Security Basics mailing list archives
Re: forensics procedure for PC analysis
From: Richard Thomas <austindad () gmail com>
Date: Fri, 1 May 2009 10:50:26 -0500
John,

Now that would be a long email. I have done exactly what you are looking to do. The success in forensic analysis is all about your process, documentation, and experience.

dd will work as long as you use the proper options to ensure a bit-level copy of the data. Never perform your analysis on the suspect drive, only on the bit-level copy. If you suspect a computer of containing evidence, no graceful shutdowns, no looking around, just pull the plug and acquire your copy.

Document all steps and results as if the information will be used in a court case. Consult an attorney regarding specifics.

Here is an interesting writeup on the process with some good references at the end. Good luck.

http://www.search.org/files/pdf/CollectEvidenceRunComputer.pdf

Richard Thomas

On Mon, Apr 27, 2009 at 5:31 AM, John O Laoi <brianolaoi () gmail com> wrote:
Hello,

Does anyone have pointers to a full recommended procedure on preserving PC data for forensic analysis? I'm thinking about things like getting a full backup (using dd), preserving the disks, graceful shutdown or not, etc.

My employer has asked me to look into drafting a policy to address this, in situations where say illicit material has been lodged to disk.

John

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class. Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
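The dd acquisition Richard describes, as an added example that is not part of either post in the thread: a POSIX shell script that makes a bit-level copy with `conv=noerror,sync`, hashes the source and the image with SHA-256, and records every step in an acquisition log. It assumes `dd` and either `sha256sum` or `shasum` are on the path. The "suspect device" is a constructed 64 KiB file of random bytes so the script runs without root or a real disk; on a real case the source would be the drive attached through a write blocker (the path `/dev/sdb` in the comments is only illustrative). The second demo shows the edge case that bites people: a block size that does not divide the device size makes `conv=sync` pad the last block, so the image hash no longer matches the source.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Bit-level acquisition
# with dd, hash verification, and an acquisition log.
set -eu

# Print the SHA-256 of a file; sha256sum (coreutils) or shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE IMAGE LOG [BLOCKSIZE]
# conv=noerror keeps dd going past read errors instead of stopping;
# conv=sync pads an unreadable or short final block with zeros so the
# image stays block-aligned. BLOCKSIZE must divide the device size
# (the sector size, normally 512, always does), otherwise the padding
# on the last block makes the image hash differ from the source hash.
# Returns 0 only when source and image hashes match.
acquire_image() {
    src=$1; img=$2; log=$3; bs=${4:-512}
    {
        echo "acquisition start: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "examiner: $(id -un) on $(uname -n)"
        echo "source: $src"
        echo "command: dd if=$src of=$img bs=$bs conv=noerror,sync"
    } >>"$log"
    # dd's own records in/out summary goes into the log as well.
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>>"$log"
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    echo "sha256 source: $src_hash" >>"$log"
    echo "sha256 image:  $img_hash" >>"$log"
    echo "acquisition end: $(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$log"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified: hashes match" >>"$log"
        return 0
    fi
    echo "FAILED: hash mismatch, do not use this image" >>"$log"
    return 1
}

# Constructed stand-in for a suspect drive: 16 blocks of 4096 random
# bytes = 65536 bytes. On a real case this would be e.g. /dev/sdb.
make_suspect_device() {
    dd if=/dev/urandom of="$1" bs=4096 count=16 2>/dev/null
}

# Happy path: block size 4096 divides 65536, hashes match.
# Prints the work directory so the caller can inspect image and log.
demo_acquire() {
    work=$(mktemp -d)
    make_suspect_device "$work/suspect.dev"
    acquire_image "$work/suspect.dev" "$work/suspect.dd" "$work/acquisition.log" 4096
    echo "$work"
}

# Edge case: 1000 does not divide 65536, so dd pads the final 536-byte
# read to 1000 bytes and the image (66000 bytes) no longer hashes the
# same as the source. acquire_image must report failure here.
demo_padding_mismatch() {
    work=$(mktemp -d)
    make_suspect_device "$work/suspect.dev"
    if acquire_image "$work/suspect.dev" "$work/bad.dd" "$work/bad.log" 1000; then
        return 1
    fi
    return 0
}

# Run the happy path and show the log, which is the record you keep.
work=$(demo_acquire)
cat "$work/acquisition.log"
```

On a real drive, hash the source device before and after imaging as well as the image itself; a source hash that changes between the two runs means the drive was written to (no write blocker, or a failing disk) and the image cannot be tied to it.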
Current thread:
- forensics procedure for PC analysis John O Laoi (May 01)
- Re: forensics procedure for PC analysis Richard Thomas (May 01)
- Re: forensics procedure for PC analysis max (May 01)
- Re: forensics procedure for PC analysis Johnny Ramone (May 04)
- RE: forensics procedure for PC analysis Dave Kleiman (May 06)
- Re: forensics procedure for PC analysis Johnny Ramone (May 04)
- RE: forensics procedure for PC analysis Simon Thornton (May 04)