Security Basics mailing list archives

Re: forensics tools - preserving data?


From: Barrie Dempster <barrie () reboot-robot net>
Date: Wed, 06 Oct 2004 11:43:11 +0100

Don't bother.

If they want to use it in a court of law, anything less than a
recognisable expert in the field will be shot down by any half decent
lawyer. There are many tools that would help you, but if you don't have
any forensics training then you will only be weakening your employer's
case. The fact that you have poked around in there already is bad for
your case: evidence can easily be planted in most computer systems, and
you've been in there touching files and running programs, probably even
booting up the OS to do so. All of this is bad for forensic integrity
and ammo for the ex-employee's lawyer.

I suggest asking for advice on the forensics list, or even for
recommendations of reputable companies in your area to carry out the
work.

Lawyer's questions:
"You are an employee of CompanyX, surely it's in your interest to see my
client's case fail?"
"Which forensics school did you go to again?"
"Did you seriously base your company's case on a tool some guy
recommended on the internet?"

You don't want to be stuck trying to answer questions like these (which
took me a few seconds to think up; a good lawyer would make you look
like a complete ass, that's their job). Advise your employer to get
_independent_, verifiable, expert witnesses.

On Mon, 2004-10-04 at 18:44, Dana Rawson wrote:
G'Day All,

Before I begin, I wanted to thank everyone who had provided me with direction on my last post regarding pgp.

Hopefully I have as simple a question as before.

I have a client who recently had to terminate an employee, and part of their decision was based on dereliction of duty. Basically too much time spent surfing the internet and not performing her expected duties.

They have asked me to gather the internet history, temporary internet directory files, etc.

I can pull up the files, archive them and explain the information to them. But how do I go about extracting the information (i.e. the internet address of the many files that lie in the temp internet dir) so I am able to present it in an acceptable fashion that they might use in a court of law as evidence, should it come to that?

I have been looking but can't seem to find what I think I need. I have located tools on
http://www.networkintrusion.co.uk/fortools.htm
and see that NetAnalysis might prove useful but appears to be overkill. Or is this exactly what I need?

Thanks in advance, again.
-- 
Barrie Dempster (zeedo) - Fortiter et Strenue

  http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
