Security Basics mailing list archives
RE: Initial Machine login - Computer Forensics 101
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Tue, 5 Feb 2008 14:03:48 +1000
Hi Michael,

I won't repeat the great advice already provided on the subject of whether this is illegal or not, but from a practical standpoint, you would normally want to image the machine before doing anything. If the machine is already on then you may want to capture any volatile data before doing anything like booting it from a live distro. You never know what 'evidence' might be lost in that reboot.

I was always taught that whilst you need to work hard not to disturb/change any data, sometimes this may not be possible (time and technical constraints, perhaps), so make sure you document everything and show that if data was changed, how and why it was changed. I.e., show which tracks are yours and which are not.

OK, I lied. I will repeat what others have said, that the whole situation seems like you are asking for a lot of trouble if you just go ahead and start investigating without proper authorisation. I have had to do investigations at work which have resulted in sackings and even though they involved company machines used by employees who had been warned implicitly through the contracts they signed of the company monitoring policy, I always made sure legal would sign off on what I was doing. In writing.

Step carefully here. Good luck.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Michael Condon
Sent: Sunday, February 03, 2008 2:15 PM
To: security-basics () securityfocus com
Subject: Initial Machine login - Computer Forensics 101

Here is a Computer Forensics 101 question. Suppose a distraught woman comes to me with her husband's laptop and wants me to search it for information about a suspected marital indiscretion.

1. Assuming it is an XP/Vista machine, how can I log in as administrator?
2. Is the second approach to make a bitstream copy of the hard drive using an external USB hard drive enclosure and proceed that way?