Security Basics mailing list archives
RE: Copying HDDs for forensic purposes?
From: "Sgt. Elias" <sgt.elias () chello se>
Date: Tue, 18 Nov 2003 18:27:50 +0100
Hi Spencer

One important rule when it comes to computer forensics is to never conduct an examination of the original media, but always use a bit-for-bit mirror copy of the original. When searching through a hard drive while running Windows, opening files may unintentionally modify evidence. Even booting Windows results in a number of files being altered. And because digital data can be so easily changed, a judge or defense attorney may raise the question of possible tampering with the original media if it is directly examined and serves as the only evidence.

To ensure that evidence will be valid and will hold up in court, you may do it this way. Boot the evidence computer with another operating system, such as Linux or DOS, then use a checksum or secure hash (MD5 or SHA-1) application to create file and directory signatures. Using DOS or Linux as an alternate OS prevents Windows from making file changes on start-up. The copy should be made on sterile media, new or "wiped", to ensure that there is no residual data left. After copying, use the checksum or hash utility to verify that the copy is identical to the original. The entire process should be well documented and the original hard drive stored in a secure location. Then start the work to find whatever you are looking for.

Btw, a great book is Secrets of Computer Espionage: Tactics and Countermeasures by Joel McNamara.

www.ncjrs.org/pdffiles1/nij/196352.pdf
www.encase.com
www.ilook-forensics.org
www.ontrack.com
www.symantec.com (Norton Utilities)
www.jasc.com (Quick View Plus)

Gl hf
Elias

-----Original Message-----
From: Spencer D'oro [mailto:sdoro () comcast net]
Sent: 15 November 2003 19:09
To: security-basics () securityfocus com
Subject: Copying HDDs for forensic purposes?

Hello to all,

I am interested in forensic examinations of hard drives. In the little material I have seen, the authors state that no examination should be made of an original device; that instead a copy should be made and all examinations made to that device.

My question is this: If you make a copy of the hard drive, does it copy the sectors that had recently deleted files or does it just mark them as blank in the partition table of the new drive? What if the source is physically damaged? Or do you need a special utility to get the "erased" data?

Thanks in advance for the help.

Spencer
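An added example, not code from Elias's reply or from anyone in this thread: the procedure above (sterile target, bit-for-bit copy, hash both sides, write it all down) as a POSIX sh script that runs on constructed files instead of a real drive. The paths, the "evidence" contents and the marker string are all made up for the demo; the reply names MD5 and SHA-1, and the script records MD5 plus SHA-256 because MD5 and SHA-1 are no longer collision resistant and a second algorithm costs nothing. It also shows what the quoted question asks about: a raw `dd` image carries unallocated sectors, so a "deleted" remnant is searchable in the copy, and `conv=noerror,sync` keeps going past unreadable sectors on a damaged source.

```shell
#!/bin/sh
# Added example, not code from the original post. Walks through the reply's
# procedure on constructed files: wipe the target, image bit for bit, hash
# both sides, log it. Every path and the "evidence" contents are made up here.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/evidence.dd"         # stands in for the original drive (e.g. /dev/sdb)
DST="$WORK/image.dd"            # stands in for the target media
LOG="$WORK/imaging.log"         # the written record the reply asks for
MARKER='DELETED-FILE-REMNANT'   # constructed "deleted file" content
SECTORS=2048                    # 2048 x 512 bytes = 1 MiB pretend drive

# Constructed evidence drive: all zeros except one string parked in an
# unallocated sector, playing the part of a deleted file's leftover data.
make_evidence() {
    dd if=/dev/zero of="$SRC" bs=512 count="$SECTORS" 2>/dev/null
    printf '%s' "$MARKER" | dd of="$SRC" bs=512 seek=1000 conv=notrunc 2>/dev/null
}

# Target media that is NOT sterile: leftover bytes from an earlier job.
make_dirty_target() {
    printf 'OLD-CASE-DATA' > "$DST"
}

# Returns 0 only if the file holds nothing but 0x00 bytes.
is_sterile() {
    n=$(tr -d '\000' < "$1" | wc -c)
    [ "$((n))" -eq 0 ]
}

# Step 1: wipe the target so no residual data can be mistaken for evidence.
wipe_target() {
    dd if=/dev/zero of="$DST" bs=512 count="$SECTORS" 2>/dev/null
    is_sterile "$DST"
}

# Step 2: raw sector copy. conv=noerror,sync reads past unreadable sectors
# and pads them with zeros, so offsets in the image still match the original
# when a drive is physically damaged.
image_drive() {
    dd if="$SRC" of="$DST" bs=512 conv=noerror,sync 2>/dev/null
}

# Prints the hex digest of a file using the given tool (md5sum, sha256sum).
hash_of() {
    "$1" "$2" | cut -d' ' -f1
}

# Step 3: hash original and copy, record both, fail if any pair differs.
# The post names MD5/SHA-1; SHA-256 is added because MD5 and SHA-1 are no
# longer collision resistant, and a second algorithm costs little.
verify_image() {
    for algo in md5sum sha256sum; do
        a=$(hash_of "$algo" "$SRC")
        b=$(hash_of "$algo" "$DST")
        printf '%s %s original=%s copy=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$algo" "$a" "$b" >> "$LOG"
        [ "$a" = "$b" ] || return 1
    done
}

# Step 4: the image carries unallocated sectors too, so the "deleted" data
# is searchable in the copy (dd keeps such sectors; it does not skip them).
count_remnants() {
    grep -a -c "$MARKER" "$DST"
}

run_demo() {
    make_evidence
    make_dirty_target
    is_sterile "$DST" && return 1    # must NOT be sterile before the wipe
    wipe_target
    image_drive
    verify_image
    echo "image verified; remnants found: $(count_remnants); log: $LOG"
}

run_demo
```

On a real case the `SRC` path is the block device (opened read-only, ideally behind a hardware write blocker) and `DST` is the wiped target; everything else stays the same. The log line per algorithm, with a UTC timestamp, is the minimum written record that lets someone else re-run the hashes later and get the same answer.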
Current thread:
- Copying HDDs for forensic purposes? Spencer D'oro (Nov 17)
- Re: Copying HDDs for forensic purposes? Kelly Martin (Nov 17)
- Re: Copying HDDs for forensic purposes? Felecia Vlahos (Nov 17)
- RE: Copying HDDs for forensic purposes? Sgt. Elias (Nov 18)
- RE: Copying HDDs for forensic purposes? Sgt. Elias (Nov 19)
- <Possible follow-ups>
- RE: Copying HDDs for forensic purposes? Hunt, Jim (Nov 17)
- RE: Copying HDDs for forensic purposes? Steven A. Fletcher (Nov 17)
- SV: Copying HDDs for forensic purposes? Thomas Westlund (Nov 17)
- RE: Copying HDDs for forensic purposes? jay . stapleton (Nov 17)
- Re: Copying HDDs for forensic purposes? Byron Sonne (Nov 17)
- RE: Copying HDDs for forensic purposes? Gene LeDuc (Nov 17)
- RE: Copying HDDs for forensic purposes? Amin Lalji (Nov 18)
- RE: Copying HDDs for forensic purposes? Bermingham, Bob (Nov 18)
- RE: Copying HDDs for forensic purposes? Suramya (Nov 18)
(Thread continues...)