ursdestiny Just Arrived
Joined: 06 Jan 2005 Posts: 2 Location: Pakistan
Posted: Sat Nov 15, 2008 8:39 am Post subject: server investigation?
Hello,
I have been investigating PCs for the past 2 years and for the first time I have received a server. Basically it is a file with SCSI and RAID running. It was shut down when the office was cracked down on. I have no idea how to proceed. The server belongs to a foreign exchange company accused of money laundering.
How can I image the SCSI drive?
What is the best tool for finding Internet logs from the server?
Thanks
Fire Ant Trusted SF Member
Joined: 27 Jun 2008 Posts: 3 Location: London
Posted: Sat Nov 15, 2008 10:53 am
ursdestiny,
Quote:
"I have no idea how to proceed. The server belongs to a foreign exchange company accused of money laundering."
Don't touch it! You will more than likely compromise any investigation by:
1 - Breaking the chain of evidence
2 - Making a mistake where the defense can claim you tampered with it
You sound ill-prepared for someone who does investigations.
I suggest giving this to a qualified forensic company.
Matt_s
shednik Just Arrived
Joined: 15 Oct 2007 Posts: 0 Location: Pittsburgh, PA
Posted: Sat Nov 15, 2008 8:42 pm
I would definitely not touch the server until you are sure of the processes needed to investigate the server. If you don't, you will chance ruining the admission of any possible evidence on the device.
ursdestiny Just Arrived
Joined: 06 Jan 2005 Posts: 2 Location: Pakistan
Posted: Sat Nov 22, 2008 7:01 pm
Well, I got this process after a lot of research on the Internet.
Boot the server using the EnCase bootable CD.
Image it through EnCase.
And as I was working on an Exchange server, I got the DB file and it worked perfectly.
The hashes were the same after the investigation.
I hope I got it right.
PhiBer SF Mod
Joined: 11 Mar 2003 Posts: 20 Location: Your MBR
Posted: Mon Nov 24, 2008 9:41 pm
You still do not have forensic credentials. As such, it still might be possible to discredit your research/steps taken to properly preserve evidence.
ursdestiny Just Arrived
Joined: 06 Jan 2005 Posts: 2 Location: Pakistan
Posted: Tue Nov 25, 2008 5:32 am
Yes, you guys might be right about my forensic capability, but putting a question on a forum itself explains that.
So hopefully someone can explain the process now, or have I put a wrong question?
PhiBer SF Mod
Joined: 11 Mar 2003 Posts: 20 Location: Your MBR
Posted: Tue Nov 25, 2008 9:13 pm
I know this article does not apply to your country, but it has some great "how-to" information with regard to digital investigations.
You may wish to take a look at the analysis for the Julie Amero case as well for further information on incorrect imaging.