Wednesday, March 17, 2010

Knew it was going to happen....

It finally happened. Those "old school" forensic practices caught some colleagues while seizing a Dell laptop. The old practice of pulling the plug led to the drive being inaccessible when they returned to the lab due to a bios password being present. The actual hard drive was removed but various imaging techniques did not work. That being said, RAM had been imaged and a password was located in RAM (for an email account). Luckily the password was the same and we were able to access the drive.

One more reason to hasten our move to 100% live imaging at the scene; grabbing both the RAM and the drive. One more reason to get F-Response for everyone in the office!

FYI...once we had the password, we booted the laptop (with hard drive enclosed) using Helix Pro. Using Helix, we imaged the drive to a RW-mounted wiped external USB drive. Worked like a charm.

Good guys 1 - Bad guys 0 (but just barely).

No comments:

Post a Comment