Security Basics mailing list archives
Re: forensics tools - preserving data?
From: GuidoZ <uberguidoz () gmail com>
Date: Fri, 8 Oct 2004 01:48:13 -0500
> Thanks for the shout-out! ;-)
I call 'em like I see 'em. ;) The book was well written and made sense. I've also seen other posts here by you and they were right on target from what I could tell. So, you're more than welcome. Thanks for coming when called. =D
> Re: "so I am able to present it"...a big issue involving forensics (and just about any other highly technical area) is that many practitioners somehow expect the layman to just "get it". So presenting the data in a way that can be easily understood is an issue.
Bingo. I've hit this road block so many times it's just annoying now. I've got a knack to explain the most complex things in a way that the "average user" can understand. However, some things (and some people for that matter) simply can't be beat.
> <soapbox ranting>
=) A very good, yet often overlooked, aspect. I've also run across a similar situation where it wasn't possible to prove an employee was wasting enough time to warrant the punishment (fired). It didn't matter that I could show log files obtained from the firewall or websites from the Temp Internet files. (I never showed up in court about this - the company decided they didn't have enough technical evidence to require an expert witness. They simply brought in a report... so I don't know the specifics of what happened next.) In the long run though, the employee sued and won. Go figure.

--
Peace. ~G

On 6 Oct 2004 18:13:47 -0000, H Carvey <keydet89 () yahoo com> wrote:
> In-Reply-To: <b7bc1b1f041005000317675d35 () mail gmail com>
>
> ~G,
>
> > Finally, hopefully Harlan Carvey will pipe up and share his expertise.
> > See http://www.windows-ir.com/ for more info.
>
> Thanks for the shout-out! ;-)
>
> > I can pull up the files, archive them and explain the information to them. But how do I go about extracting the information (i.e. The internet address of the many files that lie in the temp internet dir) so I am able to present it in acceptable fashion that they might use it in a court of law as evidence should it come to that.
>
> A couple of things come to mind...
>
> Re: "use it in a court of law as evidence"...this will depend heavily on your country and jurisdiction, and accepted forensic processes. However, you're more than likely going to end up imaging the drive and using those processes to perform your analysis.
>
> Re: "so I am able to present it"...a big issue involving forensics (and just about any other highly technical area) is that many practitioners somehow expect the layman to just "get it". So presenting the data in a way that can be easily understood is an issue.
>
> Now, not to go too far off target, but...
>
> <soapbox>
> You said that this issue is one of an employee not completing tasks because they spent too much time surfing the web. The temp Internet files will tell you what pages were visited and the when, but are you hoping to show the amount of time spent on each page? In a nutshell, in my experience, I really don't see this as a forensics issue...in fact, I believe that it's a waste of time. What *should* happen is that the manager should document the fact that the employee is not completing tasks on time, and even go so far as to put the tasks and deadline in writing.
> </soapbox>
>
> ------------------------------------------
> Harlan Carvey, CISSP
> "Windows Forensics and Incident Recovery"
> http://www.windows-ir.com
> http://groups.yahoo.com/group/windowsir/
>
> "Meddle not in the affairs of dragons, for you are crunchy, and good with ketchup."
>
> "The simplicity of this game amuses me. Bring me your finest meats and cheeses."
> ------------------------------------------