BreachExchange mailing list archives

Re: TN: Election Commission laptop harddrive found


From: Chris Walsh <chris () cwalsh org>
Date: Fri, 18 Jan 2008 23:19:24 -0600

Sorry folks -- my sarcasm was not as overt as I thought when I made my original comment.

I had in mind reading/writing via a raw device (to use UNIX parlance), which would make your actions undetectable -- much as David is saying.

The Attrition folks have a rant on this subject -- http://attrition.org/dataloss/forensics.html


On Jan 18, 2008, at 2:38 PM, David C. Smith wrote:
I am not sure about ghost, but it can be done with the unix dd command. It creates a forensically sound bit image of the source. http://www.forensicswiki.org/wiki/Dd. Dd images do hold up in court as evidence and you can use MD5 sums to prove changes were not made. You may also view the drive with write blockers like http://www.forensicswiki.org/index.php?title=Write_Blockers which would not alter the source drive.

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
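The acquisition David describes, written out as an added example that is not part of the thread or of any tool it mentions: dd takes a bit-for-bit copy, hashes of the source taken before and after the copy show that reading through the raw device wrote nothing (Chris's point), and the image hash must equal the source hash before the image counts as evidence. The suspect "drive" here is a constructed 1 MiB file under a mktemp directory, and the file names, the log format and the SHA-256 digest alongside MD5 are assumptions of this example, so it runs without root or a real device; on a real acquisition the source would be a block device behind a hardware write blocker.

```shell
#!/bin/sh
# Added example, not code from the thread: acquire a bit-for-bit image with
# dd and prove with hashes that neither the source nor the image changed.
# The "drive" is a constructed file so this runs without root or a real
# device; in a real acquisition SOURCE would be a block device (e.g. /dev/sdb)
# sitting behind a hardware write blocker, and LOG would go in the case file.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SOURCE="$WORK/suspect.raw"      # stands in for the suspect drive (assumed name)
IMAGE="$WORK/suspect.dd"        # the forensic image (assumed name)
LOG="$WORK/acquisition.log"     # hash record for the chain of custody (assumed)

# Constructed sample "drive": 1 MiB (a whole number of 4096-byte blocks,
# see acquire below) of pseudo-random data with a recognisable marker.
dd if=/dev/urandom of="$SOURCE" bs=4096 count=256 2>/dev/null
printf 'SAMPLE-VOTER-RECORD' | dd of="$SOURCE" bs=1 seek=8192 conv=notrunc 2>/dev/null

# Print "md5 sha256" for a file. Two independent digests: MD5 is what the
# thread mentions and what older case notes carry; SHA-256 is the one to
# rely on today, since MD5 collisions are practical.
hash_file() {   # $1 = path
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Bit-for-bit copy. conv=noerror keeps reading past unreadable sectors and
# conv=sync zero-fills them so image offsets still equal source offsets.
# Because sync pads to bs, bs must divide the device size (true for any
# real disk with 512-byte sectors, arranged above for the sample file).
acquire() {     # $1 = source device or file, $2 = image path
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Append a timestamped hash line to the log.
record() {      # $1 = label, $2 = file
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$(hash_file "$2")" >>"$LOG"
}

# Exit status 0 if the image hashes identically to the source, 1 otherwise.
verify() {      # $1 = source, $2 = image
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

before=$(hash_file "$SOURCE")   # reference hash, taken before anything else touches the drive
record source-before "$SOURCE"
acquire "$SOURCE" "$IMAGE"
record image "$IMAGE"
after=$(hash_file "$SOURCE")
record source-after "$SOURCE"

# Reading through the raw device left the source untouched...
[ "$before" = "$after" ] || { echo "source changed during acquisition" >&2; exit 1; }
# ...and the image is an exact copy of it.
verify "$SOURCE" "$IMAGE" || { echo "image does not match source" >&2; exit 1; }
echo "image verified: $(hash_file "$IMAGE")"
cat "$LOG"
```

Any later claim that the image was not altered is checked the same way: rerun hash_file on the image and compare against the logged line, and a single flipped byte makes verify fail.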


