
image of server

5 Posts
4 Users
0 Reactions
626 Views
(@krishna)
Trusted Member
Joined: 17 years ago
Posts: 47
Topic starter  

Hi everybody,

I have a question. Recently I visited a corporate office where all their activities were being carried out on servers like IBM and Sun. Their business is spread across the globe and the systems run 24/7. The DBA takes a full backup every day. If any fraud occurs in this office, is it necessary to take an image of the server by shutting down their business, or can we depend on their full backup? How do we proceed in this crime scenario? Please advise.

krishna


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Backups of the database most likely won't be sufficient to investigate fraud; you can image systems live, if need be.


   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

I think it is hard to determine if the backups will be sufficient for the investigation or not. For example, if the fraud extends back several years, the backup tapes could provide a very useful historical record.

If the evidence of the fraud is contained only in the database, or in the database plus server logs, I think a full backup of the system and database could yield most, if not all, of the information necessary.

A lot depends on the operating system, the database, how the system is designed, and how the fraud was committed.

-David


   
(@krishna)
Trusted Member
Joined: 17 years ago
Posts: 47
Topic starter  

Hi keydet89,

What is the procedure to take a live image, and what tools are necessary/available? Please advise.

krishna


   
(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

Hi Krishna,

I'd say Harlan will point you to f-response, a great tool that allows for live analysis. If you want to know more, check out their website or check Harlan's blog for some good info.

I would issue one word of caution. I don't know your skill set or background however some knowledge of the forensics principles would be assumed when using these tools, such as forensic best practices or at least an acknowledgement of the ACPO guidelines.

You would probably find it more beneficial to get a demo of the likes of f-response and your favourite forensic analysis tool and test it on a local server before going to a corporate office. Even better - get someone who is trained in the tools and is comfortable with using them and collecting evidence.

If you're happy to continue yourself and are comfortable with the setup, you can connect to the live network, identify what you would need to collect and then work from there. This may also mean talking to employees of the company to gather information that can help you target particular areas.

Ronan


   
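As an added illustration of the "image the system live" step that keydet89 and Ronan refer to (this is not f-response's code or anything posted in the thread), the script below streams a device into an image file, hashes the bytes as they are read, forces the image to disk, and appends a JSON acquisition record that verification can later be checked against. A constructed temp file stands in for the device; on a real system `source` would be the block device path and the script would need the privileges to read it.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB blocks keep memory flat on multi-TB devices


def acquire_image(source, dest, chunk=CHUNK):
    """Stream a device (here a file standing in for one) into an image file,
    hashing the bytes as they are read. On a live server the source keeps
    changing, so this hash documents what was acquired; it cannot later be
    reproduced by re-hashing the running device, only by re-hashing the image."""
    digest = hashlib.sha256()
    size = 0
    started = datetime.now(timezone.utc).isoformat()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            digest.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    return {
        "source": source, "image": dest, "bytes": size,
        "sha256": digest.hexdigest(),
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(image, expected_sha256, chunk=CHUNK):
    """Re-hash the written image and compare it with the acquisition hash."""
    digest = hashlib.sha256()
    with open(image, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest() == expected_sha256


def append_log(log_path, record):
    """One JSON line per acquisition: the start of a chain-of-custody record."""
    with open(log_path, "a") as fh:
        fh.write(json.dumps(record) + "\n")


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "fake_device.bin")  # constructed stand-in
    with open(device, "wb") as fh:
        fh.write(b"PAGE" * 4096)
    rec = acquire_image(device, os.path.join(workdir, "server.dd"))
    append_log(os.path.join(workdir, "acquisition.jsonl"), rec)
    print("image verified:", verify_image(rec["image"], rec["sha256"]))
```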