Covert Collection without leaving a trace...

12 Posts
7 Users
0 Reactions
1,070 Views
datacarver
(@datacarver)
Estimable Member
Joined: 18 years ago
Posts: 121
Topic starter  

I have to do a late night collection on a machine. I have to restart the machine to do the image. I know there are tools for live acquisitions, but we do not want to take that route in this case. A system restart is not detrimental to this particular case.

Are there any tools that will prevent system logging, and that will allow me to bring up everything on the screen the same way it was when the custodian left it (open applications, documents)?

I was wondering if there was anything like that. If not, no biggie for this case. Just want to know if anything is out there like that.

Thanks


   
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

I guess I have to wonder why the mandatory restart? There are tools available that would allow you to image the machine with at most a few Registry entries that the average user would never notice.


   
datacarver
(@datacarver)
Estimable Member
Joined: 18 years ago
Posts: 121
Topic starter  

I guess I have to wonder why the mandatory restart? There are tools available that would allow you to image the machine with at most a few Registry entries that the average user would never notice.

It's not mandatory. We could always use a live acquisition tool. I do this on the corporate side; our imaging policy says that we have to use DCFLDD. I'd have to get all these different approvals for a different imaging utility, which, if the case REQUIRED it, we would definitely do. This case really doesn't require it, but I wanted to know, in the event another case came along and it did require us to leave any open applications/docs, are there any options available for a DCFLDD team other than using a live acquisition tool? I'm assuming no. It was probably a dumb question to ask.


   
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

The only dumb question is the one that goes unasked.

You do present an interesting quandary. There are ways to DD remotely but they would require tools in addition to DCFLDD. Any software that you would use to snapshot the system and restore it would certainly create more impact on the system than live forensics. Perhaps the prudent step at this juncture would be to get some other methods pre-authorized in the event the case required it so there is no last minute scrambling.


   
(@charityhope)
New Member
Joined: 19 years ago
Posts: 2
 

Have you considered VOOM's Shadow 2 unit?

enables an investigator to boot and view a suspect's system on site, without threat of altering the evidence on the boot drive. You have the ability to install investigative tools to examine the suspect drive without ever changing the original. Boot and view the suspect system just as the suspect sees it.

http://www.voomtech.com/shadow2.html


   
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

I do not believe collecting is a problem. The problem comes when you try to return the system to the state it was in before the capture so as not to alert the suspect to the capture process.


   
_nik_
(@_nik_)
Trusted Member
Joined: 19 years ago
Posts: 93
 

Collect, reboot and blue-screen the machine.


   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Collect just before Patch Tuesday and let Microsoft reboot the system for you that night.

Arrange a power failure. "Breaker tripped, sorry."

-David


   
datacarver
(@datacarver)
Estimable Member
Joined: 18 years ago
Posts: 121
Topic starter  

Collect, reboot and blue-screen the machine.

I like your idea. I have already done this collection. But we actually just cut the power to the small section of cubicles to stage a power failure. But I was actually thinking about the Blue Screen or error screen. Any suggestions on creating this scenario? God knows you can get the blue screen when you don't want it, now a question that has probably never been asked, "How do I make a blue screen on purpose?" hahah

I found this: http://pcsupport.about.com/od/tipstricks/ht/makebsodxp.htm
but it involves changing registry items and I do not want to make changes.

Possible Solution
A boot disk that allows us to stage different error screens for different OSs.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Just a thought. What about booting up using Kubuntu from CD (assuming the system has a CD and reads from CD on power on)?
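The thread keeps coming back to the team's mandated tool, DCFLDD, and to booting the box from a live CD to image it. The script below is an added example (not posted by anyone in this thread and not part of any tool mentioned here) showing the part of that workflow that matters for evidence integrity: acquire the disk block-for-block, then hash source and image independently and refuse to accept the image unless the hashes match. The device paths are constructed for a self-contained run; `make_sample_disk` builds a small random "disk" file so nothing real is touched. On an actual job the source would be the suspect disk behind a hardware write blocker and the destination would be external media. `acquire_image` uses dcfldd when it is installed and falls back to plain dd with the same read-error options so the example still runs where dcfldd is absent.

```shell
#!/bin/sh
# Added example: dcfldd-style acquisition with independent hash verification.
# All paths are constructed; no real block device is read or written.

# Build a small constructed "suspect disk" (256 KiB of random bytes) so the
# example runs offline. Constructed sample data, not from the thread.
make_sample_disk() {
    sample="$1"
    dd if=/dev/urandom of="$sample" bs=4096 count=64 2>/dev/null
}

# Copy SRC to DST block-for-block. conv=noerror,sync keeps going past read
# errors and pads short blocks, which is what an imaging run wants so that
# one bad sector does not abort the acquisition. dcfldd is preferred when
# present (the team's mandated tool); otherwise plain dd is used.
acquire_image() {
    src="$1"; dst="$2"
    if command -v dcfldd >/dev/null 2>&1; then
        dcfldd if="$src" of="$dst" bs=4096 conv=noerror,sync \
               hash=sha256 hashlog="$dst.hashlog" >/dev/null 2>&1
    else
        dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null
    fi
}

# SHA-256 of one file, computed with a tool other than the imager so the
# check does not depend on the imager's own log.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Hash source and image separately, record both in LOG, and succeed only
# when they are identical. A mismatch means the image is not evidence-grade.
verify_image() {
    src="$1"; dst="$2"; log="$3"
    s=$(sha256_of "$src")
    d=$(sha256_of "$dst")
    printf 'source %s %s\nimage  %s %s\n' "$src" "$s" "$dst" "$d" > "$log"
    [ "$s" = "$d" ]
}

# Stand-alone demonstration: acquire, verify, then show that any later
# change to the image (here one appended byte) is caught by verification.
demo_run() {
    work=$(mktemp -d)
    make_sample_disk "$work/suspect.img"
    acquire_image "$work/suspect.img" "$work/evidence.dd"
    if verify_image "$work/suspect.img" "$work/evidence.dd" "$work/verify.log"; then
        echo "image verified: hashes match"
    else
        echo "image REJECTED: hash mismatch"
    fi
    printf 'x' >> "$work/evidence.dd"
    if verify_image "$work/suspect.img" "$work/evidence.dd" "$work/verify2.log"; then
        echo "altered image wrongly accepted"
    else
        echo "altered image correctly rejected"
    fi
    rm -rf "$work"
}
```

Run `demo_run` to see both outcomes. The design point is that the verification hash is computed by a second tool over the finished image, and the two values are written to a log that travels with the image; that log, not the fact that the copy command exited cleanly, is what supports the chain of custody later.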


   
Page 1 / 2