RE: tools used to examine a computer

["Robinson, Sonja" <SRobinson () HIPUSA com>]

In any event a BITSTREAM copy should be taken of any drive prior to analysis
if that is possible.  There are times when it is not.  Harlan has some good
points on processes, servies and the like.  You want to document those
before you take down a machine (workstation or server)anyway if you are able
to.  In the case of a server, you may not be able to take it down.  In that
case there are processes and analysis you can do without takin git down.
Also, there are tools that CAN do bitsream copies on LIVE machines.  That
being said.  If you can't take it down and you want to copy across a network
you can do that.  It does not destroy chain of custody (which is the term we
should be using) and you are not corrupting your evidence.  You may change
an access date (I did not test this and don't have time at the moment) but
you still have your modification and creation dates which won't change.  In
addition if you are following proper forensic procedures, all of this should
be documented (incl date and time) so you can prove that you did the copy
but it didn't modify.  I've done it and it will hold up.  Why would I copy
an entire 100GB serve to get one 100MB user share?  I could but you need to
do a costbenefit analysis before you do. IE. Is what in free, swap and slack
space potentially of enough interst to me to warrant that review since
potentially that amount can be HUGE.  A workstation can be different since
I'm not sorting through other users stuff and I can basically attribute all
or most of the files to a particular user based on profiles (assuming
Windows OS).    Key is proper FORENSIC PROCESSES are followed.  If you can
document and you are not touching MODIFY or CREATION dates then you are
pretty much OK as long as you document properly.   

> -----Original Message-----
> From: Trevor Cushen [mailto:Trevor.Cushen () sysnet ie] 
> Sent: Wednesday, February 19, 2003 12:35 PM
> To: security-basics () securityfocus com
> Subject: RE: tools used to examine a computer
>
>
> DD is not copying.  Copying can change file properties as in 
> MAC details on the new system  or the destination.  The MAC 
> being changed is the problem.  The original email I was 
> answering didn't discuss documenting either or getting the 
> MD5 signature.  DD will give a bit by bit copy which will 
> give the same MD5 signatures and is handy if the machine 
> cannot be rebooted.  The disk should be cloned before 
> anything is done on the machine as in copying files or 
> anything.  The document I refered to gave a way of doing that 
> and is accepted by law enforcement once you have the MD5 signature.
>
> Trevor Cushen
> Sysnet Ltd
>
> www.sysnet.ie
> Tel: +353 1 2983000
> Fax: +353 1 2960499
>
>
>
> -----Original Message-----
> From: H C [mailto:keydet89 () yahoo com] 
> Sent: 18 February 2003 18:02
> To: Trevor Cushen
> Cc: security-basics () securityfocus com
> Subject: RE: tools used to examine a computer
>
>
> > Also on the point of copying files over the network
> > first, correct me if
> > I'm wrong but that damages the chain of evidence.
>
> Now so?  If one collects the necessary info (ie, MAC
> times, NTFS ADSs, permissions, full path, etc), hashes
> the file (MD5 and/or SHA-1), and then copies the file
> over the network using something like 'dd' or type,
> and netcat/cryptcat, how is the chain of evidence
> broken?  Especially if it's documented?
>
> > Have a look at the
> > link below, goes about it a bit long winded but
> > essentially shows how to
> > clone a hard drive over a network connection.  This
> > can be done with
> > Windows machines as DD and Netcat can be run from
> > floppy on a Windows machine.
>
> I'm not sure what you're getting at...first you make a 
> reference to breaking the chain of evidence by copying a 
> file, but then you talk about cloning an os over the network 
> using dd and netcat.  Wouldn't doing so also break your chain 
> of evidence, if your reasoning is to hold?
>
>   
>
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Shopping - Send Flowers for Valentine's Day 
http://shopping.yahoo.com




****************************************************************************
**********

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 

If you have received this message in error please notify SYSNET Ltd., at
telephone no: +353-1-2983000 or postmaster () sysnet ie

****************************************************************************
**********


**********************************************************************
This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or 
others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby 
notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have 
received this communication in error, please notify the sender of the error immediately, do not read or use the 
communication in any manner, destroy all copies, and delete it from your system if the communication was sent via 
email. 




**********************************************************************