Security Basics mailing list archives
Re: forensics tools - preserving data?
From: Barrie Dempster <barrie () reboot-robot net>
Date: Wed, 06 Oct 2004 11:43:11 +0100
Don't bother. If they want to use it in a court of law, anything less than a recognisable expert in the field will be shot down by any half-decent lawyer. There are many tools that would help you, but if you don't have any forensics training then you will only be weakening your employer's case.

The fact that you have poked around in there already is bad for your case. Evidence can easily be planted in most computer systems; you've been in there touching files and running programs, probably even booting up the OS to do so. All of this is bad for forensic integrity and ammo for the ex-employee's lawyer. I suggest asking for advice on the forensics list, or even for recommendations of reputable companies in your area to carry out the work.

Lawyer's questions:

"You are an employee of CompanyX, surely it's in your interest to see my client's case fail?"

"Which forensics school did you go to again?"

"Did you seriously base your company's case on a tool some guy recommended on the internet?"

You don't want to be stuck trying to answer questions like these (which took me a few seconds to think up; a good lawyer would make you look like a complete ass, that's their job). Advise your employer to get _independent_, verifiable, expert witnesses.

On Mon, 2004-10-04 at 18:44, Dana Rawson wrote:
G'Day All,

Before I begin, I wanted to thank everyone who had provided me with direction on my last post regarding pgp. Hopefully I have as simple a question as before.

I have a client who recently had to terminate an employee and part of their decision was based on dereliction of duty. Basically too much time spent surfing the internet and not performing her expected duties. They have asked me to gather the internet history, temporary internet directory files, etc. I can pull up the files, archive them and explain the information to them. But how do I go about extracting the information (i.e. the internet address of the many files that lie in the temp internet dir) so I am able to present it in an acceptable fashion that they might use it in a court of law as evidence should it come to that?

I have been looking but can't seem to find what I think I need. I have located tools on http://www.networkintrusion.co.uk/fortools.htm and see that NetAnalysis might prove useful but appears to be overkill. Or is this exactly what I need?

Thanks in advance, again.
-- Barrie Dempster (zeedo) - Fortiter et Strenue http://www.bsrf.org.uk [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
Current thread:
- forensics tools - preserving data? Dana Rawson (Oct 04)
- Re: forensics tools - preserving data? GuidoZ (Oct 05)
- RE: forensics tools - preserving data? Oscar Kooijman (Oct 05)
- Re: forensics tools - preserving data? Barrie Dempster (Oct 06)
- <Possible follow-ups>
- RE: forensics tools - preserving data? Beauford, Jason (Oct 06)
- Re: forensics tools - preserving data? GuidoZ (Oct 06)
- RE: forensics tools - preserving data? Ghaith Nasrawi (Oct 06)
- Re: forensics tools - preserving data? H Carvey (Oct 07)
- Re: forensics tools - preserving data? GuidoZ (Oct 08)