Hmmmmm,

Time for a reality check?

1. This is a single stand-alone PC?... why on Earth would it have any network security software on it?

2. I have done a fair bit of support for Doctors, Dentists and Veterinarians in my time... they know nothing about IT in general and security in particular, but I have yet to see a single system that was connected to the internet!... a LAN, yes, but NOT the internet.

3. The most common scenario is that they have a PIM (personal information manager) on the office machine and a copy on their laptop, which they synchronise from time to time.

4. From your forensics you should be aware that the first thing to do is to make a certified/authenticated/MD5 hashed copy of the suspect HDD. THIS MUST NOT MAKE ANY CHANGES TO THE ORIGINAL DRIVE... if it does, you have compromised your crime scene?

So, if you make a forensic evidence acceptable copy... the activity will be untraceable.

5. Similarly, from data recovery exercises you know that you do not want to change anything on the HDD, as that could corrupt vital data?

If I took the drive and slaved it to a PC and ran a Linux recovery tool or something like Roadkil's Unstoppable Copier, you would not be able to trace the activity.

http://www.roadkil.net/unstopcp.html

6. SNORT?... the only snorting I would associate with psychiatrists would *cough* involve a $100 bill *cough*

7. As a rule, psychiatrists don't do house calls (except prisons and hospitals)?

Perhaps you need to revisit the premise that this is a stand-alone machine?


// off topic

LOL, that's the most creative euphemism I've read in a while.
Nah!... the correct phrase is: "syphon the python", although "drain the dragon" and "strain the potatoes" can be substituted if required //

EDIT: Possible solution? A lot of PCs have a BIOS feature that warns you if the case has been opened. This is in the BIOS, so does not impact on the HDD, and might reasonably be overlooked by a miscreant?

If the alarm has been triggered and there is no evidence of activity, I would suggest it prudent to assume that all data have been copied?

You normally only see the case opened warning on reboot...

Obviously, I can get around that, but just how IT savvy are these vampires?
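As an added example (not code from the original post or from the poster), the shell script below walks through the step in point 4: hash the source before imaging, image it with dd, re-hash the source to prove it was not changed, hash the copy, and record all of it in a log so the image can be re-verified before analysis. It assumes a constructed 1 MiB file standing in for the suspect drive so it runs offline without a real device or write blocker; the paths, log layout and function names are my own.

```shell
#!/bin/sh
# Forensic image acquisition and verification (added example, not from the post).
# On a real acquisition the source is a block device behind a hardware write
# blocker (or at least set read-only with `blockdev --setro /dev/sdX`); here a
# constructed sample file stands in for the drive so the script runs offline.
set -eu

WORK="$(mktemp -d)"
SOURCE="$WORK/suspect_drive.img"   # stands in for /dev/sdX (assumption)
IMAGE="$WORK/evidence_copy.img"    # the working copy we will analyse
LOG="$WORK/acquisition.log"        # chain-of-custody record

# Constructed sample "drive": exactly 1 MiB, i.e. a whole number of 4096-byte
# blocks. A real device is always a whole number of sectors; for a file
# stand-in the size must be a multiple of bs or conv=sync padding would make
# the image hash differ from the source hash.
make_sample_drive() {
    head -c 1048576 /dev/zero | tr '\0' 'A' > "$SOURCE"
}

# Hash helper: prints only the hex digest. SHA-256 preferred; the post
# mentions MD5, which still works for integrity checks but is not collision
# resistant, so it is only a fallback here.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# Acquire: hash source, image with dd, re-hash source, hash image, log it all.
# Returns 0 only if the source is unchanged and the image matches it.
acquire_and_verify() {
    pre="$(hash_file "$SOURCE")"
    # conv=noerror,sync keeps reading past bad sectors and pads them with
    # zeros instead of aborting, which is what you want on a failing drive.
    dd if="$SOURCE" of="$IMAGE" bs=4096 conv=noerror,sync status=none
    post="$(hash_file "$SOURCE")"   # must equal $pre, or the source was altered
    copy="$(hash_file "$IMAGE")"
    {
        echo "date:        $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:      $SOURCE"
        echo "image:       $IMAGE"
        echo "source_hash: $pre"
        echo "source_post: $post"
        echo "image_hash:  $copy"
        echo "---"
    } >> "$LOG"
    [ "$pre" = "$post" ] && [ "$pre" = "$copy" ]
}

# Later verification (e.g. before every analysis session): compare the image
# against the most recently recorded source hash. Non-zero means the copy has
# been modified since acquisition.
verify_image() {
    recorded="$(grep '^source_hash:' "$LOG" | tail -n 1 | awk '{print $2}')"
    [ -n "$recorded" ] && [ "$recorded" = "$(hash_file "$IMAGE")" ]
}

# Stand-alone run of the whole workflow.
make_sample_drive
if acquire_and_verify && verify_image; then
    echo "image verified; log at $LOG"
else
    echo "HASH MISMATCH: image does not match source" >&2
fi
```

The point of re-hashing the source after the copy is that the log then shows, in one place, that the acquisition itself did not touch the original; analysis is done only on the image, and `verify_image` is what you run each time you open it.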