Security Basics mailing list archives

RE: Initial Machine login - Computer Forensics 101


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 4 Feb 2008 09:23:36 -0800

  Making the copy is the FIRST approach.  In fact, make TWO copies --
one to save, and one to analyze.  Hubby may want his laptop back, and
it doesn't sound like you have any legal basis to hold onto it.

  There are tools that will let you set the Administrator password and 
log in.  But that immediately opens the question of what things on 
the drive are the result of hubby's actions, and which of YOURS.  If
there's any chance of someone wanting your findings to be given as 
courtroom evidence, you don't want that to be in question.
  Ideally, you want to be able to give the opposing legal team their
own copy of the drive image as you received it, so they can have their
own analysis done.  (Hopefully, they'll come up with near enough the
same results you did that the matter won't have to go to trial.)

David Gillett


-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Michael Condon
Sent: Saturday, February 02, 2008 8:15 PM
To: security-basics () securityfocus com
Subject: Initial Machine login - Computer Forensics 101

Here is a Computer Forensics 101 question.
Suppose a distraught woman comes to me with her husband's 
laptop and wants me to search it for information about a 
suspected marital indiscretion.
1. Assuming it is an XP/Vista machine, how can I log in as 
administrator?
2. Is the second approach to make a bitstream copy of the hard 
drive using an external USB hard drive enclosure and proceed that way? 
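
An added example, not part of the original thread: one way to show that the copy to save and the copy to analyze both still match the image as received is to record a hash at acquisition and re-check each copy later. Hashing is an assumption here (the posts do not mention it); the file names and the `verify_copies` helper are hypothetical, and small constructed files stand in for drive images.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_copies(acquisition_sha256, copies):
    """Compare each copy with the hash recorded at acquisition (hypothetical helper)."""
    entries = []
    for label, path in copies.items():
        digest = sha256_file(path)
        entries.append({"label": label, "bytes": os.path.getsize(path),
                        "sha256": digest, "matches": digest == acquisition_sha256})
    return {"checked_utc": datetime.now(timezone.utc).isoformat(),
            "acquisition_sha256": acquisition_sha256,
            "copies": entries,
            "all_match": all(e["matches"] for e in entries)}


def demo():
    """Constructed sample: small files stand in for the two drive images."""
    with tempfile.TemporaryDirectory() as d:
        paths = {"save": os.path.join(d, "save.img"),
                 "analyze": os.path.join(d, "analyze.img")}
        image = bytes(range(256)) * 8192  # 2 MiB of constructed data
        for p in paths.values():
            with open(p, "wb") as f:
                f.write(image)
        acquired = sha256_file(paths["save"])
        before = verify_copies(acquired, paths)
        # Simulate the analysis copy being altered, e.g. by booting or mounting it read-write.
        with open(paths["analyze"], "r+b") as f:
            f.seek(100)
            f.write(b"\xff")
        after = verify_copies(acquired, paths)
        return before, after


if __name__ == "__main__":
    for report in demo():
        print(report["all_match"], [(c["label"], c["matches"]) for c in report["copies"]])
```

A single changed byte in the analysis copy flips its `matches` flag while the saved copy still verifies, which is the distinction between the examiner's actions and the original contents that the reply is concerned with.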
