Security Basics mailing list archives

First Investigation - Need advice
From: forensic Helpwanted <forensichelpwanted () fsmail net>
Date: Fri, 12 Mar 2004 08:29:58 +0100 (CET)


I have been tasked with carrying out a search and seizure with the aid of a court order.  I can't ask local law enforcement, as it is a civil matter, but I need a little help and figured this should be a good place to find it.

I do have some knowledge and experience from when I was studying for the CISSP exam (which I passed), but I do not have any hands-on forensic experience.

What I am basically looking for is a list of tools that I can get my hands on quickly and cheaply, and if possible a 
checklist or methodology to work to.

I know this should be left to the experts, but time constraints and budget mean this is not possible; besides, how hard can it be?  <g>

We have 2 locations to "raid" simultaneously, so I will be at one site, and a colleague at another.  

The plan thus far is:

Video-record everything, from entry to the building to sealing an image of the machines in question into polythene-type bags and signing over the top of them.  The investigation into the data will also be recorded on video.

Two images will be taken on site, one for sealing in the bag, another as the "working copy".  These will be MD5 
checksummed, and the hash recorded on paper.  The sealed copy will go to a secure storage location for appearance in 
court, and the working copy used to gather evidence.  The original will be returned to its owner.

Each and every step taken will be recorded, witnessed, and signed off by the person who takes the action, the person who witnesses it, and the person who records the activity.

All personnel involved will be available for court dates should it come to that.  But we strongly believe that the 
required information will be gained from one of the two locations, and that will be enough for the "plaintiff" to 
present to the "defendant" so that a settlement can be reached.

Have I missed anything fundamental?  Are there some other steps I should take?  What tools and methods should be used to gather the images, and to interrogate the images once gathered?

Thanks in advance for the help.
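The imaging step the post describes (two images per machine, hashes recorded on paper, original returned to its owner), as an added example that is not part of the original post or any reply: a POSIX shell script that images a device with dd, hashes the source before and after acquisition and both copies, and only reports success when every hash agrees. The device path, output directory, case identifier and the OPERATOR environment variable are illustrative assumptions; the script assumes GNU coreutils (dd, md5sum, sha256sum) and, for the offline demo, uses a constructed 1 MiB random file in place of the evidence device. It records SHA-256 alongside the MD5 the post mentions, because MD5 is no longer collision-resistant and a court may ask about it.

```shell
#!/bin/sh
# Added example (not from the original post): forensic acquisition of two
# verified images plus a hash log. Assumes GNU coreutils (dd, md5sum, sha256sum);
# the device path, output directory, case id and OPERATOR variable are
# illustrative assumptions, not anything the post specifies.
set -eu

# hash_file FILE -> prints "<md5> <sha256>" on one line
hash_file() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha256sum "$1" | cut -d' ' -f1)"
}

# acquire SRC OUTDIR CASEID
# Writes OUTDIR/CASEID-sealed.dd and OUTDIR/CASEID-working.dd, hashes the source
# before and after imaging and both images, and appends all of it to
# OUTDIR/CASEID.log. Returns 0 only when every hash agrees; otherwise logs
# MISMATCH and returns 1.
acquire() {
    src=$1; out=$2; caseid=$3
    mkdir -p "$out"
    log="$out/$caseid.log"
    sealed="$out/$caseid-sealed.dd"
    working="$out/$caseid-working.dd"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # Hash the source first so any change during acquisition shows up in the log
    before=$(hash_file "$src")

    # bs=512 matches the sector size: with conv=sync every short read is padded
    # to bs, so a larger bs would zero-pad the tail of the image and break the
    # hash comparison. conv=noerror keeps going past unreadable sectors.
    dd if="$src" of="$sealed"  bs=512 conv=noerror,sync 2>/dev/null
    dd if="$src" of="$working" bs=512 conv=noerror,sync 2>/dev/null

    after=$(hash_file "$src")
    h_sealed=$(hash_file "$sealed")
    h_working=$(hash_file "$working")

    {
        echo "case=$caseid time=$ts operator=${OPERATOR:-unset} source=$src"
        echo "source-before md5 sha256: $before"
        echo "source-after  md5 sha256: $after"
        echo "sealed        md5 sha256: $h_sealed"
        echo "working       md5 sha256: $h_working"
    } >> "$log"

    if [ "$before" = "$after" ] && [ "$before" = "$h_sealed" ] && [ "$before" = "$h_working" ]; then
        echo "verified: source and both images agree" >> "$log"
        return 0
    else
        echo "MISMATCH: hashes differ; images cannot be relied on" >> "$log"
        return 1
    fi
}

# verify_image IMAGE EXPECTED_MD5 -> 0 if the image still matches the hash
# written down at seizure time, 1 otherwise (run this before any analysis)
verify_image() {
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Constructed demo input: a 1 MiB random file standing in for the evidence device
make_demo_device() {
    dd if=/dev/urandom of="$1" bs=1024 count=1024 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_device "$tmp/device.img"
    acquire "$tmp/device.img" "$tmp/evidence" CASE-001 && echo "acquisition verified"
    cat "$tmp/evidence/CASE-001.log"
fi
```

Hashing the source before and after only detects a change to the original; it does not prevent one. Attaching the drive through a hardware write blocker (or, at minimum, never mounting it) is what keeps the "original returned to its owner" defensible, and the log line with the operator name and UTC timestamp is what gets copied onto the paper record and signed by the witness.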
