Security Basics mailing list archives
RE: tools used to examine a computer
From: H C <keydet89 () yahoo com>
Date: Thu, 20 Feb 2003 11:28:24 -0800 (PST)
> ...good points on processes, services and the like. You want to document those before you take down a machine (workstation or server) anyway if you are able to.
Again, it's quite easy to document this sort of thing, as well as a wide range of other data...it all simply has to be part of the methodology. Other areas of interest may include command history, clipboard contents, drivers (and their state), etc. Other non-volatile items that you may want to document prior to shut down include Registry key values, Registry key LastWrite times, etc.
> It does not destroy chain of custody (which is the term we should be using
Good point. The correct use of terminology, particularly in an area as technical as this discussion, is important. When other, unusual terms and phrases, w/o an explanation, begin to be used, the discussion can quickly break down...there is no common ground on which to converse at that point. "Chain of custody" means something specific when talking about forensics..."chain of evidence" only has a specific meaning to the person using that phrase.
> Key is proper FORENSIC PROCESSES are followed. If you can document and you are not touching MODIFY or CREATION dates then you are pretty much OK as long as you document properly.
Agreed. Even writing down the last access date in your notebook, and then copying the file, would be an appropriate process, under the right circumstances. I'd prefer to use a specific tool to extract those values, rather than running three separate 'dir' commands.
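A small collector in the spirit of the "specific tool" mentioned above, added here as an illustration (it is not code from the list or from any of its posters): it records a file's size, MAC times and SHA-256 from a single stat() before the file is copied, then checks that the source's modified/created times were not altered by the copy and that the copy's content and mtime match the record. The file name, sample content and timestamp are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def snapshot(path: str) -> dict:
    """Record size and MAC times from one stat() call, before the file is read."""
    st = os.stat(path)
    # Creation time where the platform exposes it; otherwise st_ctime
    # (creation time on Windows, inode change time on POSIX).
    created = getattr(st, "st_birthtime", st.st_ctime)
    record = {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "modified": _iso(st.st_mtime),
        "accessed": _iso(st.st_atime),
        "created": _iso(created),
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }
    # Hash only after stat(): reading the file may itself bump the access time.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    record["sha256"] = h.hexdigest()
    return record

def copy_and_verify(src: str, dst: str) -> tuple:
    """Snapshot src, copy with copy2 (carries mtime/atime to the copy), then confirm
    the source's times are untouched and the copy matches. Access time is not
    compared because the hashing read may have updated it."""
    before = snapshot(src)
    shutil.copy2(src, dst)
    src_after, copy = snapshot(src), snapshot(dst)
    source_untouched = (src_after["modified"], src_after["created"]) == (before["modified"], before["created"])
    copy_matches = (copy["sha256"], copy["modified"]) == (before["sha256"], before["modified"])
    return before, source_untouched and copy_matches

def demo() -> dict:
    """Run on a constructed sample file with a known mtime (not real evidence)."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "sample.txt")
    with open(src, "wb") as f:
        f.write(b"constructed sample content\n")
    t = 1045769304  # 2003-02-20 19:28:24 UTC, the date of this post
    os.utime(src, (t, t))
    before, ok = copy_and_verify(src, os.path.join(d, "sample.copy"))
    return {"record": before, "ok": ok}
```

Running `demo()` writes the sample, records it, copies it and returns the record together with the verification flag.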