February 3rd, 2003, 08:17 PM
Forensics on Windows
I found a good article on Security Focus going over procedures and legal implications involved with forensics. I have included an excerpt below.
You can find the full article here.
Forensic examination of computer systems is commonly carried out by trained investigators using specialist hardware and software. The popularity of the Windows operating systems on both desktops and servers has made it a common source of evidence for such investigators. As a result, the range of tools available that can be used to analyze the Windows platform continues to grow. However, true forensic examination of a computer (i.e. where there may be a requirement to produce evidence in a court of law) does not take place only within the confines of a high-tech laboratory but also within the framework of current, relevant legislation and sometimes under the watchful eye of the media.
The experienced investigator knows that the success of a computer forensics investigation depends not only on the ability to uncover evidence from a computer system but also on the ability to follow proper methodology during the process of evidence collection and handling so that the evidence itself can be used in court. Such considerations may be of little interest to those whose goal is purely data recovery or intelligence gathering, but to forensic investigators engaged in the detection of crime or misconduct they remain of vital importance.
The first stage of any investigation is preparation that may begin even before a crime has been committed or a security incident detected. Importantly, it is not only investigators who are responsible for this preparation: it can also be carried out by the administrators of the systems in question. This article, the first in a two-part series about forensics on the Windows platform, will examine the preparatory steps that can be taken by both investigators and system administrators alike. While this series is concerned with Windows-specific investigations, this article will examine some basic, non-technical concepts that are applicable to all forensic investigations. The second article in this series will be much more specific to Microsoft Windows platforms.
Opinions are like
holes - everybody\'s got\'em.
July 14th, 2003, 09:35 AM
The above article was extremely informative and very interesting.
I don't know if it was available when the first post was made, but Part Two is available and well worth the read.
Here's the intro for part two:
Thanks for bringing this up, t2k2. Muchly appreciated!
This is the second of a two-part series of articles discussing the use of computer forensics in the examination of Windows-based computers. In Part One we discussed the wider legal issues raised by computer forensics and the benefits of pre-investigation preparation. In this article we will concentrate on the areas of a Windows file system that are likely to be of most interest to forensic investigators and the software tools that can be used to carry out an investigation.
You can find Part Two in full here.
[gloworange]Athlon XP 2100+ 1.74GHz
512MB PC2100 DDR-SD RAM
RADEON 9600XT 256MB[/gloworange]