Security Forums


server investigation?

ursdestiny
Just Arrived


Joined: 06 Jan 2005
Posts: 2
Location: Pakistan

Posted: Sat Nov 15, 2008 8:39 am    Post subject: server investigation?

Hello,
I have been investigating PCs for the past 2 years, and for the first time I have received a server. Basically it is a file with SCSI and RAID running. It was shut down during the crackdown on the office. I have no idea how to proceed. The server belongs to a foreign exchange company accused of money laundering.

How can I image the SCSI drive?
What is the best tool for finding Internet logs from the server?

Thanks
Fire Ant
Trusted SF Member


Joined: 27 Jun 2008
Posts: 3
Location: London

Posted: Sat Nov 15, 2008 10:53 am    Post subject:

ursdestiny,

Quote:
I have no idea how to proceed. The server belongs to a foreign exchange company accused of money laundering.


Don't touch it! You will more than likely compromise any investigation by:

1 - Breaking the chain of evidence
2 - Making a mistake where the defense can claim you tampered with it

You sound ill-prepared for someone who does investigations.

I suggest giving this to a qualified forensic company.

Matt_s
shednik
Just Arrived


Joined: 15 Oct 2007
Posts: 0
Location: Pittsburgh, PA

Posted: Sat Nov 15, 2008 8:42 pm    Post subject:

I would definitely not touch the server until you are sure of the processes needed to investigate the server. If you don't, you will chance ruining the admission of any possible evidence on the device.
ursdestiny
Just Arrived


Joined: 06 Jan 2005
Posts: 2
Location: Pakistan

Posted: Sat Nov 22, 2008 7:01 pm    Post subject:

Well, I got this process after a lot of research on the Internet.

Boot the server using the EnCase bootable CD.

Image it through EnCase.

And as I was working on an exchange server, I got the DB file and it worked perfectly.

The hashes were the same after the investigation :)

I hope I got it right.
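The hash comparison mentioned in the post above can be scripted as follows. This is an added example, not part of the original thread and not a description of how EnCase works internally; the function names, the 1 MiB block size and the sample files are assumptions made for illustration. It hashes the source and the image with two algorithms and, on a mismatch, reports the offset of the first differing block.

```python
import hashlib
import tempfile
from pathlib import Path

BLOCK = 1 << 20  # read size, and the granularity used to locate a mismatch

def digest(path, algorithms=("md5", "sha256")):
    """One sequential read-only pass; returns (size, {algorithm: hexdigest})."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(BLOCK):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}

def first_mismatch(source, image):
    """Byte offset of the first differing block, or None if identical."""
    with open(source, "rb") as a, open(image, "rb") as b:
        offset = 0
        while (x := a.read(BLOCK)) == b.read(BLOCK):
            if not x:  # both files ended at the same point
                return None
            offset += BLOCK
        return offset

def verify_image(source, image):
    """Compare source and image; the returned record belongs in the case notes."""
    src, img = digest(source), digest(image)
    match = src == img  # sizes and every digest must agree
    return {"source": src, "image": img, "match": match,
            "first_mismatch": None if match else first_mismatch(source, image)}

def demo():
    """Constructed sample: a 3 MiB 'disk', a faithful copy, a copy with one flipped byte."""
    tmp = Path(tempfile.mkdtemp())
    data = bytearray(bytes(range(256)) * (3 * BLOCK // 256))
    (tmp / "disk.raw").write_bytes(data)
    (tmp / "good.img").write_bytes(data)
    data[2 * BLOCK + 17] ^= 0xFF  # corrupt a single byte in the third block
    (tmp / "bad.img").write_bytes(data)
    return (verify_image(tmp / "disk.raw", tmp / "good.img"),
            verify_image(tmp / "disk.raw", tmp / "bad.img"))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```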
PhiBer
SF Mod


Joined: 11 Mar 2003
Posts: 20
Location: Your MBR

Posted: Mon Nov 24, 2008 9:41 pm    Post subject:

You still do not have forensic credentials. As such, it still might be possible to discredit your research/steps taken to properly preserve evidence.
ursdestiny
Just Arrived


Joined: 06 Jan 2005
Posts: 2
Location: Pakistan

Posted: Tue Nov 25, 2008 5:32 am    Post subject:

Yes, you guys might be right about my forensic capability, but to put a question on a forum itself explains that.

So hopefully someone can explain the process now, or have I put a wrong question?
PhiBer
SF Mod


Joined: 11 Mar 2003
Posts: 20
Location: Your MBR

Posted: Tue Nov 25, 2008 9:13 pm    Post subject:

I know this article does not apply to your country, but it has some great "how-to" information in regards to digital investigations.

You may wish to take a look at the analysis for the Julie Amero case as well for further information on incorrect imaging.
All times are GMT + 2 Hours