Forensics
P2V - Live Forensics Feb 15 2011 03:13PM
solefarmer gmail com (10 replies)
Re: P2V - Live Forensics Feb 22 2011 10:18AM
Dave Howe (DaveHowe pentest googlemail com) (1 replies)
Re: P2V - Live Forensics Feb 28 2011 04:59PM
Paul Schmehl (pschmehl_lists tx rr com) (1 replies)
RE: P2V - Live Forensics Mar 02 2011 09:36AM
David Howe (David Howe ansgroup co uk) (1 replies)
Re: P2V - Live Forensics Mar 03 2011 03:14AM
Chris Barber (cmbarber gmail com)
I am not an expert in this field by any means, and I have never been to
court over a forensics case; I primarily perform personnel-level work. I
have to agree with Paul on this one that it could lead to issues in a
courtroom, especially if the defense wants a copy of the image that you
used. It would be very possible that they would find out that the PC not
coming back up was caused by you, as a means to frame the user.

One ruse I use on occasion is to shut down the network port the user is
attached to, so the PC will not connect to the network. You get the same
call to the help desk, they tell the user to shut down the PC and a tech
will be there shortly to look at the issue. You make sure the PC is offline,
then enable the port, and show up with a second PC to let the user work with for
a day or so while you try to figure out why the original PC is not working.
Make the image and return the PC to the user the next day. I have no
chance of leaving any fingerprints on the PC for anyone to find.

On Wed, Mar 2, 2011 at 2:36 AM, David Howe <David.Howe (at) ansgroup.co (dot) uk [email concealed]> wrote:
>
> Ah, but I didn't. That's the good bit - you alter the drive before the user ever brings it in, and the chain of evidence only needs to start once it is on your desk. You need never admit or even mention that you broke it in the first place. Your "investigation" starts when the user brings in a non-booting device, and whatever happened before that isn't your problem :)
>
> You only correct the copy to boot again, the original stays intact (and if you want one to play with, you make a second copy for that).
>
> -----Original Message-----
> From: Paul Schmehl [mailto:pschmehl_lists (at) tx.rr (dot) com [email concealed]]
> Sent: 28 February 2011 16:59
> To: Dave Howe; forensics (at) securityfocus (dot) com [email concealed]
> Subject: Re: P2V - Live Forensics
>
> --On February 22, 2011 10:18:52 AM +0000 Dave Howe
> <DaveHowe.pentest (at) googlemail (dot) com [email concealed]> wrote:
>
> > On 15/02/2011 15:13, solefarmer (at) gmail (dot) com [email concealed] wrote:
> >> Ladies, Gentlemen, and otherwise:
> >>
> >> I have a situation whereby I need to obtain an image of an individual's
> >> laptop suitable for potential prosecution in a US court; however, I only
> >> have a limited window in which to grab the image, and was looking for
> >> alternatives in order to not "spook" the poor guy or his co-workers who
> >> would no doubt tell him about me, as I go into his office and randomly
> >> image his drive!
> >
> > Here's one I have done in the past.
> > Use psexec, mapped drives, whatever to gain access to the machine while
> > running. rename ntldr to something else - next time the machine shuts
> > down, it won't come up again.
> >
> > User screams, brings in machine for maint
> >
>
> Very clever, but it will cause you problems in court.  You altered the
> drive before you removed it.  Can you prove you didn't alter anything else?
> If not, your image isn't forensically sound and won't hold up in court.
>
> To obtain a forensically sound image, you need to capture the drive, either
> physically or over the network, without making any changes to it.  You also
> need to be able to prove that the image is identical to the drive you
> captured, which means the md5 sum checks out and the image needs to be
> read-only.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
>
>
> David Howe Technical Analyst
>
> T:0161 227 1010 F:0161 227 1020  E: david.howe (at) ansgroup.co (dot) uk [email concealed]
>
>
>
> -----------------------------------------------------------------
> Certify Software Integrity - thawte Code Signing Certificates
> This guide will show you how Code Signing Certificates are used to secure code that can be downloaded from the Internet. You will also learn how these certificates operate with different software platforms.
> http://www.dinclinx.com/Redirect.aspx?36;5000;25;1371;0;2;946;005be7f5c872ea1f
>
>

--
Chris Barber
cmbarber (at) gmail (dot) com [email concealed]

"Any sufficiently advanced technology is indistinguishable from magic."
- Arthur C. Clarke


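Paul's requirement above, that the image be shown identical to the drive that was captured and then kept read-only, is the one part of the procedure that does not depend on how the laptop was obtained. The script below is an added example and not code posted by anyone in this thread: it images a constructed stand-in for the evidence drive with dd, hashes source and image with both MD5 and SHA-256 (the thread mentions only MD5; adding SHA-256 is this example's choice, since MD5 collisions are practical), writes the hashes to an acquisition log, and strips write permission from the image only if the hashes match. The file names, block size and the 4 MiB sample "drive" are assumptions; on a real acquisition the source would be the device node behind a hardware write blocker.

```shell
#!/bin/sh
# Added example (not from the thread): acquire a raw image of an evidence
# drive and prove the image matches the source by hash before locking it
# read-only. The "drive" here is a constructed 4 MiB file standing in for a
# device node such as /dev/sdb behind a hardware write blocker (assumption).
set -eu

# Build the constructed evidence drive: 4 MiB of random bytes, which is an
# exact multiple of the 512-byte block size used by acquire() below.
make_sample_drive() {
    head -c $((4 * 1024 * 1024)) /dev/urandom > "$1"
}

# Print "md5 sha256" for a file. MD5 alone is what the thread mentions;
# SHA-256 is added because MD5 collisions are practical today.
hash_pair() {
    md5=$(md5sum "$1" | cut -d' ' -f1)
    sha=$(sha256sum "$1" | cut -d' ' -f1)
    printf '%s %s\n' "$md5" "$sha"
}

# Bit-for-bit copy with the usual forensic dd options: noerror keeps going
# past unreadable sectors, sync zero-fills them so offsets stay aligned.
# bs must divide the source size exactly (512 = one sector); otherwise sync
# pads the final block and the image hash can never match the source.
# dd's record counts and any error messages are appended to the log.
acquire() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>>"$3"
}

# Hash source and image, record both in the log, return 0 only on a match.
verify() {
    src_h=$(hash_pair "$1")
    img_h=$(hash_pair "$2")
    {
        printf 'verified: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'source %s\n' "$src_h"
        printf 'image  %s\n' "$img_h"
    } >>"$3"
    [ "$src_h" = "$img_h" ]
}

# Image, verify, and only then remove write permission from the image.
# Returns 0 if the image is good, 1 if it must not be relied on.
acquire_and_verify() {
    work=$(mktemp -d)
    src="$work/evidence.raw"    # stand-in for the physical drive
    img="$work/evidence.dd"
    log="$work/acquisition.log"
    make_sample_drive "$src"
    acquire "$src" "$img" "$log"
    if verify "$src" "$img" "$log"; then
        chmod 0444 "$img"
        echo "image verified and write-protected: $img"
        return 0
    fi
    echo "HASH MISMATCH, do not rely on $img" >&2
    return 1
}
```

Run `acquire_and_verify` after sourcing the script. Two caveats the script's comments only hint at: the hash of a live, mounted disk changes while the machine runs, so a post-acquisition comparison against the source only proves anything when the source is powered off or write-blocked; and with `conv=sync` the block size has to divide the source size exactly, or the padded image will hash differently from the source even though nothing was lost.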
Re: P2V - Live Forensics Feb 21 2011 09:21PM
Adam Pal (pal_adam gmx net)
RE: P2V - Live Forensics Feb 21 2011 09:21AM
Brian Hitchen esure com
Re: P2V - Live Forensics Feb 19 2011 10:46AM
quark quark (quark maillist gmail com) (1 replies)
Re: P2V - Live Forensics Feb 21 2011 03:40AM
tchmielarski gmail com (1 replies)
Re: P2V - Live Forensics Feb 26 2011 12:51AM
Valdis Kletnieks vt edu
Re: P2V - Live Forensics Feb 18 2011 04:55PM
Thomas Rozenbroek (trozenbr gmu edu)
RE: P2V - Live Forensics Feb 18 2011 01:36PM
Dan Gimenez (dan gimenez comcast net)
Re: P2V - Live Forensics Feb 18 2011 12:38AM
Erin Kenneally (erin elchemy org)
Re: P2V - Live Forensics Feb 17 2011 11:01PM
William Warren (hescominsoon emmanuelcomputerconsulting com)
Re: P2V - Live Forensics Feb 17 2011 10:54PM
w ahlstros (wahlstros gmail com)
RE: P2V - Live Forensics Feb 17 2011 10:52PM
Bahrs, Art (Arthur Bahrs providence org) (1 replies)
Re: P2V - Live Forensics Feb 21 2011 03:24AM
Paulo Cesar Breim (PCB) (paulo breim com br)


Copyright 2010, SecurityFocus