server investigation?

Networking/Security Forums -> Computer Forensics and Incident Response

Author: ursdestiny    Location: Pakistan    Posted: Sat Nov 15, 2008 8:39 am    Post subject: server investigation?
    ----
Hello,
I have been investigating PCs for the past 2 years, and for the first time I have received a server. Basically it is a file with SCSI and RAID running. It was shut down when the office was cracked down on. I have no idea how to proceed. The server belongs to a foreign exchange company accused of money laundering.

How can I image the SCSI drive?
What is the best tool for finding Internet logs from the server?

Thanks

Author: Fire Ant    Location: London    Posted: Sat Nov 15, 2008 10:53 am    Post subject:
    ----
ursdestiny,

Quote:
I have no idea how to proceed. The server belongs to a foreign exchange company accused of money laundering.


Don't touch it! You will more than likely compromise any investigation by:

1 - Breaking the chain of evidence
2 - Making a mistake where the defense can claim you tampered with it

You sound ill-prepared for someone who does investigations.

I suggest giving this to a qualified forensic company.

Matt_s

Author: shednik    Location: Pittsburgh, PA    Posted: Sat Nov 15, 2008 8:42 pm    Post subject:
    ----
I would definitely not touch the server until you are sure of the processes needed to investigate the server. If you don't, you will chance ruining the admission of any possible evidence on the device.

Author: ursdestiny    Location: Pakistan    Posted: Sat Nov 22, 2008 7:01 pm    Post subject:
    ----
Well, I got this process after a lot of research on the Internet.

Boot the server using the EnCase bootable CD.

Image it through EnCase.

And as I was working on an exchange server, I got the DB file and it worked perfectly.

The hashes were the same after the investigation :)

I hope I got it right.

Author: PhiBer    Location: Your MBR    Posted: Mon Nov 24, 2008 9:41 pm    Post subject:
    ----
You still do not have forensic credentials. As such, it still might be possible to discredit your research/steps taken to properly preserve evidence.

Author: ursdestiny    Location: Pakistan    Posted: Tue Nov 25, 2008 5:32 am    Post subject:
    ----
Yes, you guys might be right about my forensic capability, but to put a question on a forum itself explains that.

So hopefully someone can explain the process now, or have I put a wrong question?

Author: PhiBer    Location: Your MBR    Posted: Tue Nov 25, 2008 9:13 pm    Post subject:
    ----
I know this article does not apply to your country, but it has some great "how-to" information in regards to digital investigations.

You may wish to take a look at the analysis for the Julie Amero case as well for further information on incorrect imaging.





output generated using printer-friendly topic mod, All times are GMT + 2 Hours
