Security Basics mailing list archives
Re: forensics tools - preserving data?
From: H Carvey <keydet89 () yahoo com>
Date: 6 Oct 2004 18:13:47 -0000
In-Reply-To: <b7bc1b1f041005000317675d35 () mail gmail com>

~G,
Finally, hopefully Harlan Carvey will pipe up and share his expertise. See http://www.windows-ir.com/ for more info.
Thanks for the shout-out! ;-)
I can pull up the files, archive them and explain the information to them. But how do I go about extracting the information (i.e. The internet address of the many files that lie in the temp internet dir) so I am able to present it in acceptable fashion that they might use it in a court of law as evidence should it come to that.
A couple of things come to mind...

Re: "use it in a court of law as evidence"...this will depend heavily on your country and jurisdiction, and accepted forensic processes. However, you're more than likely going to end up imaging the drive and using those processes to perform your analysis.

Re: "so I am able to present it"...a big issue involving forensics (and just about any other highly technical area) is that many practitioners somehow expect the layman to just "get it". So presenting the data in a way that can be easily understood is an issue.

Now, not to go too far off target, but...

<soapbox>
You said that this issue is one of an employee not completing tasks because they spent too much time surfing the web. The temp Internet files will tell you what pages were visited and when, but are you hoping to show the amount of time spent on each page?

In a nutshell, in my experience, I really don't see this as a forensics issue...in fact, I believe that it's a waste of time. What *should* happen is that the manager should document the fact that the employee is not completing tasks on time, and even go so far as to put the tasks and deadline in writing.
</soapbox>

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/

"Meddle not in the affairs of dragons, for you are crunchy, and good with ketchup."

"The simplicity of this game amuses me. Bring me your finest meats and cheeses."
------------------------------------------
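The thread asks how to preserve collected files so they can later be relied on. One part of an "accepted forensic process" that applies whatever the jurisdiction is an integrity manifest: hash every collected file at collection time, record sizes and timestamps, and re-verify before presenting. The Python below is an added example (not Harlan's code or anything from the thread); the cache folder and file names it creates are constructed sample data, and it does not parse the cache index itself.

```python
import csv
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    # read_bytes is fine for cache-sized files; hash in chunks for whole disk images
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root: Path) -> list[dict]:
    # one row per file: relative path, size, last-modified time (UTC) and SHA-256
    rows = []
    for p in sorted(x for x in root.rglob("*") if x.is_file()):
        st = p.stat()
        mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
        rows.append({"path": p.relative_to(root).as_posix(), "size": st.st_size,
                     "mtime_utc": mtime, "sha256": sha256_file(p)})
    return rows

def write_manifest(rows: list[dict], out: Path) -> str:
    # write the CSV and return the manifest's own hash, to be recorded in the case notes
    with out.open("w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=["path", "size", "mtime_utc", "sha256"])
        w.writeheader()
        w.writerows(rows)
    return sha256_file(out)

def verify_manifest(root: Path, manifest: Path) -> list[str]:
    # an empty list means every listed file is still present and unchanged
    problems = []
    with manifest.open(newline="") as f:
        for row in csv.DictReader(f):
            p = root / row["path"]
            if not p.is_file():
                problems.append(f"missing: {row['path']}")
            elif sha256_file(p) != row["sha256"]:
                problems.append(f"hash mismatch: {row['path']}")
    return problems

def demo() -> tuple[list[str], list[str]]:
    # constructed sample: a fake cache folder, checked before and after one file is altered
    with tempfile.TemporaryDirectory() as d:
        root, manifest = Path(d) / "cache", Path(d) / "manifest.csv"
        root.mkdir()
        (root / "page[1].htm").write_text("<html>constructed sample</html>")
        write_manifest(build_manifest(root), manifest)
        before = verify_manifest(root, manifest)
        (root / "page[1].htm").write_text("altered after collection")
        return before, verify_manifest(root, manifest)
```

Run the manifest against a read-only copy of the imaged data, and keep the manifest's own hash in the hand-written case log so the CSV itself can be checked later.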
Current thread:
- forensics tools - preserving data? Dana Rawson (Oct 04)
- Re: forensics tools - preserving data? GuidoZ (Oct 05)
- RE: forensics tools - preserving data? Oscar Kooijman (Oct 05)
- Re: forensics tools - preserving data? Barrie Dempster (Oct 06)
- <Possible follow-ups>
- RE: forensics tools - preserving data? Beauford, Jason (Oct 06)
- Re: forensics tools - preserving data? GuidoZ (Oct 06)
- RE: forensics tools - preserving data? Ghaith Nasrawi (Oct 06)
- Re: forensics tools - preserving data? H Carvey (Oct 07)
- Re: forensics tools - preserving data? GuidoZ (Oct 08)