BreachExchange mailing list archives
Re: TN: Election Commission laptop harddrive found
From: Chris Walsh <chris () cwalsh org>
Date: Fri, 18 Jan 2008 23:19:24 -0600
Sorry folks -- my sarcasm was not as overt as I thought when I made my original comment. I had in mind reading/writing via a raw device (to use UNIX parlance), which would make your actions undetectable -- much as David is saying.

The Attrition folks have a rant on this subject -- http://attrition.org/dataloss/forensics.html

On Jan 18, 2008, at 2:38 PM, David C. Smith wrote:
I am not sure about ghost, but it can be done with the unix dd command. It creates a forensically sound bit image of the source. http://www.forensicswiki.org/wiki/Dd. Dd images do hold up in court as evidence and you can use MD5 sums to prove changes were not made. You may also view the drive with write blockers like http://www.forensicswiki.org/index.php?title=Write_Blockers which would not alter the source drive.
_______________________________________________
Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss
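
The workflow David's quoted message describes (a dd image, with MD5 sums to show the image has not changed) is sketched below as an added example that is not part of the original thread. A constructed file stands in for the source drive, and `md5_of`, `acquire` and `verify` are illustrative names.

```shell
#!/bin/sh
# Added illustration: image a source with dd, record its MD5, re-check later.
# A constructed file stands in for the source drive (assumption).

# Print only the hex digest of a file.
md5_of() { md5sum "$1" | cut -d' ' -f1; }

# Copy SRC to IMG block for block, record the image's MD5 beside it, and
# succeed only if that digest equals the digest of the source.
acquire() {
    dd if="$1" of="$2" bs=4096 2>/dev/null || return 2
    md5_of "$2" > "$2.md5"
    [ "$(md5_of "$1")" = "$(cat "$2.md5")" ]
}

# Re-hash IMG and compare with the digest recorded at acquisition time.
verify() { [ "$(md5_of "$1")" = "$(cat "$1.md5")" ]; }

demo() {
    work=$(mktemp -d) || return 1
    # Constructed 64 KiB "drive" filled with the byte 'A'.
    dd if=/dev/zero bs=4096 count=16 2>/dev/null | tr '\0' 'A' > "$work/source.bin"

    acquire "$work/source.bin" "$work/image.dd" && echo "acquired: source and image digests match"
    verify "$work/image.dd" && echo "image unchanged since acquisition"

    # Overwrite a single byte of the image in place; the recorded digest
    # no longer matches, which is what makes a later change evident.
    printf 'X' | dd of="$work/image.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify "$work/image.dd" || echo "image modified: digest mismatch"

    rm -rf "$work"
}

demo
```
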