Computer Forensics (was: Peoria Schools can't afford to repl…

Author: Gary Nichols
Date:  
Old-Topics: Peoria Schools can't afford to replace stolen computers
Subject: Computer Forensics (was: Peoria Schools can't afford to replace stolen computers)
On Sunday, October 19, 2003, at 10:08 PM, der.hans wrote:
> Ernie, www.Linux-Forensics.com, posted a query on how to view the data on
> hard drives without changing anything because changing a single bit on the
> hard drive will get it banned as evidence.
>
> What does the boot sector have to do with the email content saved to the
> drive? The swap sector? That's like saying all the evidence in a house is
> not admissible because someone opened the refrigerator door. There might be
> cases where that's true, but it isn't the general case.

A large part of it is doubt. If the investigator(s) don't maintain
proper chain-of-custody of evidence, or don't keep the evidence
pristine, or don't follow industry-standard computer forensic
procedures, I can guarantee you 99.9% of the time the defense WILL get
the evidence disallowed *or* they can put enough doubt into the judge
and jury that they won't consider the evidence unreliable.

I've come into cases right behind corporate security teams that had no
clue what they were doing. They tainted the evidence and it was thrown
out of court with me trying to establish evidence elsewhere (server
logs, network traffic logs, etc.).

Want a great example? I asked $clueless_security_guy at one company
what procedure he followed to turn off $evidence_workstation. You know
what he did? He clicked "shutdown" and let the machine complete a
Windows shutdown, then turned the PC off. GAH!!!!!!!!!! Holy
over-written evidence, Batman! Good-bye timestamps, swap space
critters... etc.

When I told him he should have left the machine on and pulled the power
plug out FROM THE BACK OF THE MACHINE he just looked at me like I was
insane.

I had another case where the security guy's version of making a
'bitstream backup copy' of the drive consisted of mounting the evidence
drive (no write-blocker) on the secondary IDE channel of a drive and
then doing a "XCOPY C:\*.* /s E:\". No, I'm not kidding.

Security is a very frustrating field sometimes. *SIGH*
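Added example, not from the original thread: a Python sketch of the difference between a sector-by-sector bitstream acquisition (verified by an acquisition hash) and the file-level XCOPY copy described above. The eight-sector "drive", its directory, file contents and the deleted-file remnant are all constructed for the demonstration.

```python
import hashlib

SECTOR = 512
# Constructed toy drive: allocated files as (name, start_sector, contents).
ALLOCATED = [("memo.txt", 1, b"memo: meeting moved to Friday"),
             ("notes.txt", 2, b"notes: call the vendor about invoices")]
# A file deleted earlier: its directory entry is gone, its bytes in sector 3 are not.
REMNANT = b"deleted file: draft of the quarterly report"

def build_disk() -> bytes:
    """Lay out the constructed 8-sector 'evidence drive'."""
    disk = bytearray(8 * SECTOR)
    for _name, sector, data in ALLOCATED:
        disk[sector * SECTOR:sector * SECTOR + len(data)] = data
    disk[3 * SECTOR:3 * SECTOR + len(REMNANT)] = REMNANT
    return bytes(disk)

def logical_copy(disk: bytes) -> bytes:
    """What a file-level copy (XCOPY) captures: only bytes the directory still
    points to. Slack space, unallocated sectors and deleted data are left behind."""
    return b"".join(disk[s * SECTOR:s * SECTOR + len(d)] for _n, s, d in ALLOCATED)

def bitstream_image(disk: bytes) -> tuple[bytes, str]:
    """Copy every sector of the device, hashing the bytes as they are read from
    the (write-blocked) source. Returns the image and the acquisition hash."""
    acquired = hashlib.sha256()
    image = bytearray()
    for off in range(0, len(disk), SECTOR):
        block = disk[off:off + SECTOR]
        acquired.update(block)
        image += block
    return bytes(image), acquired.hexdigest()

def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Independently re-hash the image; a single flipped bit fails this check."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash

def contains(data: bytes, needle: bytes) -> bool:
    """Does the copy still hold the given byte sequence?"""
    return needle in data

if __name__ == "__main__":
    disk = build_disk()
    image, acq_hash = bitstream_image(disk)
    print("bitstream image verified:", verify_image(image, acq_hash))
    print("remnant in bitstream image:", contains(image, REMNANT))
    print("remnant in XCOPY-style copy:", contains(logical_copy(disk), REMNANT))
```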