On Sunday, October 19, 2003, at 10:08 PM, der.hans wrote:

> Ernie, www.Linux-Forensics.com, posted a query on how to view the data on
> hard drives without changing anything because changing a single bit on the
> hard drive will get it banned as evidence.
>
> What does the boot sector have to do with the email content saved to the
> drive? The swap sector? That's like saying all the evidence in a house is
> not admissible because someone opened the refrigerator door. There might be
> cases where that's true, but it isn't the general case.

A large part of it is doubt. If the investigator(s) don't maintain proper chain-of-custody of evidence, or don't keep the evidence pristine, or don't follow industry-standard computer forensic procedures, I can guarantee you 99.9% of the time the defense WILL get the evidence disallowed *or* they can put enough doubt into the judge and jury that they won't consider the evidence unreliable.

I've come into cases right behind corporate security teams that had no clue what they were doing. They tainted the evidence and it was thrown out of court with me trying to establish evidence elsewhere (server logs, network traffic logs, etc).

Want a great example? I asked $clueless_security_guy at one company what procedure he followed to turn off $evidence_workstation. You know what he did? He clicked "shutdown" and let the machine complete a Windows shutdown, then turned the PC off. GAH!!!!!!!!!! Holy over-written evidence batman! Good-bye timestamps, swap space critters... etc. When I told him he should have left the machine on and pulled the power plug out FROM THE BACK OF THE MACHINE he just looked at me like I was insane.

I had another case where the security guy's version of making a 'bitstream backup copy' of the drive consisted of mounting the evidence drive (no write-blocker) on the secondary IDE channel of a drive and then doing a "XCOPY C:\*.* /s E:\". No, I'm not kidding.

Security is a very frustrating field sometimes.
*SIGH*
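An added example, not part of the original thread: a minimal verified bit-for-bit acquisition in Python, hashing the source before and after the copy and recording the result for the chain-of-custody log. The "drive" here is a constructed sample file, not real evidence, and the `examiner` field and record layout are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # read/write granularity; every byte is copied, not just files

def sha256_of(path):
    """Hash a file (or block device) in fixed-size blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source, image, examiner):
    """Bitstream copy of `source` into `image` with before/after hashes.
    The source is only ever opened read-only; a hardware write-blocker
    is still the right control on a real evidence drive."""
    before = sha256_of(source)
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            h.update(chunk)          # hash exactly what was written
            dst.write(chunk)
    after, img = sha256_of(source), sha256_of(image)
    return {
        "examiner": examiner,                     # assumed log field
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256_before": before,
        "source_sha256_after": after,
        "image_sha256": img,
        # all four must agree or the acquisition is not trustworthy
        "verified": before == h.hexdigest() == after == img,
    }

def verify_image(image, record):
    """Re-check at any later time; one changed bit fails this."""
    return sha256_of(image) == record["image_sha256"]

def demo():
    """Constructed sample drive: image it, verify, then flip one bit."""
    work = tempfile.mkdtemp()
    drive, image = os.path.join(work, "drive.bin"), os.path.join(work, "drive.dd")
    with open(drive, "wb") as f:
        f.write(b"From: alice@example.test\r\n" + bytes(range(256)) * 32)
    record = acquire_image(drive, image, "examiner-1")
    clean = verify_image(image, record)
    with open(image, "r+b") as f:       # simulate a single-bit change
        f.seek(10); b = f.read(1); f.seek(10); f.write(bytes([b[0] ^ 0x01]))
    return record["verified"], clean, verify_image(image, record)
```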