Security Basics mailing list archives

RE: tools used to examine a computer


From: H C <keydet89 () yahoo com>
Date: Thu, 20 Feb 2003 11:28:24 -0800 (PST)

...good points on processes, services and the like. You want to document those before you take down a machine (workstation or server) anyway if you are able to.

Again, it's quite easy to document this sort of thing, as well as a wide range of other data...it all simply has to be part of the methodology.  Other areas of interest may include command history, clipboard contents, drivers (and their state), etc.  Other non-volatile items that you may want to document prior to shut down include Registry key values, Registry key LastWrite times, etc.

It does not destroy chain of custody (which is the term we should be using

Good point.  The correct use of terminology,
particularly in an area as technical as this
discussion, is important.  When other, unusual terms
and phrases, w/o an explanation, begin to be used, the
discussion can quickly break down...there is no common
ground on which to converse at that point.  "Chain of
custody" means something specific when talking about
forensics..."chain of evidence" only has a specific
meaning to the person using that phrase.

Key is proper FORENSIC PROCESSES are followed.  If you can document and you are not touching MODIFY or CREATION dates then you are pretty much OK as long as you document properly.

Agreed.  Even writing down the last access date in
your notebook, and then copying the file, would be an
appropriate process, under the right circumstances. 
I'd prefer to use a specific tool to extract those
values, rather than running three separate 'dir'
commands.
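An added illustration of the "specific tool" approach described above, written for this archive page and not code from the thread's author: a small Python script that records a file's size, permissions and timestamps before hashing it, so the documented last-access time is the one that existed before the examiner's own read. It assumes Python 3 and uses only the standard library.

```python
"""Record a file's timestamps and hash before it is copied.

Added illustration, not a tool from the original thread: capture the
stat() timestamps first, then hash the content, so the documented
last-access time predates our own read of the file.
"""
import hashlib
import os
import stat
from datetime import datetime, timezone


def _iso(ts: float) -> str:
    """Render a POSIX timestamp as an unambiguous UTC ISO-8601 string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def document_file(path: str) -> dict:
    """Return a record of size, mode, MAC times and SHA-256 for one file.

    Order matters: os.lstat() does not alter the file's timestamps, but
    reading the content for the hash may update last-access time on
    file systems that track it, so the stat is taken first.
    """
    st = os.lstat(path)  # lstat: do not follow symlinks
    record = {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "modified": _iso(st.st_mtime),
        "accessed": _iso(st.st_atime),
        # st_ctime is inode-change time on Unix, creation time on Windows
        "changed": _iso(st.st_ctime),
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        record["sha256"] = h.hexdigest()
    return record


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        for k, v in document_file(p).items():
            print(f"{k}: {v}")
```

Run it against the files of interest before copying them and keep its output with the examiner's notes; the "accessed" value is what a later copy or open would have disturbed.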
