I have had a very similar case.
If your network is fast enough i would suggest you do a live image using psexec, dd, netcat, and md5sum.
Obtain a shell on her box using psexec (use a domain admin account), mount a remote samba share under the context of that user, and then dd the PhysicalDisk as normal to the remote share.
This way the user will never know that you were even on thier PC, and you dont need to take the laptop away. It is by far the cleanest and most stealthy approach.
On a gig network it is possible to image a 250gig laptop drive in about 6 hours.
-----------------------------------------------------------------
Certify Software Integrity - thawte Code Signing Certificates
This guide will show you how Code Signing Certificates are used to secure code that can be downloaded from the Internet. You will also learn how these certificates operate with different software platforms.
http://www.dinclinx.com/Redirect.aspx?36;5000;25;1371;0;2;946;005be7f5c8
72ea1f
If your network is fast enough i would suggest you do a live image using psexec, dd, netcat, and md5sum.
Obtain a shell on her box using psexec (use a domain admin account), mount a remote samba share under the context of that user, and then dd the PhysicalDisk as normal to the remote share.
This way the user will never know that you were even on thier PC, and you dont need to take the laptop away. It is by far the cleanest and most stealthy approach.
On a gig network it is possible to image a 250gig laptop drive in about 6 hours.
-----------------------------------------------------------------
Certify Software Integrity - thawte Code Signing Certificates
This guide will show you how Code Signing Certificates are used to secure code that can be downloaded from the Internet. You will also learn how these certificates operate with different software platforms.
http://www.dinclinx.com/Redirect.aspx?36;5000;25;1371;0;2;946;005be7f5c8
72ea1f
[ reply ]