forensic computer research


simon tyszko

Apr 4, 2018, 8:40:32 AM
to London Hackspace
Anyone around who can advise on forensically searching our stolen-but-found PC, in search of crypto and things....
A horrid domestic got out of hand with an old friend of mine, and it needs a careful and considered approach.
The police are aware of the situation, yet no case is open as such yet.....

phew....

ta very
best s

Mark Steward

Apr 4, 2018, 9:09:28 AM
to london-h...@googlegroups.com
Take the hard drive out and image it. You can then do what you want with the original, probably wipe it.


Mark

--
You received this message because you are subscribed to the Google Groups "London Hackspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to london-hack-space+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Simon Hewison

Apr 4, 2018, 1:18:47 PM
to London Hackspace
I can confirm that this is the best course of action. Always assume the computer has been compromised and don't run any code from that hard disk. If you had a backup, now is the time to test your 'bare metal' restore process with a backup taken before it was out of your hands.

If you didn't have a backup, then reinstall to a fresh disk from any manufacturer-provided restore image, restore any purchased or otherwise installed software from known good sources, then very carefully copy only the data files that you cannot possibly recreate or restore from the compromised disk image, ideally using tools that will never try to interpret or preview anything on the disk (e.g. a Linux live CD is probably better than using Windows Explorer).


On Wednesday, 4 April 2018 14:09:28 UTC+1, Mark Steward wrote:
Take the hard drive out and image it. You can then do what you want with the original, probably wipe it.


Mark
On Wed, Apr 4, 2018 at 1:40 PM, simon tyszko <simonp...@gmail.com> wrote:
anyone around who can advise on forensically searching our stolen but found pc in search of crypto and things....
horrid domestic got out of hand with an old friend of mine and it needs a careful and considered approach.
the police are aware of the situation yet no case open as such yet.....

phew....

ta very
best s

--
You received this message because you are subscribed to the Google Groups "London Hackspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to london-hack-sp...@googlegroups.com.
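The two steps the replies above describe, Mark's "take the drive out and image it" and Simon Hewison's "copy only the data files, with tools that never interpret anything on the disk", as one added example. This is not code from anyone in the thread; it assumes a Linux live system with dd, sha256sum (or shasum), find and cp, and the device, image and mount paths in it are placeholders.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread. Shows the two steps the
# replies describe: (1) take a bit-for-bit image of the suspect drive and hash
# it, (2) pull only inert data files out of the mounted image without letting
# anything on it run. Assumes a Linux live system with dd, sha256sum (or
# shasum), find and cp. Device and mount paths used below are placeholders.

# Print the SHA-256 of a file or block device, whichever tool is installed.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_drive SRC IMG
# Copy SRC (a block device such as /dev/sdb, or a file standing in for one)
# into IMG, then hash both and record the hashes next to the image.
# bs=512 matches the sector size, so conv=noerror,sync replaces an unreadable
# sector with exactly one sector of zeros and keeps every later offset
# correct; a bad sector then shows up as a source/image hash mismatch rather
# than a silently truncated image. (On a healthy drive a larger bs without
# conv=sync is much faster; conv=sync with a large bs would pad the image.)
image_drive() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=512 conv=noerror,sync || return 1
    src_hash=$(sha256 "$src"); img_hash=$(sha256 "$img")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# mount_image_ro IMG MNT OFFSET_BYTES
# Mount one partition from the image read-only. noexec/nosuid/nodev stop
# anything on it from executing; 'loop' lets the kernel treat the file as a
# disk. OFFSET_BYTES is the partition's start sector (from `fdisk -l IMG`)
# times 512. Needs root, so it is not exercised by the test below.
mount_image_ro() {
    mkdir -p "$2" && mount -o ro,noexec,nosuid,nodev,loop,offset="$3" "$1" "$2"
}

# extract_data_only SRC DST
# Walk SRC (the mounted, read-only image) and copy only files whose extension
# is on a data-only whitelist, keeping the relative path. Anything else
# (executables, scripts, macro-enabled documents, unknown types) is listed in
# DST.skipped.txt for manual review instead of being copied. The whitelist is
# an assumption: it excludes anything that is executed rather than viewed, but
# PDF and Office files can still carry active content, so open the copies on
# the rebuilt machine with macros and JavaScript disabled.
extract_data_only() {
    src=${1%/}; dst=${2%/}
    mkdir -p "$dst" || return 1
    : > "$dst.skipped.txt"
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        lower=$(printf '%s' "$rel" | tr 'A-Z' 'a-z')
        case "$lower" in
            *.txt|*.csv|*.pdf|*.jpg|*.jpeg|*.png|*.gif|*.mp3|*.mp4|*.docx|*.xlsx|*.odt|*.ods)
                mkdir -p "$dst/$(dirname "$rel")" && cp -p "$f" "$dst/$rel" ;;
            *)
                printf '%s\n' "$rel" >> "$dst.skipped.txt" ;;
        esac
    done
}

# Typical sequence on the live system (placeholder paths):
#   image_drive /dev/sdb /mnt/evidence/acer.img
#   mount_image_ro /mnt/evidence/acer.img /mnt/acer $((2048 * 512))
#   extract_data_only /mnt/acer /home/me/recovered
```

Work on the image, never on the original drive; the `.sha256` file written beside the image is what lets you (or anyone the matter is later handed to) show the copy is exact.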

simon tyszko

Apr 10, 2018, 8:28:50 AM
to London Hackspace
Absolutely, this is the route we are taking.
Once we have the clone I may be asking for a little more advice...

ta
s

simon tyszko

Apr 22, 2018, 8:42:13 AM
to London Hackspace
Finally getting round to this and found the laptop is an Acer notebook.... soldered 30GB flash drive and, so far, unremovable Windows Secure Boot, meaning I cannot launch a Linux live USB......
I have so little experience with Windows and find each stage to be like pulling teeth.....

any directions or suggestions gratefully received.

ta
s

JJ

Apr 22, 2018, 12:15:17 PM
to London Hackspace
Which flavour of Linux are you trying to boot? I have a fairly recent cheap Acer which ultimately I couldn't get GRUB to install on, but which would boot the Ubuntu 14.04 or 16.04 installer, 32-bit only, so if that's not what you've tried, give it a try. My understanding is that UEFI Secure Boot has keys for a handful of 'trusted' *nix versions. Also see if there's a 'legacy' boot option.

JJ

Yvan Janssens

Apr 22, 2018, 1:56:39 PM
to london-h...@googlegroups.com
Based on the situation, contract a professional. If "horrid domestic got out of hand" and "the police are aware" apply, touching it yourself will likely just contaminate the trail of evidence, and it'll just get thrown out of court if it ever gets that far.

I'd recommend not tampering with it. If you just want to erase it and return it to working condition and don't care about the data, just do that.

Jack Chidley

Apr 23, 2018, 1:59:45 AM
to London Hackspace
Secure boot is a system thing, not a Windows thing. Linux can work with it too, see http://rodsbooks.com/refind/secureboot.html
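Once a Linux live image the firmware accepts has booted (the Ubuntu installer JJ mentions, or rEFInd set up as the linked page describes), the Secure Boot state can be read back from the firmware itself rather than guessed from the BIOS menu. The following is an added example, not code from anyone in the thread; it assumes a Linux system with efivarfs mounted at /sys/firmware/efi/efivars and the od and wc utilities, and takes the variable file path as a parameter so the parser can be run against constructed sample files.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread. Reads the firmware's
# SecureBoot variable from a booted Linux via efivarfs. Each efivarfs file is
# 4 bytes of attribute flags followed by the variable data; SecureBoot's data
# is one byte: 1 = enforcing, 0 = off. The file path is a parameter so the
# parser can also be run against constructed sample files.
# (`mokutil --sb-state` reports the same thing where mokutil is installed.)

# EFI_GLOBAL_VARIABLE GUID as efivarfs names it.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# secureboot_state [FILE]
# Prints: enabled (exit 0), disabled (exit 1), not-uefi (exit 2: no such
# variable, e.g. booted in legacy/CSM mode or efivarfs not mounted),
# unknown (exit 3: variable present but not 4 attribute bytes + 1 data byte).
secureboot_state() {
    f=${1:-$SB_VAR}
    if [ ! -r "$f" ]; then
        echo not-uefi; return 2
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -ne 5 ]; then
        echo unknown; return 3
    fi
    # od: skip the 4 attribute bytes (-j4), read 1 byte (-N1) as unsigned decimal
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$v" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unknown;  return 3 ;;
    esac
}

# On the live system itself:
#   secureboot_state
```

If this prints "enabled" while you are running a Linux live USB, the firmware has accepted that distribution's signed boot loader; the earlier refusal was about the particular image, not about Secure Boot being "unremovable".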