I hope someone can help me with this inquiry.
I have recently been involved in the execution of an Anton Piller Order (Civilian Search Warrant) where the court gave the plaintiffs access to the respondents' servers, via a local office. Nothing was known about the network or the servers involved in the company, except to say that it was a nationwide company.
When the order was executed, it was found that the entire national network was via a Citrix Metaframe service. When the local machine was logged into, all local drives were shut out which meant we were only able to view or print information. This of course is one of the security measures that has been enabled from within the system for obvious reasons.
My question here is: is there any documentation relating to this type of network that highlights the areas to look at, within the main server(s), for any information that would normally be found on the local machine, such as Link Files, Recycle Bin, Registry Files etc.?
When the local machine, a Toshiba Laptop, logged into the network, a new desktop appeared and the user operated from that. When the local machine was examined, the only information that could be gleaned from it were the Internet Cache files that related to the logging in to the network. There are/were no temp files, the recycle bin is empty, no link files except for the ones for Internet Explorer, basically nothing that we would normally use if examining a stand-alone machine or one connected to a normal network.
Can anyone point me in a direction that better explains this system and where I can possibly find a few white papers on this type of network and the secrets it might hold? I realise that the order should have been for the network servers, but this was not understood by the lawyers involved. The respondents have now challenged a second application for access to the servers.
Any help would be appreciated. 8)
Mike
You have a potentially very complex environment in front of you depending on the size of the server farm, the number of applications the user has access to, what type of network access they have access to, whether they have a preferred server or whether they can login to any of a group of servers.
You can go to Citrix for whitepapers etc. but I'd say you would be better getting access to the company's system architecture documents or else employing a Citrix specialist to assist you in dictating the terms of the search warrant and to define collection points for you.
Hope this helps
Ian
Ian
Thanks for your help. I have tried getting the systems architecture documents, but because the authority doesn't mention them they won't supply them.
As it turns out, my clients have actually won the court battle without the information on the server as we were able to obtain relevant information from the computer from his previous employer.
I see this will become a problem in the future as these systems seem to be increasing in numbers in so many different configurations. I will go to Citrix and see if I can get a few white papers on the systems.
But once again, thank you for the input.