someone sign it and date it for future reference.

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Thursday, June 09, 2011 1:56 PM
To: NT System Admin Issues
Subject: Re: RE: windows 7 forensics

Good points from all of you. I don't know that a third party will be brought in at all, but I want to be prepared in case it does turn into something bigger, which is why I asked the list. What would you guys recommend for cloning for this purpose? The last thing I used was Ghost, but I have used dfsee and others...

Jonathan
Re: RE: RE: windows 7 forensics
Understand and agree. However, if the boss says "do it anyway", what approach would you use?

Jonathan
A+, MCSA, MCSE
Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings.

On Jun 9, 2011 2:07 PM, John Cook john.c...@pfsf.org wrote:

Honestly, I would (if possible) pull the machine out from under the user (make up some excuse about a warranty issue or something), wrap it in tape so the case can't be cracked, and have someone sign it and date it for future reference.
RE: RE: RE: windows 7 forensics
Boot it from a CD and image it, then do your poking around.

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Thursday, June 09, 2011 2:15 PM
To: NT System Admin Issues
Subject: Re: RE: RE: windows 7 forensics

Understand and agree. However, if the boss says "do it anyway", what approach would you use?

Jonathan
Re: RE: RE: windows 7 forensics
I would beg him to contact a lawyer before proceeding. If that doesn't get anywhere, I'd ask for a signed letter indemnifying me of responsibility should this proceed to litigation.

First thing is to tell the boss that this is not a technical problem. It is a legal issue. A legal issue that requires some technical assistance, but it is a matter of discovery, and that is a LEGAL process, not a technical one.

On Thu, Jun 9, 2011 at 2:15 PM, Jonathan ncm...@gmail.com wrote:

Understand and agree. However, if the boss says "do it anyway", what approach would you use?

Jonathan
RE: RE: RE: windows 7 forensics
Sector-by-sector image, and again, as Robert said, write protections should be in place, unless you want a lawyer basically shooting a big hole in your chain of evidence/custody, which is required to even get the evidence into a court of law.

Best to leave the forensics to a reputable outsourced company that does it all the time. (They have the tools and experience in dealing with chain of evidence, proper techniques, and going to court to explain what they have found and how it's material to the case.)

Z

Edward E. Ziots
CISSP, Network+, Security+
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Thursday, June 09, 2011 2:22 PM
To: NT System Admin Issues
Subject: RE: RE: RE: windows 7 forensics

Boot it from a CD and image it, then do your poking around.
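Jim Kennedy's "boot it from a CD and image it" and Edward Ziots's "sector-by-sector image, with write protection in place, or your chain of custody has a hole in it" describe one procedure. The script below is an added example of that procedure; it is not code from any of the list posters. It assumes a Linux boot CD with root privileges, GNU coreutils (dd, sha256sum) and util-linux (blockdev); the function names, the device path, the output directory and the case label are placeholders of my own. The evidence drive is set read-only at the kernel level (a fallback; a hardware write blocker is the proper tool), copied sector by sector including unallocated space, and the source hash, image hash, dd record counts, timestamps and operator are written to a log so that anyone handed the image later can re-verify it. It accepts a regular file in place of a device so it can be exercised without real hardware.

```shell
#!/bin/sh
# Added example: forensic imaging from a boot CD with a hash log for
# chain of custody. Not from the original thread. Assumes root, GNU
# coreutils and util-linux on a Linux live CD; paths are placeholders.

# image_disk SRC OUTDIR CASEID
#   SRC     evidence drive, e.g. /dev/sdb (whole device, not a partition,
#           and never the drive the live CD booted from); a regular file
#           is accepted so the function can be tested offline.
#   OUTDIR  directory on a separate, writable evidence drive.
#   CASEID  label used for the image and log file names.
# Returns 0 only if the image hashes identically to the source.
image_disk() {
    src="$1"; outdir="$2"; caseid="$3"
    img="$outdir/$caseid.dd"
    log="$outdir/$caseid.log"
    mkdir -p "$outdir" || return 1

    # Software write protection: refuse writes to the device at the block
    # layer before anything else touches it. A hardware write blocker is
    # still preferred; this is the fallback when you have none.
    if [ -b "$src" ]; then
        blockdev --setro "$src" || return 1
    fi

    {
        printf 'case: %s\nsource: %s\n' "$caseid" "$src"
        printf 'operator: %s\nstarted: %s\n' "$(id -un)" "$(date -u +%FT%TZ)"
    } > "$log"

    # Hash the source before copying. On a real drive this is a full read.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1) || return 1
    printf 'source_sha256: %s\n' "$src_hash" >> "$log"

    # Raw copy of every sector. noerror keeps going past unreadable
    # sectors; sync pads each failed block with zeros so later offsets stay
    # correct. bs must equal the sector size: with a larger bs, sync would
    # also pad the final partial block and the image hash would no longer
    # match the source. Use bs=4096 for a 4K-sector drive. dd's record
    # counts go to the log so read errors are on the record.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>> "$log" || return 1

    img_hash=$(sha256sum "$img" | cut -d' ' -f1) || return 1
    printf 'image_sha256: %s\nfinished: %s\n' "$img_hash" "$(date -u +%FT%TZ)" >> "$log"

    if [ "$src_hash" = "$img_hash" ]; then
        printf 'verified: yes\n' >> "$log"
        chmod 0444 "$img" "$log"    # the image is evidence; work on a copy
        return 0
    fi
    printf 'verified: NO\n' >> "$log"
    return 2
}

# verify_image IMG LOG
# Recompute the image hash and compare it with the value recorded at
# acquisition. Run this before every analysis session and whenever the
# image changes hands.
verify_image() {
    img="$1"; log="$2"
    logged=$(sed -n 's/^image_sha256: //p' "$log")
    [ -n "$logged" ] || return 1
    actual=$(sha256sum "$img" | cut -d' ' -f1) || return 1
    [ "$logged" = "$actual" ]
}

# Usage from the boot CD, as root (placeholder paths):
#   image_disk /dev/sdb /mnt/evidence CASE-2011-06-09
#   verify_image /mnt/evidence/CASE-2011-06-09.dd /mnt/evidence/CASE-2011-06-09.log
```

The hashes alone do not make a chain of custody; the log has to travel with the image, and the original drive goes into sealed storage once `verified: yes` is recorded. Analysis (mounting the image read-only, pulling browser history, and so on) is done against a copy of the .dd file, never against the original drive.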
RE: RE: RE: windows 7 forensics
x2

In the past, when I was approached about doing this type of investigating, I made sure someone else was able to access the system to do the investigating (HR or a superior). I never agree(d) to do this stuff myself and was never forced to do so or reprimanded in any way.

Don Guyer
Windows Systems Engineer
RIM Operations Engineering Distributed - A Team, Tier 2
Enterprise Technology Group
Fiserv
don.gu...@fiserv.com
Office: 1-800-523-7282 x 1673
Fax: 610-233-0404
www.fiserv.com

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Thursday, June 09, 2011 2:24 PM
To: NT System Admin Issues
Subject: Re: RE: RE: windows 7 forensics

I would beg him to contact a lawyer before proceeding. If that doesn't get anywhere, I'd ask for a signed letter indemnifying me of responsibility should this proceed to litigation. The first thing is to tell the boss that this is not a technical problem. It is a legal issue. A legal issue that requires some technical assistance, but it is a matter of discovery, and that is a LEGAL process, not a technical one.

On Thu, Jun 9, 2011 at 2:15 PM, Jonathan ncm...@gmail.com wrote:
Understand and agree. However, if the boss says "do it anyway", what approach would you use?

Jonathan
A+, MCSA, MCSE

On Jun 9, 2011 2:07 PM, John Cook john.c...@pfsf.org wrote:
Honestly, I would (if possible) pull the machine out from under the user (make up some excuse about a warranty issue or something), wrap it in tape so the case can't be cracked, and have someone sign and date it for future reference.

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Thursday, June 09, 2011 1:56 PM
To: NT System Admin Issues
Subject: Re: RE: windows 7 forensics

Good points from all of you. I don't know that a third party will be brought in at all, but I want to be prepared in case it does turn into something bigger, which is why I asked the list. What would you guys recommend for cloning for this purpose? The last thing I used was Ghost, but have used dfsee and others...

Jonathan
A+, MCSA, MCSE
RE: RE: RE: windows 7 forensics
Get it in writing for CYA.

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Thursday, June 09, 2011 2:15 PM
To: NT System Admin Issues
Subject: Re: RE: RE: windows 7 forensics

Understand and agree. However, if the boss says "do it anyway", what approach would you use?

Jonathan
A+, MCSA, MCSE
Re: RE: RE: RE: windows 7 forensics
Turns out we have a lawyer on the executive team. My instructions are to clone and go from there.

Jonathan
A+, MCSA, MCSE
Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings.

On Jun 9, 2011 2:37 PM, John Cook john.c...@pfsf.org wrote:
Get it in writing for CYA.
Re: RE: RE: RE: windows 7 forensics
Still get it in writing...

On Thu, Jun 9, 2011 at 2:48 PM, Jonathan ncm...@gmail.com wrote:
Turns out we have a lawyer on the executive team. My instructions are to clone and go from there.

Jonathan
A+, MCSA, MCSE
RE: RE: RE: RE: windows 7 forensics
There are a few forensic sites that will help guide you. There are a few software packages that have passed court review to show that the original is not changed in any way when making an image. EnCase comes to mind, but there are others. Of course I can't remember them right now. A couple of them were open source packages.

The other information given is good. If the user has to have a computer and you do not have a spare machine, pull the drive, put a new one in and restore from backup. Document everything you do, but do not use the saved drive if there is the slightest possibility of the need to go beyond your initial examination.

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Thursday, June 09, 2011 11:49 AM
To: NT System Admin Issues
Subject: Re: RE: RE: RE: windows 7 forensics

Turns out we have a lawyer on the executive team. My instructions are to clone and go from there.

Jonathan
A+, MCSA, MCSE
RE: RE: windows 7 forensics
G4L is a good app...

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Thursday, June 09, 2011 1:56 PM
To: NT System Admin Issues
Subject: Re: RE: windows 7 forensics

Good points from all of you. I don't know that a third party will be brought in at all, but I want to be prepared in case it does turn into something bigger, which is why I asked the list. What would you guys recommend for cloning for this purpose? The last thing I used was Ghost, but have used dfsee and others...

Jonathan
A+, MCSA, MCSE

Consider the environment. Please don't print this e-mail unless you really need to. This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arises from the use of this email or attachments.
Re: RE: RE: RE: windows 7 forensics
+1000

It's as easy as an email to the principals stating:

As discussed, I will be creating a cloned copy of the drive with serial #xxx for use in our internal investigation. Please confirm that you want me to lock the original in the safe, or provide it to legal, before I continue. Thanks!

ASB (Professional Bio: http://about.me/Andrew.S.Baker/bio)
Harnessing the Advantages of Technology for the SMB market...

On Thu, Jun 9, 2011 at 2:52 PM, Jonathan Link jonathan.l...@gmail.com wrote:
Still get it in writing...

On Thu, Jun 9, 2011 at 2:48 PM, Jonathan ncm...@gmail.com wrote:
Turns out we have a lawyer on the executive team. My instructions are to clone and go from there.

Jonathan
A+, MCSA, MCSE
Re: RE: RE: windows 7 forensics
On Thu, Jun 9, 2011 at 2:15 PM, Jonathan ncm...@gmail.com wrote:
Understand and agree. However, if the boss says, do it anyway, what approach would you use?

I would avoid MS Windows, as it has a tendency to want to write to the disk without asking. (Due to things like updating the MBR for various weird reasons (disk signatures, etc.), auto-mount of anything that looks like NTFS, etc.)

Me, I'd boot a rescue Linux system (I like SysRescueCD) and use

dd if=/dev/foo of=/mnt/bar/image

where foo is the source disk name and bar is a network server I'd mounted. Be warned that if you get the syntax wrong, dd will happily overwrite your disk for you. "if" is input file, "of" is output file; not hard, just unforgiving.

If you want to use MS Windows, they sell these devices that plug between the hard drive and the host adapter and block all write commands, making the drive effectively read-only.

-- Ben
Re: RE: RE: windows 7 forensics
Thanks again for the input. Next question: what about USB flash drive forensics? I briefly scanned the first part of this article, albeit from 2007. Would what you describe below still be valid for a USB flash drive?

Thanks,
Jonathan

On Thu, Jun 9, 2011 at 6:42 PM, Ben Scott mailvor...@gmail.com wrote:
On Thu, Jun 9, 2011 at 2:15 PM, Jonathan ncm...@gmail.com wrote:
Understand and agree. However, if the boss says, do it anyway, what approach would you use?

I would avoid MS Windows, as it has a tendency to want to write to the disk without asking. (Due to things like updating the MBR for various weird reasons (disk signatures, etc.), auto-mount of anything that looks like NTFS, etc.)

Me, I'd boot a rescue Linux system (I like SysRescueCD) and use

dd if=/dev/foo of=/mnt/bar/image

where foo is the source disk name and bar is a network server I'd mounted. Be warned that if you get the syntax wrong, dd will happily overwrite your disk for you. "if" is input file, "of" is output file; not hard, just unforgiving.

If you want to use MS Windows, they sell these devices that plug between the hard drive and the host adapter and block all write commands, making the drive effectively read-only.

-- Ben

-- Jonathan, A+, MCSA, MCSE
Re: RE: RE: windows 7 forensics
Forgot to include the link: http://www.ssddfj.org/papers/SSDDFJ_V1_1_Bem_Huebner.pdf

Jonathan

-- Jonathan, A+, MCSA, MCSE
RE: RE: RE: windows 7 forensics
There are a lot of things to consider. The first, chain of custody (pulling the PC with 2 people and then certifying that it hasn't been tampered with), is your primary requirement. After that I would let the real boys handle it (3rd party/legal team, etc.).

I went through something similar with a company who found an employee using AOL with child porn videos (not for sale or anything, I guess). The FBI came in and everything, and I learned a lot during that process (he went to jail for 10 years, FWIW). They worked up a huge document discussing the file timestamps, the A/V, spyware, the temp file locations, the history of different video viewing apps in the registry. This was all done with a ghosted copy of the drive to preserve the original as evidence.

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Thursday, June 09, 2011 8:44 PM
To: NT System Admin Issues
Subject: Re: RE: RE: windows 7 forensics

Forgot to include the link: http://www.ssddfj.org/papers/SSDDFJ_V1_1_Bem_Huebner.pdf

Jonathan
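As an added example (not code from anyone on this list), here is the dd acquisition Ben describes wrapped with the hash record that the chain-of-custody point above needs: the image is hashed against the source at acquisition time and can be re-checked later to show it has not been tampered with. /dev/foo, the image path and the log path are placeholders, and the test stands a constructed file in for the device.

```shell
#!/bin/sh
# Added example, not code from the thread.  Images a source device with dd
# the way Ben describes (if=source, of=image), proves the image is
# bit-identical by hashing both, and records the hashes so the copy can be
# re-verified later.  /dev/foo and the paths are placeholders; the test
# stands a constructed file in for the device.
set -eu

# image_and_verify SOURCE IMAGE LOGFILE
# Returns 0 only if the sha256 of SOURCE and IMAGE agree.
image_and_verify() {
    src=$1 img=$2 log=$3
    # Guard against the if=/of= mix-up Ben warns about: the output must be
    # a regular file, never a block device.
    if [ -b "$img" ]; then
        echo "refusing: output $img is a block device" >&2
        return 2
    fi
    # bs=512 with conv=noerror,sync keeps going past unreadable sectors and
    # zero-fills them so offsets stay aligned.  A larger bs would pad the
    # final partial block and change the image size and hash, so stay at 512.
    # dd's records in/out summary is appended to the log too.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    chmod 0444 "$img"    # permission bits only, but it stops casual edits
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "acquired=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src sha256=$src_hash bytes=$(wc -c <"$src")"
        echo "image=$img sha256=$img_hash"
    } >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOGFILE
# Re-hashes IMAGE against the hash recorded at acquisition; 0 if unchanged,
# 1 if it differs or no record exists (the "not tampered with" check).
verify_image() {
    img=$1 log=$2
    recorded=$(sed -n 's/^image=.* sha256=\([0-9a-f]*\)$/\1/p' "$log" | tail -n 1)
    [ -n "$recorded" ] || return 1
    [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$recorded" ]
}

# Usage (placeholders): image_and_verify /dev/foo /mnt/bar/image /mnt/bar/acq.log
```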