Security Basics mailing list archives

Re: forensics tools - preserving data?


From: GuidoZ <uberguidoz () gmail com>
Date: Fri, 8 Oct 2004 01:48:13 -0500

Thanks for the shout-out!  ;-)

I call 'em like I see 'em. ;) The book was well written and made
sense. I've also seen other posts here by you and they were right on
target from what I could tell. So, you're more than welcome. Thanks
for coming when called. =D

Re: "so I am able to present it"...a big issue involving forensics (and just about
any other highly technical area) is that many practitioners somehow expect the
layman to just "get it".  So presenting the data in a way that can be easily
understood is an issue.

Bingo. I've hit this road block so many times it's just annoying now.
I've got a knack for explaining the most complex things in a way that the
"average user" can understand. However, some things (and some people
for that matter) simply can't be beat.

<soapbox ranting>

=) A very good, yet often overlooked, aspect. I've also run across a
similar situation where it wasn't possible to prove an employee was
wasting enough time to warrant the punishment (fired). It didn't
matter that I could show log files obtained from the firewall or
websites from the Temp Internet files. (I never showed up in court
about this - the company decided they didn't have enough technical
evidence to require an expert witness. They simply brought in a
report... so I don't know the specifics of what happened next.) In the
long run though, the employee sued and won. Go figure.

--
Peace. ~G


On 6 Oct 2004 18:13:47 -0000, H Carvey <keydet89 () yahoo com> wrote:
In-Reply-To: <b7bc1b1f041005000317675d35 () mail gmail com>

~G,

Finally, hopefully Harlan Carvey will pipe up and share his expertise.

See http://www.windows-ir.com/ for more info.

Thanks for the shout-out!  ;-)

I can pull up the files, archive them and explain the information to them.  But how do I go about extracting the 
information (i.e., the internet address of the many files that lie in the temp internet dir) so I am able to 
present it in acceptable fashion that they might use it in a court of law as evidence should it come to that.



A couple of things come to mind...

Re: "use it in a court of law as evidence"...this will depend heavily on your country and jurisdiction, and accepted 
forensic processes.  However, you're more than likely going to end up imaging the drive and using those processes to 
perform your analysis.

Re: "so I am able to present it"...a big issue involving forensics (and just about any other highly technical area) 
is that many practitioners somehow expect the layman to just "get it".  So presenting the data in a way that can be 
easily understood is an issue.

Now, not to go too far off target, but...

<soapbox>

You said that this issue is one of an employee not completing tasks because they spent too much time surfing the web. 
The temp Internet files will tell you what pages were visited and when, but are you hoping to show the amount of 
time spent on each page?

In a nutshell, in my experience, I really don't see this as a forensics issue...in fact, I believe that it's a waste 
of time.  What *should* happen is that the manager should document the fact that the employee is not completing tasks 
on time, and even go so far as to put the tasks and deadline in writing.

</soapbox>

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/

"Meddle not in the affairs of dragons, for
you are crunchy, and good with ketchup."

"The simplicity of this game amuses me.
Bring me your finest meats and cheeses."
------------------------------------------
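
The question in the quoted message was how to pull the internet addresses out of the Temporary Internet Files directory in a form that can be presented. What follows is an added example that is not part of this thread and is not code from Harlan Carvey's book or site: a small Python script that walks an IE 5/6-style index.dat buffer (the index the browser keeps beside the cached files), lists each "URL " record with its last-accessed time and cached filename, and heads the listing with the SHA-256 of the buffer it was produced from, so the report can be tied to the specific image or file copy it came from. The record offsets it relies on (128-byte blocks, uint32 length-in-blocks after the signature, FILETIMEs at 0x08 and 0x10, URL offset at 0x34, directory index at 0x38, filename offset at 0x3C) are my description of the MSIE 5.x "Client UrlCache MMF" layout, not something stated on this page, and the sample buffer at the bottom is constructed for the demonstration rather than taken from a real system.

```python
# Added example, not code from the original thread or from Harlan Carvey's
# book/site: walk an IE 5/6-style index.dat buffer, list the "URL " records
# with their last-accessed time, and hash the buffer so the listing can be
# tied to one specific evidence copy. Record layout assumed here (the MSIE 5.x
# "Client UrlCache MMF" format): 128-byte blocks, records block-aligned;
# b"URL " + uint32 length-in-blocks; 0x08 last-modified FILETIME; 0x10
# last-accessed FILETIME; 0x34 uint32 offset of the NUL-terminated URL; 0x38
# uint8 cache-directory index; 0x3C uint32 offset of the cached filename.
# The sample buffer at the bottom is constructed for the demonstration.
import hashlib
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128
URL_SIG = b"URL "
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _cstring(buf, off):
    end = buf.find(b"\x00", off)
    return buf[off:(end if end != -1 else len(buf))].decode("latin-1")


def parse_url_records(data):
    """Return one dict per "URL " record found on a block boundary."""
    records, pos = [], 0
    while pos + BLOCK <= len(data):
        if data[pos:pos + 4] != URL_SIG:
            pos += BLOCK              # file header, HASH table, REDR/LEAK or free block
            continue
        nblocks = struct.unpack_from("<I", data, pos + 4)[0]
        size = nblocks * BLOCK
        if nblocks == 0 or pos + size > len(data):
            break                     # damaged length field: stop rather than guess
        rec = data[pos:pos + size]
        modified, accessed = struct.unpack_from("<QQ", rec, 0x08)
        url_off = struct.unpack_from("<I", rec, 0x34)[0]
        name_off = struct.unpack_from("<I", rec, 0x3C)[0]
        records.append({
            "offset": pos,
            "url": _cstring(rec, url_off),
            "filename": _cstring(rec, name_off) if name_off else "",
            "dir_index": rec[0x38],
            "modified": filetime_to_datetime(modified) if modified else None,
            "accessed": filetime_to_datetime(accessed) if accessed else None,
        })
        pos += size
    return records


def evidence_report(data):
    """Plain-text listing, headed by the SHA-256 of the buffer it came from."""
    lines = ["source sha256: " + hashlib.sha256(data).hexdigest()]
    for r in parse_url_records(data):
        when = r["accessed"].strftime("%Y-%m-%d %H:%M:%S UTC") if r["accessed"] else "unknown"
        lines.append(f"{when}  {r['url']}  -> {r['filename'] or '(no cached file)'}")
    return "\n".join(lines)


# --- constructed sample standing in for a real index.dat --------------------
def _url_record(url, filename, accessed):
    url_b = url.encode() + b"\x00"
    name_b = filename.encode() + b"\x00" if filename else b""
    url_off = 0x68                                 # where IE 5.x usually puts the URL
    name_off = url_off + len(url_b) if filename else 0
    body = bytearray(url_off) + url_b + name_b
    nblocks = -(-len(body) // BLOCK)               # round up to whole blocks
    body += b"\x00" * (nblocks * BLOCK - len(body))
    body[0:4] = URL_SIG
    struct.pack_into("<I", body, 4, nblocks)
    struct.pack_into("<QQ", body, 0x08, 0, datetime_to_filetime(accessed))
    struct.pack_into("<I", body, 0x34, url_off)
    body[0x38] = 1
    struct.pack_into("<I", body, 0x3C, name_off)
    return bytes(body)


SAMPLE_INDEX_DAT = (
    b"Client UrlCache MMF Ver 5.2\x00".ljust(BLOCK, b"\x00")
    + b"HASH".ljust(BLOCK, b"\x00")
    + _url_record("http://www.windows-ir.com/", "index[1].htm",
                  datetime(2004, 10, 6, 18, 13, 47, tzinfo=timezone.utc))
    + _url_record("http://groups.yahoo.com/group/windowsir/", "",
                  datetime(2004, 10, 8, 6, 48, 13, tzinfo=timezone.utc))
)

if __name__ == "__main__":
    print(evidence_report(SAMPLE_INDEX_DAT))
```

Run it against a copy of index.dat read from an image rather than the live file, and record the hash line alongside the image hash; the script stops at the first record whose length field runs past the end of the buffer instead of guessing, which is the behaviour you want when the index came off a damaged or partially overwritten cache.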


