-
February 23rd, 2006, 07:30 PM
#11
Greetings
I've never tried any of the following so I cannot recommend them but you can have a look:
1. FCCU GNU/Linux boot CD 10.0 from the Belgian "Federal Computer Crime Unit"
http://www.lnx4n6.be/index.php?sec=D...ds&page=bootcd
2. Fire from SourceForge
http://fire.dmzs.com/
3. fork from vital data
http://www.vitaldata.com.au/modules/...index.php?id=9
4. http://www.x-ways.net/davory/index-m.html
5. http://www.sleuthkit.org/autopsy/
A GOOD LIST OF TOOLS CAN BE FOUND HERE :
http://www.forensics.nl/toolkits
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
February 23rd, 2006, 07:40 PM
#12
Man ...good links ... especially the Belgian crime unit thing one
I'll check them all out ... thanks,
.C.
Back when I was a boy, we carved our own IC's out of wood.
-
February 23rd, 2006, 10:23 PM
#13
I was in a similar situation, where I had to produce evidence re: "child porn". Before I even touched the drive, I called my local law enforcement and consulted with a couple of lawyers. I was informed if I wanted to build a case, and make it stick, the courts would likely only consider it if I used a product called ENCASE. As these types of investigations are few and far between for me I couldn't justify the cost. So I contracted a company that used the product for forensics and went that route. If you feel this issue may end up in front of the courts, you may want to consider this option.
good luck....
Cheers:
-
February 23rd, 2006, 10:28 PM
#14
DJM is absolutely right....
Even if this is an "internal" investigation if it ends up in any form of disciplinary action then the "offender" might take your company to court... At which point your "internal" investigation is elevated to the level of a full blown forensic investigation... Which neither you nor I want to be in the witness chair for...
You need to consult with your administration and determine the best course of action... But be up front with them about _your_ limitations... They need that information because they are going to pay the bill if it ends up in court.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
February 23rd, 2006, 10:55 PM
#15
Tiger~ is right................trade unions, industrial tribunals..............whatever............it is a bloody minefield.
You need legal advice, and from a proper lawyer, not some jerk of a manager who knows nothing of the potential complexities.
The first thing is the AUP...............if that doesn't hold water they are stuffed. You did imply that there were few "formal" policies?
If what has been done is in any way construable as illegal in your part of the world, DO NOT GO NEAR IT unless the competent authorities have been involved, and then you work on THEIR instructions, not those of your managers. It is your career on the line my friend
-
February 24th, 2006, 07:31 AM
#16
Thanks for all the support ...
The legal matter has been covered since yesterday evening ...I have a relative that is a lawyer... He went out of his way to see what my rights and duties were... So I have that covered now ...
Probably I'll just take the image and have the guy sign me a paper that waives all rights of having me held responsible for any damages, negligence or any other form of wrongdoing or involvement ...the lawyer will draw me up a paper...Then I'll have a look at the image/copy or whatever under the same conditions ...that this is all just non-binding and non-accountable and will not hold up in court if it ever would come to that ...and so on ...
According to my lawyer relative I'm going to be in the clear whatever happens
If all else fails ..It will just be a consultant job ..meaning ...I'll tell him what he could do and where to go, to get what he wants/needs.
Time will tell ...
Thanks all,
.C.
Back when I was a boy, we carved our own IC's out of wood.
-
April 17th, 2006, 03:49 PM
#17
Junior Member
Acquiring evidence files using disk cloning techniques
Hi
I was reading your post on disk cloning... I would just like to point a few things out as this is what I have to do day in day out..
1. Where possible, remove the suspect disk and use a device such as a write blocker (FastBloc, or a Tableau device); this blocks the writes to the hard disk when it is fired up. Then use some software such as EnCase or FTK to create image files; this will allow you to demonstrate that you have indeed maintained data continuity. When these image files are created they create an MD5 hash which can be used to verify that the data has not been altered.
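The hash verification step described in post #17, as an added example that is not part of the original thread: it re-hashes a segmented raw image as one byte stream and compares the result with the digests recorded at acquisition. The segment file names, the sample data and the use of SHA-256 alongside MD5 are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large images never sit in memory


def hash_image(segment_paths, algorithms=("md5", "sha256")):
    """Hash the image segments, in order, as one continuous byte stream."""
    digests = {name: hashlib.new(name) for name in algorithms}
    for path in segment_paths:
        with open(path, "rb") as fh:  # read-only: verification never writes
            while chunk := fh.read(CHUNK):
                for d in digests.values():
                    d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def verify_image(segment_paths, recorded):
    """Compare recomputed digests with those noted at acquisition.

    Returns (ok, mismatches) where mismatches maps algorithm -> (recorded, current).
    """
    current = hash_image(segment_paths, tuple(recorded))
    mismatches = {n: (recorded[n], current[n])
                  for n in recorded if recorded[n].lower() != current[n]}
    return (not mismatches, mismatches)


def demo():
    """Constructed sample: a two-segment image, verified, then altered by one byte."""
    with tempfile.TemporaryDirectory() as tmp:
        segments = []
        sample = [b"\x00" * 4096 + b"constructed sector data", b"\xff" * 4096]
        for i, data in enumerate(sample, start=1):
            path = os.path.join(tmp, f"evidence.{i:03d}")  # hypothetical naming
            with open(path, "wb") as fh:
                fh.write(data)
            segments.append(path)
        recorded = hash_image(segments)        # digests noted at acquisition time
        ok_before, _ = verify_image(segments, recorded)
        with open(segments[1], "r+b") as fh:   # simulate a single altered byte
            fh.seek(10)
            fh.write(b"\x00")
        ok_after, mismatches = verify_image(segments, recorded)
        return ok_before, ok_after, sorted(mismatches)


if __name__ == "__main__":
    print(demo())
```

Segment order matters: hashing the same files in a different order yields a different digest, so the acquisition notes should list the segments in sequence along with the recorded hashes.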
-
April 17th, 2006, 03:59 PM
#18
hi 8lgm,
Welcome to AO!
Even though you have something relevant to bring to the thread it is still almost 2 months old...maybe you could write a tutorial if that's something you know a lot about?
Eg