Forensics
P2V - Live Forensics, Feb 15 2011 03:13PM, solefarmer gmail com (10 replies)
Re: P2V - Live Forensics, Feb 22 2011 10:18AM, Dave Howe (DaveHowe pentest googlemail com) (1 replies)
Re: P2V - Live Forensics, Feb 28 2011 04:59PM, Paul Schmehl (pschmehl_lists tx rr com) (1 replies)
Re: P2V - Live Forensics, Feb 19 2011 10:46AM, quark quark (quark maillist gmail com) (1 replies)
Re: P2V - Live Forensics, Feb 17 2011 11:01PM, William Warren (hescominsoon emmanuelcomputerconsulting com)

Any action which requires you to boot the device yourself will commit
changes, therefore the best method would be to set the hard drive
"offline" and mount it read-only as mentioned on the list.
Check also tools like sleuthkit but for your task a simple dd with a hash value
should be fine to work on it.
There are also hardware devices which do not disturb the chain of
custody used by forensic specialists to copy media.
If you do that without the knowledge of the user, you, not being a
member of the court or appointed by an attorney, will have to
prove that you have not introduced the evidence yourself.
Considering the "fruit of poisoned tree" your complete work won't be
considered in such a case.
If you have an option to seize the computer you can prove the
"originality" of the data.
--
Best regards,
Adam Pal
Tuesday, February 15, 2011, 4:13:56 PM, you wrote:
<==============Original message text===============
sgc> Ladies, Gentlemen, and otherwise:
sgc> I have a situation whereby I need to obtain an image of an
sgc> individual's laptop suitable for potential prosecution in a US
sgc> court; however, I only have a limited window in which to grab the
sgc> image, and was looking for alternatives in order to not "spook"
sgc> the poor guy or his co-workers who would no doubt tell him about
sgc> me, as I go into his office and randomly image his drive!
sgc> I thought about using P2V (Physical to Virtual), but realize
sgc> that such software does make some steps to alter the system and
sgc> thus may have court challenges. Is there a possibility such could
sgc> be explained in court, or perhaps md5 hash of his files (not the
sgc> disk image) taken while online and then compared to a virtual image of sorts.
sgc> Please advise, and I'm thinking of sending the winning
sgc> submission a beer or two or some other minor token of appreciation.
<===========End of original message text===========
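
The "simple dd with a hash value" acquisition suggested in the reply above, as an added example that is not part of the original thread. It assumes the source is already attached read-only, uses SHA-256 from coreutils `sha256sum` instead of the md5 mentioned in the original question, and the function names and log format are hypothetical.

```shell
#!/bin/sh
# Added example. Log line format (UTC time|source|image|sha256) is an assumption.

sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

# acquire SRC IMG LOG
# Copies SRC to IMG with dd, hashing SRC before and after the copy.
# Returns 0 if the image matches an unchanged source, 1 on a hash
# mismatch, 2 on a usage or I/O error.
acquire() {
    src=$1; img=$2; log=$3
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$img" ]; then echo "refusing to overwrite $img" >&2; return 2; fi

    pre=$(sha256_of "$src")
    dd if="$src" of="$img" bs=65536 2>/dev/null || return 2
    chmod 0444 "$img"                  # the working copy stays read-only
    post=$(sha256_of "$src")
    got=$(sha256_of "$img")

    # A source that is booted or mounted read-write changes under dd,
    # so the before and after hashes of the source itself must agree.
    if [ "$pre" != "$post" ]; then echo "source changed during copy" >&2; return 1; fi
    if [ "$pre" != "$got" ]; then echo "image differs from source" >&2; return 1; fi

    printf '%s|%s|%s|%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$src" "$img" "$got" >> "$log"
}

# verify_image IMG LOG
# Re-hashes IMG and compares it with the last value logged for that path.
verify_image() {
    img=$1; log=$2
    want=$(awk -F'|' -v f="$img" '$3 == f { h = $4 } END { print h }' "$log")
    if [ -z "$want" ]; then echo "no log entry for $img" >&2; return 2; fi
    [ "$want" = "$(sha256_of "$img")" ]
}
```

Run `verify_image` again before each analysis session so that any change to the working copy shows up against the hash recorded at acquisition time.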