We have a new case where many, many new PCs/laptops have allegedly been installed with unauthorised copies of Windows and Office. On this basis, the data we are looking to extract is very limited and targeted. However, conventional procedures would dictate a full forensic image (and second archive). From the client's perspective, this is expensive and cumbersome. And yet, I am always wary of "cutting corners" in order to keep costs down, and the application of the ACPO principles does not depend on the amount of data you wish to examine, report and exhibit.
Any thoughts?
Are all the computers on a domain? You could use one of the many readily available auditing suites.
Prime candidate for creating a tool that loads off a USB, grabs the serial number and sticks it in a text document on the USB.
As long as the program can be shown to be accurate (and you can provide source to prove this) there is no reason to perform a full image of each. It might of course be advisable to image a small sample first, just incase someone tries any funny stuff later on.
Of course when the scope of the job inevitably grows, you'll have to image everything anyhow.
Since the info you are looking for comes from the Registry (if I get it right), you could back up just the Registries of the machines.
This could be done by booting from USB and copying the (offline) Registry; unless there are encrypted filesystems, the procedure can be done in a forensically sound manner, with no actual login to the installed OS (besides, of course, getting the disk out of the machine and getting just the meaningful data through a write blocker).
Same goes for other meaningful files, like the Setup log, etc.
jaclaz
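A minimal form of the USB-booted, offline collection described in the two replies above (the "grab it and stick it in a text document" tool and the offline Registry copy), as an added example that is not from the thread: it copies the SOFTWARE and SYSTEM hives and the setup log from an already mounted, read-only Windows volume and writes a hashed manifest so the selective copy can be verified later. The mount point, the output directory and the `collect_hives` name are assumptions; reading the product key out of the SOFTWARE hive is left to an offline registry tool.

```shell
#!/bin/sh
# Added example (not from the thread): targeted collection of offline registry
# hives and the setup log from a mounted Windows volume, with a SHA-256 manifest
# so the partial copy can be verified against the source later. Mount point and
# output directory are assumptions; the relative paths are standard Windows ones.
set -eu

# Artifacts relevant to a licensing check: SOFTWARE hive (product IDs live
# there), SYSTEM hive, and the Windows setup log.
TARGETS="Windows/System32/config/SOFTWARE Windows/System32/config/SYSTEM Windows/Panther/setupact.log"

# collect_hives MOUNT OUTDIR
# Copies each artifact that exists, hashes source and copy, and records the
# result in OUTDIR/manifest.txt. Returns non-zero if any copy does not match
# its source; a missing artifact is logged but is not an error.
collect_hives() {
    mount="$1"; out="$2"
    mkdir -p "$out"
    manifest="$out/manifest.txt"
    printf 'collected_utc=%s examiner_host=%s mount=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$mount" > "$manifest"
    status=0
    for rel in $TARGETS; do
        src="$mount/$rel"
        [ -f "$src" ] || { printf 'MISSING %s\n' "$rel" >> "$manifest"; continue; }
        dst="$out/$(basename "$rel")"
        cp -p "$src" "$dst"                      # -p keeps source timestamps
        src_sum=$(sha256sum "$src" | cut -d' ' -f1)
        dst_sum=$(sha256sum "$dst" | cut -d' ' -f1)
        if [ "$src_sum" = "$dst_sum" ]; then
            printf 'OK %s %s\n' "$src_sum" "$rel" >> "$manifest"
        else
            printf 'MISMATCH %s\n' "$rel" >> "$manifest"
            status=1
        fi
    done
    return $status
}
```

Run it from the boot USB as `collect_hives /mnt/win /media/usb/case01/hostname` with the volume mounted read-only; keep the manifest with the exhibit.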
We have a new case where many, many new PCs/laptops have allegedly been installed with unauthorised copies of Windows and Office. On this basis, the data we are looking to extract is very limited and targeted. However, conventional procedures would dictate a full forensic image (and second archive). From the client's perspective, this is expensive and cumbersome. And yet, I am always wary of "cutting corners" in order to keep costs down, and the application of the ACPO principles does not depend on the amount of data you wish to examine, report and exhibit.
Any thoughts?
The ACPO guide is written primarily for LE. It's not concerned with cost and inconvenience to the end client, whereas if you're running a business these are very important. The already mentioned network auditing would get you the same results in 30 minutes as would imaging all the PCs/laptops on the network. Whether the results are admissible as evidence in either case comes down to you!
Well, if you are looking at more than the registry you could try out AccessData Live Response & AD Triage.
The ACPO guidelines actually specifically mention a situation like this:
In order to comply with the principles of computer-based electronic evidence, wherever practicable, an image should be made of the entire target device. Partial or selective file copying may be considered as an alternative in certain circumstances, e.g. when the amount of data to be imaged makes this impracticable. However, investigators should be careful to ensure that all relevant evidence is captured.
(highlighting of fragments done by me)
For some reason, this old 'take the full image' doctrine is still very prevalent (somehow nobody ever questions why the police do not take a whole building with them when they collect fingerprints and 'just' take photographs and imprints…) - while a more effective and practical approach is often desirable (and not just in commercial situations). As long as you can defend your choices and actions, even a single log file could in some cases be enough.
Yes, this whole concept of taking a complete image and interpreting the ACPO Guide is interesting. I was always taught that Principle 2 is there to cover technical circumstances where Principle 1 can't be applied. For example, not taking down a complete server/network.
Within my example, there is no technical reason whatsoever stopping us from imaging every drive. It is the financial implications that prevent us. In the world of the private sector, we can say Principle 2 applies when Principle 1 is not financially viable. But this can be a dangerous road to go down, as it is the client/market who has some input into what is financially viable, and this may not be the best way to protect best practice and high standards.
All very interesting and thought provoking.
In my opinion, the principles say nothing about the amount or type of data. They only describe the ways in which it is gathered.
Principle 1
No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2
In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
(highlighting again by me)
You can gather a subset of the full image through a write blocker and still comply with principle 1.
Principle 2 opens the door to situations where you want to gather live evidence such as volatile data.
But IMHO there is nothing there that describes partial or full imaging. And most importantly, all the principles emphasise that the decision lies with the person leading the investigation: if you think that (for whatever reason) you have to do things a certain way (and financial motivation, business impact or speed of investigation can be perfectly valid reasons) and are happy to defend that decision, then go for it. We shouldn't force ourselves to be less effective because of "ACPO-fundamentalists"…
Everybody accepts that you can't close the M25 for 3 weeks after a major accident and that you have to resort to photographs, statements and other interpretations for the final investigation - we shouldn't be afraid to draw similar analogies to our field.
Using an approach like 'jaclaz' describes is in my opinion perfectly valid and the way to go rather than a dangerous road - you adhere to the ACPO principles and you show you properly balanced all interests, such as privacy invasion, money/time spent on the investigation and capturing of relevant evidence. This shows you actually think while doing your investigation rather than just running a 'button-clicking forensic factory' 😉
(and to be sure, you can always create full images of a small sample of the machines, should you need to do a more detailed analysis at a later stage)
The ACPO guide is written primarily for LE. It's not concerned with cost and inconvenience to the end client, whereas if you're running a business these are very important.
In the current financial climate, they (cost, time, etc.) are also becoming increasingly important for LE too!!