RE: First Investigation - Need advice

["Aditya, ALD [Aditya Lalit Deshmukh]" <aditya.deshmukh () online gateway technolabs net>]

> I have been tasked with carrying out a search and seize with the 
> aid of a court order.  I can't ask local law enforcement as it is 
> a civil matter, but I need a little help and figured this should 
> be a good place to find it.

security basics is not a good place for this / try the foriencs list they are very good at this  

> I do have some knowledge and experience from when I was studying 
> for the CISSP exam, I passed, but do not have any forensic 
> hands-on experience.  

that would help you a lot in what you are doing 
 
> What I am basically looking for is a list of tools that I can get 
> my hands on quickly and cheaply, and if possible a checklist or 
> methodology to work to.

ask on the foreincs list, 
the cheapest tools are ( i am understanding that you will be using ) linux because it is the most flexible system for 
these sorts of tasks


> I know this should be left to the experts, but time constraints 
> and budget mean this is not possible, besides how hard can it be.  <g>

it's not very hard if you know what you are doing, besides if your case is handled by a law enforcement official it 
will hold up in court as this is a lawsuit a small mistake can simply invalidate all your evidence .... please do call 
expert consultants if you want 

> We have 2 locations to "raid" simultaneously, so I will be at one 
> site, and a colleague at another.  

> The plan thus far is....
>
>
>
> Video record everything from entry to the building, to sealing a 
> image of the machines in question into polythene type bags, and 
> signing over the top of them.  Also, the investigation into the 
> data will be recorded on video.

and keep one of the signed copy at some safebox which can be used for verifying the authicity of the proof that you 
have in your hand

> Two images will be taken on site, one for sealing in the bag, 
> another as the "working copy".  These will be MD5 checksummed, 
> and the hash recorded on paper.  The sealed copy will go to a 
> secure storage location for appearance in court, and the working 
> copy used to gather evidence.  The original will be returned to its owner.

that is a good idea.....

> Each and every step taken, will be recorded, and witnessed, and 
> signed off by the person who takes the action, the person who 
> witnesses, and the person who recorded the activity.  

have 2 witness for safty

> All personnel involved will be available for court dates should 
> it come to that.  But we strongly believe that the required 
> information will be gained from one of the two locations, and 
> that will be enough for the "plaintiff" to present to the 
> "defendant" so that a settlement can be reached.
best of luck in your investigation


> Have I missed anything fundamental?  Are there some other steps I 
> should take?  What tools, methods should be used to gather the 
> images and interrogate the images when gathered?

the tools used to analysed the images depends how big your images are,what are u are trying to look for: my personal 
preference is encase or on linux there is a tools called lazurus

> Thanks in advance for the help.

hope that was helpful




-aditya



________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------