
Most system administrators are really busy. If there is a problem on a machine they want to solve it and get the user back on line quickly.
Typically this involves a bit of troubleshooting and a direct fix for the problem. The usual fixes for such problems include rebuilding, defragmenting and restoring disks.
All of these are destructive with regard to any evidence that may be on the computer.
Does it make sense to ask a system administrator to perform an investigation using everyday tools when specialized forensic tools are really needed? If evidence may be on a computer it makes more sense to call a forensic specialist.
As with all outside consultants (investigators, lawyers, accountants), it is critical to comply with the Fair Credit Reporting Act's employee disclosure and agreement requirements.
We worked with the network administrator to solve an email threat case.
After we demonstrated how Hotmail messages can be recovered from unallocated clusters on the suspect's hard drive, however, he quickly caught on. Our affidavit regarding the case was accepted by a police department with jurisdiction, and the suspect subsequently got to meet the men in blue.
Often, when we work with network administrators who have not taken computer security courses (like the ones available at www.sans.org), they are completely unaware of computer forensic capabilities.