Re: tools used to examine a computer
From: Chuck Swiger <cswiger () mac com>
Date: Fri, 14 Feb 2003 13:02:17 -0500
Hopkins, Joshua wrote:
> [ ... ]
> I found that a login script was placed into the admin account for
> that machine and the script erased the evidence. I was able to copy
> some files over the network before I took the computer into custody.
> What tools are out there that can really be helpful in
Considering how cheap basic RAID-1 mirroring for IDE drives is, you
might think about setting up all of your machines with two disks in a
mirror. When you want to examine a machine without risking the problem
you encountered, break the RAID-1 mirror before starting up the OS.
If you're really worried, or if you'd really like to make sure evidence
stays intact, you can even take one disk out and add a write-protect
jumper before investigating the system.
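An added example, not part of Chuck's reply or anything else in this thread: once a mirror half has been pulled (or a disk otherwise write-protected), the next step a practitioner wants is a bit-for-bit image with digests recorded at acquisition time, so that any later change to the evidence, whether by a login script like the one Joshua describes or by an analyst's own mistake, is detectable. The script below assumes a Linux host with coreutils (dd, sha256sum) and util-linux (blockdev), and root if the source is a real block device; the function names and the `.sha256` sidecar file layout are this example's own conventions, not a standard. On a regular file (as used when testing it) the kernel read-only step is skipped, since that only applies to block devices.

```shell
#!/bin/sh
# Added example (not from the original thread): image a detached mirror half
# read-only and verify the copy by hash before any analysis touches it.
# Assumes Linux coreutils (dd, sha256sum) and util-linux (blockdev); imaging
# a real disk needs root. Function names and the ".sha256" sidecar format are
# conventions chosen for this example.

sha256_of() {
    # Print only the hex digest of a file or block device.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

set_read_only() {
    # On a real block device, ask the kernel to refuse writes before imaging
    # and confirm it took. Regular files are skipped. A hardware jumper or
    # write-blocker, as the thread suggests, is still the stronger control.
    if [ -b "$1" ]; then
        blockdev --setro "$1" || return 1
        [ "$(blockdev --getro "$1")" = "1" ] || return 1
    fi
    return 0
}

acquire_image() {
    # Usage: acquire_image SOURCE IMAGE_PATH
    # Returns 0 only when the image hashes identically to the source and the
    # source hashes the same before and after acquisition. Digests are
    # recorded in IMAGE_PATH.sha256 for later re-verification.
    src="$1"; img="$2"
    set_read_only "$src" || return 1
    before=$(sha256_of "$src")
    # Plain dd: a read error aborts rather than silently producing a copy
    # that cannot match the source hash. For failing media use ddrescue.
    dd if="$src" of="$img" bs=1048576 2>/dev/null || return 1
    after=$(sha256_of "$img")
    src_after=$(sha256_of "$src")
    printf '%s  source-before\n%s  image\n%s  source-after\n' \
        "$before" "$after" "$src_after" > "$img.sha256"
    [ "$before" = "$after" ] && [ "$before" = "$src_after" ]
}

verify_image() {
    # Usage: verify_image IMAGE_PATH
    # Returns 0 if the image still matches the digest recorded at
    # acquisition time, 1 if it has been altered since.
    recorded=$(awk '$2 == "image" {print $1}' "$1.sha256")
    [ -n "$recorded" ] && [ "$(sha256_of "$1")" = "$recorded" ]
}
```

Run `acquire_image /dev/sdb1 /mnt/cases/host-a.dd` against the detached half, and `verify_image /mnt/cases/host-a.dd` before every analysis session; a non-zero exit from either means the evidence can no longer be shown to be what was seized.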