Hi:

I need to do forensics on a Hard Drive, that is, I need to replicate a hard
drive, including any deleted files, onto CDROM disc(s) for examination viz.
a possible legal proceeding. I have not seen the computer equipment or
talked to the client but essentially this is the situation:

Boss fears an employee is stealing client information in order to start up
his own business. A desktop PC and a laptop computer needs to be examined
to determine if there's any digital evidence of this conduct. He's a good
employee so Boss does not wish to offend the employee with this suspicion.

I plan to do a sector by sector copy of the hard drives. I intend to remove
the hard drives in question (don't want to start up the systems themselves
and lose the swap file, caches, etc.), hook them up to a basic DOS system
and run GHOST 5.2 to create the image. Later, I will burn the CDROM
disc(s). The process needs to be documented to preserve a chain of evidence
and avoid any questionable handling which might undermine the evidence
gathering.

First, does anyone on this list do such forensic work? If so, what are your
recommendations?

Additionally, does anyone see a flaw in this course of action or can
suggest a better method?

Ultimately, what is the custom and trade practice of expert witnesses on
this subject? Suggestions for books are appreciated.

My background: I've been an attorney for over 20 years and an engineering
professor for 6 years but I haven't done expert witness work in this area.

Thanks, in advance, for your help.

John Chin

                  Visit our website regularly for FAQs,
               articles, how-to's, tech tips and much more
                          http://freepctech.com