Forensics
Re: Log in as administrator with live data collection CD? Nov 16 2007 12:33AM
keydet89 yahoo com
Matt and Kelly,

> I guess there is one point here that leads to

> possible issues a cd to forensically collect

> evidence for law enforcement would require that

> you collect the data with a device that could

> not write to the hard disk,

What if you could collect the data you needed, but know and be able to show that the likelihood of you changing data is low to unlikely?

> The issue with a disk that would collect

> real-time as the OS was logged in with a

> administrator would give you the ability to

> change the data

It may give you the ability, but that doesn't mean that you're going to destroy or create evidence. In the real world, LEOs have the ability all the time to plant or modify evidence...but that doesn't mean that they do.

>> I could use PSexec or runas or something to log

>> in as administrator, but I have a concern that

>> this may alter important information on the

>> computer.

Of course it will...any time you interact with a live machine, you're going to alter something. The question isn't one of altering data on the system, but can you show that you understand that, and do you have documentation of your actions?

LEOs interact with crime scenes and evidence all the time. However, they have processes and documentation...why should the digital world be any different?

>> The question I have is, what is the best policy

>> when creating a forensic boot disk?

Okay, I'm confused...you started out asking about a "live data collection forensic CD", and know int the same paragraph you're referring to a forensic boot disk. You're aware, I'm sure, that a bootdisk obviates the need for a "live data collection forensic CD".

>> Is it best to wait for the information or have

>> the CD log in as local administrator to collect

>> information in a timely fashion before shutting

>> down? I do have the local admin password so

>> that is not an issue. I am talking about

>> windows boxes.

I would think that it would be best to document what you do thoroughly. Do some testing to show due diligence, and then document what you do.

Harlan

http://windowsir.blogspot.com

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus