Forensics
Re: P2V - Live Forensics Feb 17 2011 10:55PM
synja synfulvisions com
I have had to do this in the past.

I simply added a firewall rule that dropped her traffic, and brought the laptop back to my office for "service." Once the drive was imaged, I erased the rule and made up a story about a network driver update for her model causing the problem.

This is of course a matter of how competent the user is.

Rob

------Original Message------

From: solefarmer (at) gmail (dot) com [email concealed]

Sender: listbounce (at) securityfocus (dot) com [email concealed]

To: forensics (at) securityfocus (dot) com [email concealed]

Subject: P2V - Live Forensics

Sent: Feb 15, 2011 10:13 AM

Ladies, Gentlemen, and otherwise:

I have a situation whereby I need to obtain an image of an individual's laptop suitable for potential prosecution in a US court; however, I only have a limited window in which to grab the image, and was looking for alternatives in order to not "spook" the poor guy or his co-workers who would no doubt tell him about me, as I go into his office and randomly image his drive!

I thought about using P2V (Physical to Virtual), but realize that such software does make some steps to alter the system and thus may have court challenges. Is there a possibility that such could be explained in court, or perhaps an md5 hash of his files (not the disk image) taken while online and then compared to a virtual image of sorts?

Please advise, and I'm thinking of sending the winning submission a beer or two or some other minor token of appreciation.

Sent via BlackBerry by AT&T

Copyright 2010, SecurityFocus