Matt and Kelly,
I guess there is one point here that leads to
possible issues a cd to forensically collect
evidence for law enforcement would require that
you collect the data with a device that could
not write to the hard disk,
What if you could collect the data you needed, but know and be able to show
that the likelihood of you changing data is low to unlikely?
The issue with a disk that would collect
real-time as the OS was logged in with a
administrator would give you the ability to
change the data
It may give you the ability, but that doesn't mean that you're going to destroy
or create evidence. In the real world, LEOs have the ability all the time to
plant or modify evidence...but that doesn't mean that they do.
I could use PSexec or runas or something to log
in as administrator, but I have a concern that
this may alter important information on the
computer.
Of course it will...any time you interact with a live machine, you're going to
alter something. The question isn't one of altering data on the system, but
can you show that you understand that, and do you have documentation of your
actions?
LEOs interact with crime scenes and evidence all the time. However, they have
processes and documentation...why should the digital world be any different?
The question I have is, what is the best policy
when creating a forensic boot disk?
Okay, I'm confused...you started out asking about a "live data collection
forensic CD", and know int the same paragraph you're referring to a forensic
boot disk. You're aware, I'm sure, that a bootdisk obviates the need for a
"live data collection forensic CD".
Is it best to wait for the information or have
the CD log in as local administrator to collect
information in a timely fashion before shutting
down? I do have the local admin password so
that is not an issue. I am talking about
windows boxes.
I would think that it would be best to document what you do thoroughly. Do
some testing to show due diligence, and then document what you do.
Harlan
http://windowsir.blogspot.com
