Security Basics mailing list archives

RE: Initial Machine login - Computer Forensics 101


From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Tue, 5 Feb 2008 14:03:48 +1000

Hi Michael, I won't repeat the great advice already provided on the subject
of whether this is illegal or not but from a practical standpoint, you would
normally want to image the machine before doing anything. 

If the machine is already on then you may want to capture any volatile data
before doing anything like booting it from a live distro. You never know
what 'evidence' might be lost in that reboot.

I was always taught that whilst you need to work hard not to disturb/change
any data, sometimes this may not be possible (time and technical constraints,
perhaps), so make sure you document everything and show that if data was
changed, how and why it was changed. I.e. show which tracks are yours and
which are not.

OK, I lied. I will repeat what others have said, that the whole situation
seems like you are asking for a lot of trouble if you just go ahead and
start investigating without proper authorisation. I have had to do
investigations at work which have resulted in sackings and even though they
involved company machines used by employees who had been warned implicitly
through the contracts they signed of the company monitoring policy, I always
made sure legal would sign off on what I was doing. In writing. Step
carefully here. 
Good luck.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Michael Condon
Sent: Sunday, February 03, 2008 2:15 PM
To: security-basics () securityfocus com
Subject: Initial Machine login - Computer Forensics 101

Here is a Computer Forensics 101 question.
Suppose a distraught woman comes to me with her husband's laptop and wants
me to search it for information about a suspected marital indiscretion.
1. Assuming it is an XP/Vista machine, how can I log in as administrator?
2. Is the second approach to make a bitstream copy of the hard drive using an
external USB hard drive enclosure and proceed that way?
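
As an added illustration of the order the reply above recommends (volatile data first, then a bitstream image whose hash is verified, with every step written to a log so your tracks can be told from the subject's), here is a POSIX shell script. It is not code from the thread or from either poster. It assumes a Linux forensic workstation, that the subject disk is attached behind a hardware write blocker and named in $SRC, and that $CASE is a directory on a separate evidence drive; collect_volatile uses Linux commands and only makes sense on the live subject machine itself (the Windows equivalents for the laptop in the original post are not shown). All names, paths and the sample data are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): order-of-volatility capture, then a
# verified bitstream image, with every step written to a chain-of-custody log.
# Assumed layout: $SRC is the subject disk behind a hardware write blocker
# (or made read-only with `blockdev --setro`), $CASE is a directory on a
# separate evidence drive. Both names are this example's own.
CASE="${CASE:-$(mktemp -d)}"
LOG="$CASE/chain-of-custody.log"

# Timestamped note of what was done and why, so the examiner's tracks can be
# told apart from the subject's later on.
log_step() {
    printf '%s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG"
}

sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Volatile state first, on the live subject machine, before any reboot.
# These are Linux commands; running them does change the host (new processes,
# file cache), which is exactly why the log records that they were run.
collect_volatile() {
    out="$CASE/volatile"
    mkdir -p "$out"
    log_step "volatile capture started on live host; this alters its state"
    date -u                           >"$out/date.txt"   2>&1 || true
    uname -a                          >"$out/uname.txt"  2>&1 || true
    id                                >"$out/id.txt"     2>&1 || true
    ps -e -o pid,ppid,user,lstart,cmd >"$out/ps.txt"     2>&1 || true
    { ss -tunap || netstat -tunap; }  >"$out/net.txt"    2>&1 || true
    { ip addr || ifconfig -a; }       >"$out/ifaces.txt" 2>&1 || true
    w                                 >"$out/who.txt"    2>&1 || true
    mount                             >"$out/mounts.txt" 2>&1 || true
    # A RAM capture would come here with a memory acquisition tool (not shown).
    log_step "volatile capture finished; files under $out"
}

# Bitstream image: bs=512 matches the sector size, so conv=sync's zero
# padding can only ever apply to a short read of the last sector rather than
# to a whole 1M block; conv=noerror keeps reading past unreadable sectors.
image_device() {
    src="$1"; img="$2"
    log_step "imaging $src -> $img"
    pre=$(sha256_of "$src")
    log_step "sha256 of source: $pre"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$LOG"
    post=$(sha256_of "$img")
    printf '%s\n' "$post" >"$img.sha256"
    log_step "sha256 of image:  $post"
    if [ "$pre" = "$post" ]; then
        log_step "hash match: image verified"
        return 0
    fi
    log_step "HASH MISMATCH: read errors or the source changed; do not proceed"
    return 1
}

# Re-hash an image and compare with the hash recorded at acquisition time.
# Run this before every examination session; work only on the image
# (mount -o ro,loop,noexec) and never on the original disk.
verify_image() {
    img="$1"
    now=$(sha256_of "$img")
    want=$(cat "$img.sha256")
    if [ "$now" = "$want" ]; then
        log_step "verify $img: OK ($now)"
        return 0
    fi
    log_step "verify $img: FAILED (recorded $want, now $now)"
    return 1
}

# Usage on a real case (needs root and a write blocker):
#   collect_volatile
#   image_device /dev/sdb "$CASE/laptop.dd"
#   verify_image "$CASE/laptop.dd"
```

image_device and verify_image both return 0 only when the hashes agree, so a mismatch (a disk that changed between passes, or unreadable sectors that dd padded) stops the script under set -e and leaves the reason in the log; that log, together with the hash file written next to the image, is the written record the reply above asks for.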

