Channel: Forensic Focus Forums - Recent Topics
Education and Training: Finding hacks over teamview

I doubt that the TeamView method is valid "generally". I mean in forensics (real digital forensics) the procedure is almost invariably the same (with some possible exceptions of course): "freeze" everything exactly "as is" and at the earliest possible moment in time, make an exact copy of the disk, then review its contents.

With TeamView (or similar) you are working "online" on a PC running an "unknown" OS with the user (let's call it "suspect") physically in front of the actual PC - possibly largely bothered by the procedure and not willing to cooperate, and able to run commands in it, enable/disable/connect/disconnect devices, etc. The possibilities of "counter-forensics" actions seem to me almost infinite.

If the thingy is "serious" (money involved, as you mentioned, etc.) a possible solution (cannot say how viable this could be) could be that of having players use for the game a "dedicated" machine, and you (or the "tournament referees" or whomever) establish a way to take an image of the machine (or of the relevant parts/registry, filesystem tables, etc) at the time of enrollment and another one at the end (this latter only in case the player ranks high enough and there is a claim he/she "cheated"). The image(s) could be made (and stay) "locally" and transferred to the "cheat detectives" only if needed.

Basically a tool that when run "snapshots" (besides the Registry) also some other key parts of the OS/filesystem and stores them in a (compressed/encrypted) container, MD5 or SHA hashed, ready to be - if needed - transmitted to the "cheat detectives".

jaclaz
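The snapshot-and-hash idea from the post above, as an added Python example that is not part of the original post or of any existing tool: it packs a directory into a compressed container with a per-file SHA-256 manifest, returns the container's own digest to be recorded separately, and compares an enrollment snapshot with a final one. The function names and sample files are constructed for illustration; encryption and Registry capture, which the post also mentions, are left out.

```python
import hashlib, io, json, tarfile, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, container):
    """Pack files under root plus a SHA-256 manifest; return the container's digest."""
    manifest = {}
    with tarfile.open(str(container), "w:gz") as tar:
        for p in sorted(Path(root).rglob("*")):
            if p.is_file():
                rel = p.relative_to(root).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname="files/" + rel)
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("manifest.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return sha256_file(container)

def read_manifest(container, recorded_digest):
    if sha256_file(container) != recorded_digest:  # altered after it was hashed
        raise ValueError("container does not match recorded digest")
    with tarfile.open(str(container), "r:gz") as tar:
        return json.load(tar.extractfile("manifest.json"))

def compare(before, after):
    common = before.keys() & after.keys()
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "changed": sorted(k for k in common if before[k] != after[k])}

def demo():  # constructed sample tree: enrollment snapshot, changes, final snapshot
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as out:
        Path(root, "client.bin").write_bytes(b"v1")
        Path(root, "settings.ini").write_bytes(b"fov=90")
        d1 = snapshot(root, Path(out, "enroll.tgz"))
        Path(root, "client.bin").write_bytes(b"v1-patched")
        Path(root, "overlay.dll").write_bytes(b"x")
        d2 = snapshot(root, Path(out, "final.tgz"))
        return compare(read_manifest(Path(out, "enroll.tgz"), d1),
                       read_manifest(Path(out, "final.tgz"), d2))

if __name__ == "__main__":
    print(demo())
```

The container digest only proves integrity if it is recorded somewhere the player cannot rewrite, for example sent to the referees at enrollment while the container itself stays local.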
