[...]... monitors, electronic instrument information from devices that are in the area (cellular telephones, pagers, etc.), and cabling connections (including under the floor if the floor is raised). Make sketches as necessary. If there is an active modem connection (flashing lights indicating communication in progress), quickly unplug it and obtain internal modem information via an RS-232 connection to your laptop. Is it...

... to be helpful in the past, so I will include them. Where do you obtain these files? The DOS commands/drivers may be obtained from a trusted machine in the c:\windows and c:\windows\command directories. The driver files and some of the executables may be obtained from the media provided with the Adaptec SCSI card and from Ecrix and Iomega media provided with those products. You may also obtain files from their...

... Now, any files that were deleted from drive C are in a single file (FreeC). This may provide some excellent data related to the case we are working on.

Swap Files and GetSwap
New Technologies, Inc. http://www.Forensics-Intl.com

If the bitstream backup that is on drive C of your AC is a Microsoft Windows operating system or any other operating system that contains static swap files, you will want to copy these...

... system, copy the Windows temporary files to your Zip Drive D. These files have a tmp extension. The easiest way to find these files is as follows:

- Click on Start with the left mouse button
- Move the mouse pointer to Find
- Click on Files or Folders
- Place *.tmp in the Named: box
- Leave the Containing Text: box blank
- Place c:\ in the Look in: box
- A checkmark should be in the Include subfolders...

... personnel involved with the system?
- What type of work is this organization involved with (current and past)?
- Who first noticed the incident? Who first reported the incident? When?
- Did the person who noticed the incident touch anything besides the telephone?
- Does anyone else in the company know of this?
- Based on records from Physical Security, what time did each of the personnel arrive in the building...

SafeBack
New Technologies, Inc. http://www.Forensics-Intl.com

Upon your initial arrival at a client site, obtain a bitstream backup of the compromised systems. A bitstream backup is different from the regular copy operation. During a copy operation, you are merely copying files from one medium (the hard drive, for instance) to another (e.g., a tape drive, Jaz Drive, etc.). When performing a bitstream backup...

... assortment of diskettes

GetFree
New Technologies, Inc. http://www.Forensics-Intl.com

Now we want to obtain the content of all unallocated space (deleted files) on drive C of your AC and place this data in a single file. This single file can be placed on a diskette (or Zip Drive if more space is needed).

©2002 CRC Press LLC

Once again, you can type the following to see the syntax of this program: getfree ...

... to abide by while conducting this investigation?

Chapter 3
Evidence Collection Procedures

Chapter 3 will discuss evidence collection tools and cover the procedures involved with collecting evidence so that the evidence will usually be admissible in a court of law.

- What is Locard’s Exchange Principle? Anyone, or anything, entering a crime scene takes something of the crime scene with...

... (or Windows 2000, which is essentially NT 5), copy the pagefile.sys file to a separate Zip Disk(s). You must do this copy operation in DOS mode (not a DOS window running under NT) because while Windows NT is running, the pagefile.sys file is being used and you cannot perform the copy. To perform this copy operation, go to the directory where pagefile.sys resides (usually c:\winnt\system32\) and, assuming your Zip Drive is drive D, use the following command:

    c:\winnt\system32> copy pagefile.sys d:

For systems such as Microsoft Windows 95 or 98, look for win386.swp in c:\windows. Perform the same type of copy operation under DOS:

    c:\windows> copy win386.swp d:

Under other Microsoft Windows systems, look for a file called 386SPART.PAR and perform the ...

... aircraft hijackings, and businesses and homes being broken into. Almost nothing in the physical world is really secure. If someone wants to focus on or target something, more than likely they will obtain.