Security Basics mailing list archives

RE: tools used to examine a computer


From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Fri, 21 Feb 2003 09:42:39 -0000

I was letting this discussion pass but a glaring error needs to be
corrected.  

"Good point.  The correct use of terminology,
particularly in an area as technical as this
discussion, is important.  When other, unusual terms
and phrases, w/o an explanation, begin to be used, the discussion can
quickly break down...there is no common ground on which to converse at
that point.  "Chain of custody" means something specific when talking
about forensics..."chain of evidence" only has a specific meaning to the
person using that phrase."

Chain of custody certainly does mean something specific in the area of
Forensics but more importantly in the area of law enforcement.
Unfortunately what the discussions have been about have been the chain
of evidence and the chain of custody has not been discussed at all here.

Summary
Chain of Evidence: The steps and actions taken to acquire the evidence (disk cloning, labeling etc per the discussion at hand)
Chain of Custody: The list of people or persons who have held the evidence or handled the evidence (sign in/sign out procedures etc)

Read some more just to prove it is not 'only specific to the person
using the phrase'.

Chain of Evidence: http://www.dis.unimelb.edu.au/staff/atif/AhmadPACIS.pdf
Chain of Custody: http://www.isaforensics.com/ISA_COC_Form.pdf

More links for your perusal which you certainly should be reading:

http://web.mit.edu/net-security/Camp/2000/FORENSICS_MIT/FORENSICS_MIT.ppt
http://www.lambsauto.com/insflyer.htm

In the last part of this last link you will see the point repeated that
I made earlier.  Make sure your Chain of Evidence is not broken.  Doing
an in-house forensics examination is fine if you have decided up front
that the matter will not be going any further.  If there is any
possibility that the incident may lead to legal proceedings then make
sure you are qualified to carry out an examination, otherwise all
evidence you touch is inadmissible.  Once you alter the machine state in
any way you have tampered.  Computer Evidence is still largely
considered hearsay in a court of law and can quickly be ruled out if
your Chain of Evidence or Chain of Custody is in doubt.

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499



-----Original Message-----
From: H C [mailto:keydet89 () yahoo com] 
Sent: 20 February 2003 19:28
To: security-basics () securityfocus com
Subject: RE: tools used to examine a computer


...good points on processes, services and the like. You want to
document those before you take down a machine (workstation or server)
anyway if you are able to.

Again, it's quite easy to document this sort of thing,
as well as a wide range of other data...it all simply
has to be part of the methodology.  Other areas of
interest may include command history, clipboard
contents, drivers (and their state), etc.  Other
non-volatile items that you may want to document prior
to shut down include Registry key values, Registry key LastWrite times,
etc.

It does not destroy chain of custody (which is the term we should be
using

Good point.  The correct use of terminology,
particularly in an area as technical as this
discussion, is important.  When other, unusual terms
and phrases, w/o an explanation, begin to be used, the discussion can
quickly break down...there is no common ground on which to converse at
that point.  "Chain of custody" means something specific when talking
about forensics..."chain of evidence" only has a specific meaning to the
person using that phrase.

Key is proper FORENSIC PROCESSES are followed.  If you can document and
you are not touching MODIFY or CREATION dates then you are pretty much
OK as long as you document properly.

Agreed.  Even writing down the last access date in
your notebook, and then copying the file, would be an appropriate
process, under the right circumstances. 
I'd prefer to use a specific tool to extract those
values, rather than running three separate 'dir'
commands.



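As an added illustration of the two records the thread distinguishes (this is not code from either poster), a Python sketch that snapshots a file's MAC times and hash before copying it, in the spirit of using a tool rather than three separate 'dir' commands, and then keeps a hash-linked log of acquisition steps (chain of evidence) and hand-overs (chain of custody). The examiner name and file names are constructed placeholders.

```python
import datetime, hashlib, json, os, shutil, tempfile

def record_file_metadata(path):
    # stat() before opening: reading a file to hash it can itself update its access time
    st = os.stat(path)
    meta = {"path": os.path.abspath(path), "size": st.st_size,
            "mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime}
    with open(path, "rb") as f:
        meta["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return meta

def acquire_copy(src, dst):
    # copy2 carries mtime/atime over to the copy; the hash comparison proves the bytes match
    before = record_file_metadata(src)
    shutil.copy2(src, dst)
    copied = record_file_metadata(dst)
    if copied["sha256"] != before["sha256"]:
        raise RuntimeError("copy differs from original: chain of evidence is broken")
    return before, copied

class EvidenceLog:
    # evidence = acquisition steps, custody = who held it; each entry hashes the previous so edits fail verify()
    def __init__(self): self.entries = []
    def append(self, kind, **fields):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"kind": kind, "prev": prev, **fields,
                 "time": datetime.datetime.now(datetime.timezone.utc).isoformat()}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry
    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != digest:
                return False
            prev = e["hash"]
        return True

def demo():
    # constructed sample: a throwaway file is acquired into a working copy and both steps logged
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "original.bin"), os.path.join(d, "working_copy.bin")
    with open(src, "wb") as f: f.write(b"hello")
    before, copied = acquire_copy(src, dst)
    log = EvidenceLog()
    log.append("evidence", examiner="examiner-placeholder", original=before, copy=copied)
    log.append("custody", item="original.bin", person="examiner-placeholder", action="signed out")
    return before, copied, log
```

Note that on a live system the stat-then-hash order only protects the recorded values; hashing still reads the file, so for anything that may go to court the read should happen from a write-blocked image rather than the original.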

