Nitschke: Beyond good and evil. "We lost two computers, many, many disks and files, all of them electronic," said Dr Nitschke shortly after the Darwin raid. "Not much in the way of paper material, but some drugs that are part of this medical practice. "When they turned up, they drove in en masse and came straight in. I was working at my computer, which is now gone." Dr Nitschke said anything the police couldn't open was "bolt-cuttered". Dr Nitschke said Exit Australia had temporarily lost contact with its clients. "I've got heaps of patients, I contact them a lot and need that stuff back as fast as possible," he said. "The police said they would work quickly and give me a copy of my disks. They said they would hold on to (the original) material for as long as they needed it." They work fast phill,regular speed freaks.(actually drug squad 'B' in Vic.are!) For next time and interested bystanders...Tricks of the trade (FROM Computer forensics tips By Michael Jackman, TechRepublic 07 August 2002.Znet)Extract... Incident response staff will need to understand the tricks used to thwart investigators and hide evidence. These tricks might include: Hiding data within files, such as .gif and .jpg pictures, a practice called steganography. Altering filenames and extensions to disguise evidence as innocent files, such as renaming a pornographic .jpg to gotmail.wav. Hiding files in unlikely places. Using Zero Link files (in Unix) that don’t associate with any directory. Modifying operating system utilities so that certain data is not listed or found during keyword searches. Sabotaging a computer so that, if it is investigated, a logic bomb will be triggered. Saboteurs also give hostile programs friendly names such as find.exe. Erasing files or disk space with file shredding utilities. These techniques represent just some of the tricks investigators are up against. Don’t wait until an incident has happened—create an incident response procedure now and invest in training and tools. If you wait for an incident to happen before acting, your company (and your reputation) will be damaged. In the meantime, these tips will help you determine whether an investigation is being conducted professionally. Additional resources 1. Web sites High Technology Crime Investigative Association—This organisation accepts members from law enforcement, corporate management, and corporate security staff. However, anyone may download its newsletter containing forensic tips and information. The June 2002 issue, for example, contained tips on how to recover deleted Outlook e-mail by corrupting and then rebuilding a copied Outlook .pst file. LC Technology International makes sophisticated data recovery tools and provides forensics training and investigative services. The Department of Justice offers guidelines for searching and seizing computers. SecurityStats.com provides digests of the latest statistics and analyses relating to computer security. These stats will help you justify a forensics budget to cover equipment, staff, and training. The Department of Justice Cybercrime Web site has news, articles, and other information. Same DoJ?-JUDICIARY COMMITTEE REPORT CALLS FOR INDEPENDENT COUNSEL TO INVESTIGATE THE INSLAW CONTROVERSY -------------------------------------------------------------------------------- The ("INSLAW Affair") report concludes that there appears to be strong evidence, as indicated by the findings of two Federal court proceedings, as well as by the Committee investigation, that the Department of Justice "acted willfully and fraudulently," and "took, converted and stole," INSLAW's Enhanced PROMIS by "trickery, fraud and deceit."