eDiscovery and documentation

I attended a recent eDiscovery seminar. I wanted to poll the audience and get your thoughts on this subject. I was advised that you should not document your forensics process (criminal matters) because it then becomes discoverable and could be used against you in a court of law. Example: Let’s assume you have a documented forensics process that spells out you always have a cup of decaf coffee before examining a suspect’s machine. If you begin examining a suspect’s machine and forget to have that cup of decaf coffee you’ve now just made a gaping hole for the defense to use against you. Say goodbye to your credibility, Mr. Expert Witness no more.

On the other hand, you must have a documented eDiscovery process (civil litigation). eDiscovery requires that your process be defensible and repeatable. You will need to be able to reproduce your eDiscovery process if called upon. However, there are no stipulations on how granular your process documentation must be. I would not recommend spelling out so many steps in your process that you leave yourself open to scrutiny. A generally broad eDiscovery process or flow that is published should suffice.

Please share your views below.

TrueCrypt: Avert Employer’s Computer Policy

Would you like to store personal data on an employer owned computer?  Does your employer have a policy about what can be stored on their machine?

To protect yourself from employer remote software/inventory scans (as well as a ton of other encryption-related uses), download TrueCrypt:


It lets you create an encrypted container. Say you need 1 GB for your MP3s: the program creates a 1 GB file, and when you enter your password that file is mounted as an additional drive on your computer. When you dismount it or turn the computer off, that extra drive disappears until you mount it again with your password.

Think of this as a FREE encrypted virtual thumb drive (as long as you have a tough password).
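Why the "tough password" matters, as an added illustration that is not part of the original post or TrueCrypt's own code. Two caveats first: an inventory scan still sees the container itself (a large file of random-looking bytes), only its contents are hidden; and TrueCrypt development ended in 2014, so the same idea today means VeraCrypt or similar. The security of the container rests on the password because anyone who copies the file can guess passwords offline at full speed, with nothing to rate-limit them. TrueCrypt derives the header key from the password with salted PBKDF2; the block below stands in for that with PBKDF2-HMAC-SHA512 at 1000 iterations (a TrueCrypt-era order of magnitude, assumed here, not the real header format), a toy verifier in place of the real header check, and a constructed wordlist.

```python
"""
Offline password guessing against a password-derived container key.

Stand-alone illustration only: PBKDF2-HMAC-SHA512 with a 64-byte salt and
a low, fixed iteration count stands in for TrueCrypt's header key
derivation. The "verifier" is a toy substitute for the real header check.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 1000   # assumption: low, fixed count of the TrueCrypt era
SALT_LEN = 64       # TrueCrypt uses a 64-byte header salt
KEY_LEN = 32

# Constructed wordlist; a real attacker would use millions of candidates.
WORDLIST = ["password", "123456", "letmein", "mp3music", "summer2008", "qwerty"]


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Password + salt -> key, exactly as an attacker can recompute it."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def make_header(password: str):
    """Return (salt, verifier): the only data an attacker needs from the file."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(password, salt)
    # HMAC over a fixed string plays the role of the header's magic check.
    verifier = hmac.new(key, b"TRUE", "sha256").digest()
    return salt, verifier


def header_matches(password: str, salt: bytes, verifier: bytes) -> bool:
    """True when the candidate password unlocks this header."""
    key = derive_key(password, salt)
    return hmac.compare_digest(hmac.new(key, b"TRUE", "sha256").digest(), verifier)


def offline_guess(salt: bytes, verifier: bytes, wordlist):
    """Try each candidate against the copied header; no lockout, no logging."""
    for candidate in wordlist:
        if header_matches(candidate, salt, verifier):
            return candidate
    return None


def guesses_per_second(iterations: int = ITERATIONS, samples: int = 50) -> float:
    """Rough single-core guess rate: shows how little work 1000 iterations is."""
    salt = b"\x00" * SALT_LEN
    start = time.perf_counter()
    for i in range(samples):
        derive_key("guess%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)


def demo():
    """Weak password falls to the wordlist; a long passphrase does not."""
    weak_salt, weak_ver = make_header("letmein")
    strong_salt, strong_ver = make_header("correct-horse-basalt-9-lamp")
    return (offline_guess(weak_salt, weak_ver, WORDLIST),
            offline_guess(strong_salt, strong_ver, WORDLIST))


if __name__ == "__main__":
    weak, strong = demo()
    print("weak password recovered:", weak)
    print("strong passphrase recovered:", strong)
    print("approx. guesses/second at %d iterations: %.0f"
          % (ITERATIONS, guesses_per_second()))
```

The salt stops precomputed tables, but it does nothing against a dictionary run like this one; the only defence the user controls is a password that is not in any wordlist.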


Your Thoughts: Ad-hoc Monitor Port on WRT54G

I would like to run Snort and BotHunter on a spare Linux machine on my home LAN.  My local network uses the very common Linksys WRT54G wireless router.  Therefore I have a switched network, which makes it very difficult to perform any type of network sniffing.

I’m asking for your thoughts and feedback to solve this problem.  Right now I’ve come up with the following solutions:

  • Connect a hub to the router’s WAN port.  Connect my cable modem and Linux machine to the hub.
  • Install DD-WRT on the Linksys router.  Does DD-WRT yet support SPAN / tap (monitor) ports?
  • Install two (2) NICs on the Linux machine and route my cable modem through that before connecting to the router.
  • Buy an affordable Cisco 2600 router off of eBay.

Please share your ideas and thoughts on the subject.
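One way to build the third option (the two-NIC Linux box placed between the cable modem and the WRT54G), as an added example that is not from the original post. Two caveats worth knowing before choosing it: anything on the WAN side of the WRT54G, whether hub or inline box, sees traffic only after the router's NAT, so every Snort or BotHunter alert will carry the router's public address rather than the infected host's, and you will have to map it back through the router's DHCP lease or connection table; and an inline bridge fails closed (if the sensor box is off, the house has no Internet), whereas a hub fails open. The script builds an address-less Linux bridge so the sensor has no IP presence on the WAN segment, then runs Snort in IDS mode on the bridge. Interface names, the Snort config path and log directory are assumptions; the modern iproute2 syntax is used (older hosts would use brctl). Nothing is applied unless LAB_APPLY=1 is set; otherwise the commands are only printed for review.

```bash
#!/bin/sh
# Added example: inline transparent bridge for Snort between the cable modem
# and the WRT54G WAN port. Interface names below are assumptions; check
# `ip link` for the real ones. Dry-run by default, LAB_APPLY=1 to execute.
set -eu

MODEM_IF="${MODEM_IF:-eth1}"    # NIC cabled to the cable modem (assumed name)
ROUTER_IF="${ROUTER_IF:-eth2}"  # NIC cabled to the WRT54G WAN port (assumed name)
BR_IF="${BR_IF:-br0}"           # bridge device (assumed name)

# Emit the commands that build an address-less bridge: no IP on the bridge
# or its members, so the sensor is invisible at layer 3 on the WAN side.
# Promiscuous mode on both members lets Snort see every bridged frame.
bridge_plan() {
    modem="$1"; router="$2"; br="$3"
    cat <<EOF
ip link add name $br type bridge
ip link set dev $modem master $br
ip link set dev $router master $br
ip addr flush dev $modem
ip addr flush dev $router
ip link set dev $modem promisc on up
ip link set dev $router promisc on up
ip link set dev $br up
EOF
}

# Snort in IDS mode on the bridge: -A fast writes one-line alerts,
# -l is the log directory. Config path is an assumption.
snort_cmd() {
    printf 'snort -i %s -c /etc/snort/snort.conf -A fast -l /var/log/snort\n' "$1"
}

run_plan() {
    if [ "${LAB_APPLY:-0}" = "1" ]; then
        bridge_plan "$MODEM_IF" "$ROUTER_IF" "$BR_IF" | sh -e
        snort_cmd "$BR_IF" | sh
    else
        bridge_plan "$MODEM_IF" "$ROUTER_IF" "$BR_IF"
        snort_cmd "$BR_IF"
    fi
}

run_plan
```

Give the sensor a third NIC on the LAN side for management and log collection; do not put an address on the bridge itself, or the box becomes a reachable host on the modem segment.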

Penetration Test Scenarios

I’ve recently been trying to teach my young cousin the basics of computer security.  I started by having him get the BackTrack live CD, which is geared for penetration testing.

Once you have BackTrack running you need a dummy machine to test against.  People have packaged live CDs and virtual machines that are running some combination of the following:

  • Unpatched operating systems (Win XP SP1)
  • Unpatched applications (httpd, ftpd, etc)

You can find these ready-to-be-exploited packages here:

Old software with bugs:

Do you have an old disc of Windows 9x or Red Hat 6.2 lying around?

  1. Install VirtualBox
  2. Create your own virtual machine with those old OS discs that are now collecting dust

Have fun & remember to keep this limited to dummy machines 🙂
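Keeping the lab "limited to dummy machines" is easiest to get right in VirtualBox by putting both the attacker and the target on an internal network, a virtual wire that reaches neither the host nor the home LAN, so the unpatched target cannot be reached from anywhere else and the attack tools cannot leak out. The script below is an added example, not from the original post or from VirtualBox's documentation; it prints the VBoxManage commands for two VMs (BackTrack booted from its ISO, and a target booted from an old install disc ripped to an ISO) and includes a check of `VBoxManage showvminfo` NIC lines to confirm nothing is on NAT or bridged networking. ISO paths, VM names, the internal network name and the assumed format of the showvminfo NIC line are assumptions. Dry run by default; LAB_APPLY=1 executes.

```bash
#!/bin/sh
# Added example: isolated two-VM pentest lab with VBoxManage. The attacker
# and target share a VirtualBox internal network only. ISO paths, names and
# the showvminfo line format are assumptions. LAB_APPLY=1 to execute.
set -eu

LAB_NET="${LAB_NET:-pentest-lab}"                        # assumed internal network name
ATTACKER_ISO="${ATTACKER_ISO:-$HOME/iso/backtrack.iso}"  # assumed path
TARGET_ISO="${TARGET_ISO:-$HOME/iso/redhat-6.2.iso}"     # assumed path (dusty disc as ISO)

# Print the commands for one VM: create and register it, set RAM, attach a
# fresh disk and the install ISO on an IDE controller, and give it ONE NIC on
# the internal network. No NAT or bridged adapter, so the target has no route
# to the Internet and nothing on the LAN can reach the unpatched target.
vm_plan() {
    name="$1"; ostype="$2"; ram_mb="$3"; disk_mb="$4"; iso="$5"; net="$6"
    cat <<EOF
VBoxManage createvm --name "$name" --ostype "$ostype" --register
VBoxManage modifyvm "$name" --memory $ram_mb --nic1 intnet --intnet1 "$net" --nic2 none
VBoxManage createhd --filename "$name.vdi" --size $disk_mb
VBoxManage storagectl "$name" --name IDE --add ide
VBoxManage storageattach "$name" --storagectl IDE --port 0 --device 0 --type hdd --medium "$name.vdi"
VBoxManage storageattach "$name" --storagectl IDE --port 1 --device 0 --type dvddrive --medium "$iso"
EOF
}

# Sanity check one "NIC n:" line from `VBoxManage showvminfo <vm>` (assumed
# format: "NIC 1: MAC: ..., Attachment: Internal Network 'x', ..."). Only an
# internal-network attachment or a disabled NIC counts as isolated.
nic_is_isolated() {
    case "$1" in
        *"Attachment: Internal Network"*) return 0 ;;
        *"disabled"*)                     return 0 ;;
        *)                                return 1 ;;
    esac
}

# Run the check over every NIC line of a registered VM (needs VBoxManage).
vm_is_isolated() {
    VBoxManage showvminfo "$1" | grep '^NIC [0-9]*:' | while IFS= read -r line; do
        nic_is_isolated "$line" || { echo "NOT isolated: $line" >&2; exit 1; }
    done
}

lab_plan() {
    vm_plan attacker Linux26 1024 8192 "$ATTACKER_ISO" "$LAB_NET"
    vm_plan target   Linux   256  2048 "$TARGET_ISO"   "$LAB_NET"
}

if [ "${LAB_APPLY:-0}" = "1" ]; then
    lab_plan | sh -e
    vm_is_isolated attacker && vm_is_isolated target && echo "lab is isolated"
else
    lab_plan   # dry run: review, then LAB_APPLY=1 to execute
fi
```

Boot each VM with `VBoxManage startvm <name>`, install from the ISO, and give the two guests static addresses on the internal network by hand, since there is no DHCP server on it unless you run one in a guest.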