It's been a while since forensics were my daily grind, but I have some thoughts...
Are you a member of the subject's organization? i.e. same company or agency?
If so, your best immediate approach may be going over the wire with AccessData Enterprise (ftk) or a similar tool.
* Cost justification: It's happened once, it'll happen again. Once the agent is installed, the subject is available 24x7.
* Court explanation: AccessData installs an agent that reads the drive. It is its sole function, and
cannot be used to move files onto the target.
* MD5 hash option: If it were me, I wouldn't use that as a foundation for testimony. In order to get
a file MD5, you have to touch it - right? That is harder to explain away than a
remote agent imaging the entire drive.
If you're not part of the subject's organization, or cannot influence purchase of a network tool, it will depend on expanding that time window. Fire drill? Trouble ticket? "Audit" all laptops in the dept in the Help Desk back room? Have the boss invite the whole gang to a long lunch?
Shannon
Disclaimer: The opinions and view expressed are solely those of the sender. The sender's organization makes no claim as to accuracy, efficacy or reliability.
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of solefarmer (at) gmail (dot) com [email concealed]
Sent: Tuesday, February 15, 2011 9:14 AM
To: forensics (at) securityfocus (dot) com [email concealed]
Subject: P2V - Live Forensics
Ladies, Gentlemen, and otherwise:
I have a situation whereby I need to obtain an image of an individual's laptop suitable for potential prosecution in a US court; however, I only have a limited window in which to grab the image, and was looking for alternatives in order to not "spook" the poor guy or his co-workers who would no doubt tell him about me, as I go into his office and randomly image his drive!
I thought about using P2V (Physical to Virtual), but realize that such software does make some steps to alter the system and thus may have court challenges. Is there possibility such could be explained in court, or perhaps md5 hash of his files(not the disk image) taken while online and then compared to a virtual image of sorts.
Please advise, and I'm thinking of sending the winning submission a beer or two or some other minor token of appreciation.
-----------------------------------------------------------------
Certify Software Integrity - thawte Code Signing Certificates
This guide will show you how Code Signing Certificates are used to secure code that can be downloaded from the Internet. You will also learn how these certificates operate with different software platforms.
http://www.dinclinx.com/Redirect.aspx?36;5000;25;1371;0;2;946;005be7f5c8
72ea1f
-----------------------------------------------------------------
Certify Software Integrity - thawte Code Signing Certificates
This guide will show you how Code Signing Certificates are used to secure code that can be downloaded from the Internet. You will also learn how these certificates operate with different software platforms.
http://www.dinclinx.com/Redirect.aspx?36;5000;25;1371;0;2;946;005be7f5c8
72ea1f
It's been a while since forensics were my daily grind, but I have some thoughts...
Are you a member of the subject's organization? i.e. same company or agency?
If so, your best immediate approach may be going over the wire with AccessData Enterprise (ftk) or a similar tool.
* Cost justification: It's happened once, it'll happen again. Once the agent is installed, the subject is available 24x7.
* Court explanation: AccessData installs an agent that reads the drive. It is its sole function, and
cannot be used to move files onto the target.
* MD5 hash option: If it were me, I wouldn't use that as a foundation for testimony. In order to get
a file MD5, you have to touch it - right? That is harder to explain away than a
remote agent imaging the entire drive.
If you're not part of the subject's organization, or cannot influence purchase of a network tool, it will depend on expanding that time window. Fire drill? Trouble ticket? "Audit" all laptops in the dept in the Help Desk back room? Have the boss invite the whole gang to a long lunch?
Shannon
Disclaimer: The opinions and view expressed are solely those of the sender. The sender's organization makes no claim as to accuracy, efficacy or reliability.
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of solefarmer (at) gmail (dot) com [email concealed]
Sent: Tuesday, February 15, 2011 9:14 AM
To: forensics (at) securityfocus (dot) com [email concealed]
Subject: P2V - Live Forensics
Ladies, Gentlemen, and otherwise:
I have a situation whereby I need to obtain an image of an individual's laptop suitable for potential prosecution in a US court; however, I only have a limited window in which to grab the image, and was looking for alternatives in order to not "spook" the poor guy or his co-workers who would no doubt tell him about me, as I go into his office and randomly image his drive!
I thought about using P2V (Physical to Virtual), but realize that such software does make some steps to alter the system and thus may have court challenges. Is there possibility such could be explained in court, or perhaps md5 hash of his files(not the disk image) taken while online and then compared to a virtual image of sorts.
Please advise, and I'm thinking of sending the winning submission a beer or two or some other minor token of appreciation.
-----------------------------------------------------------------
Certify Software Integrity - thawte Code Signing Certificates
This guide will show you how Code Signing Certificates are used to secure code that can be downloaded from the Internet. You will also learn how these certificates operate with different software platforms.
http://www.dinclinx.com/Redirect.aspx?36;5000;25;1371;0;2;946;005be7f5c8
72ea1f
-----------------------------------------------------------------
Certify Software Integrity - thawte Code Signing Certificates
This guide will show you how Code Signing Certificates are used to secure code that can be downloaded from the Internet. You will also learn how these certificates operate with different software platforms.
http://www.dinclinx.com/Redirect.aspx?36;5000;25;1371;0;2;946;005be7f5c8
72ea1f
[ reply ]