The client's first concern was the potential correlation between the posting of messages/content to a site that housed illegal images and the distribution of large files from its FTP Server. Was an employee using their FTP server to distribute pornography?

We advised the client that if it intended to prosecute, it would need to work within the legal framework of forensic investigations. Most notably, it would be critical for the forensic data to be authenticated as genuine.

Many of the actions an individual might take, including rebooting the machine, copying files from the server, and reviewing security logs, can alter the drive data. The client's management was adamant about conducting the investigation in a manner that would provide the opportunity to prosecute if necessary. The client's lawyer also believed that by demonstrating due diligence, it would minimize the risk of a third party taking legal action against the organization as a result of the hack.

A particularly important legal case, "Gates Rubber Co. vs. Bando Chemical Indus, Ltd," helped define the mandatory legal duty of a forensic investigator with regard to creating a mirror image copy of the hard drive in a manner that maintains chain of evidence and custody. In that case, the investigator's decision to perform logical "file-by-file" copying to preserve the evidence precluded legal use of the data because the copying might have resulted in lost information and the creation of new temporary files on the media.

[/snip]

There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie. Noel Godin