Home page logo
/

basics logo Security Basics mailing list archives

RE: First Investigation - Need advice
From: "Aditya, ALD [Aditya Lalit Deshmukh]" <aditya.deshmukh () online gateway technolabs net>
Date: Sun, 14 Mar 2004 11:51:00 +0530

I have been tasked with carrying out a search and seize with the 
aid of a court order.  I can't ask local law enforcement as it is 
a civil matter, but I need a little help and figured this should 
be a good place to find it.

security basics is not a good place for this / try the foriencs list they are very good at this  

I do have some knowledge and experience from when I was studying 
for the CISSP exam, I passed, but do not have any forensic 
hands-on experience.  


that would help you a lot in what you are doing 
 
What I am basically looking for is a list of tools that I can get 
my hands on quickly and cheaply, and if possible a checklist or 
methodology to work to.


ask on the foreincs list, 
the cheapest tools are ( i am understanding that you will be using ) linux because it is the most flexible system for 
these sorts of tasks


I know this should be left to the experts, but time constraints 
and budget mean this is not possible, besides how hard can it be.  <g>

it's not very hard if you know what you are doing, besides if your case is handled by a law enforcement official it 
will hold up in court as this is a lawsuit a small mistake can simply invalidate all your evidence .... please do call 
expert consultants if you want 



We have 2 locations to "raid" simultaneously, so I will be at one 
site, and a colleague at another.  



The plan thus far is....



Video record everything from entry to the building, to sealing a 
image of the machines in question into polythene type bags, and 
signing over the top of them.  Also, the investigation into the 
data will be recorded on video.



and keep one of the signed copy at some safebox which can be used for verifying the authicity of the proof that you 
have in your hand


Two images will be taken on site, one for sealing in the bag, 
another as the "working copy".  These will be MD5 checksummed, 
and the hash recorded on paper.  The sealed copy will go to a 
secure storage location for appearance in court, and the working 
copy used to gather evidence.  The original will be returned to its owner.


that is a good idea.....


Each and every step taken, will be recorded, and witnessed, and 
signed off by the person who takes the action, the person who 
witnesses, and the person who recorded the activity.  



have 2 witness for safty


All personnel involved will be available for court dates should 
it come to that.  But we strongly believe that the required 
information will be gained from one of the two locations, and 
that will be enough for the "plaintiff" to present to the 
"defendant" so that a settlement can be reached.


best of luck in your investigation


Have I missed anything fundamental?  Are there some other steps I 
should take?  What tools, methods should be used to gather the 
images and interrogate the images when gathered?


the tools used to analysed the images depends how big your images are,what are u are trying to look for: my personal 
preference is encase or on linux there is a tools called lazurus



Thanks in advance for the help.




hope that was helpful




-aditya



________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]