Re: Internet Explorer History

From: Max Ashton (maxashton@eml.cc)
Date: Mon Jul 17 2006 - 06:23:11 EDT


On Monday 17 July 2006 00:13, kruptos wrote:
> Hello All,
>
> I have been tasked with recovering the recent history of an individual
> laptop. It is suspected that the individual may have gone to an "escort"
> site and attempted to make a purchase via company credit card.

First rule of forensics is not to compromise your 'scene'.

Take an image of the hard disk. I recommend using DD or similar to take an
image of your suspect's hard disk (at the most basic level
"dd if=/dev/hda of=/home/you/noobhdd.img" .. bear in mind using dd you will
need as much free space as the original hd contains). Other tools are fine,
but bear in mind it needs to be a known documented tool. And take an MD5 hash
of the image while you're at it.

Only then do any analysis of the hard disk. Most of the forensics live CDs
contain tools for examining IE's index.dat... BackTrack has one, Helix has
one...

But whatever you do, don't ever examine a live environment. A halfway
competent defence lawyer would just say you put the evidence there yourself.
At the very best, they'd throw the evidence out and your suspect would claim
no knowledge of the CC's use, at worst, you could be up for fraud or who
knows what.

IANAL, check your local laws regarding computer forensics.

-- 
Max Ashton
----------
No amount of network security is as good as a wood chipper.
0x7951CF83  http://www.maxashton.com/pgpkeys/maxashton.asc
----------
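
The image-then-hash step from the message above, as an added example that is not part of the original post. The function names, the `.hashes` log file and the SHA-256 line are assumptions made for illustration; the message itself only mentions dd and MD5.

```shell
#!/bin/sh
# Added example: acquire an image with dd, hash source and image, and
# record the result so the image can be re-verified before analysis.
# acquire_image/verify_image and the "<image>.hashes" log are hypothetical.

acquire_image() {
    src=$1              # device or file to image, e.g. /dev/hda
    img=$2              # destination image file
    log="$img.hashes"   # acquisition record kept beside the image

    # Never overwrite an earlier acquisition.
    if [ -e "$img" ]; then
        echo "refusing to overwrite $img" >&2
        return 2
    fi

    # dd only reads from the source; the copy goes to separate storage.
    dd if="$src" of="$img" bs=64k 2>/dev/null || return 3

    src_md5=$(md5sum < "$src" | cut -d' ' -f1)
    img_md5=$(md5sum < "$img" | cut -d' ' -f1)
    img_sha=$(sha256sum < "$img" | cut -d' ' -f1)   # second digest (assumption)

    {
        echo "source: $src"
        echo "image: $img"
        echo "taken: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "md5(source): $src_md5"
        echo "md5(image): $img_md5"
        echo "sha256(image): $img_sha"
    } > "$log"

    # Make accidental modification of the evidence copy harder.
    chmod a-w "$img" "$log"

    # Succeed only if the image is bit-identical to the source.
    [ "$src_md5" = "$img_md5" ]
}

# Re-check an image against its recorded MD5 before each analysis session.
verify_image() {
    img=$1
    recorded=$(sed -n 's/^md5(image): *//p' "$img.hashes")
    current=$(md5sum < "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}
```

Run `acquire_image /dev/hda /home/you/noobhdd.img` from a boot environment that does not mount the suspect disk, then `verify_image` on the copy before each examination.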



