Security Basics mailing list archives

RE: Digital Evidence Question - What is an effective Windows hard-disk search tool?


From: Gene LeDuc <Gene.LeDuc () tns-md com>
Date: Fri, 20 Jun 2003 13:34:48 -0400

I use linux for this because it leaves the NTFS file system completely
unmodified.  It doesn't diddle with any time stamps, hidden recycler folders
or anything else.  Every time I've attached a new NTFS drive to a w2k
system, it touches things on it during the boot process and the file system
is no longer what I consider clean.  My experience with doing this sort of
thing is from a forensics perspective, where you do not want anything on the
target file system modified in any way, especially time stamps and
unallocated disk space.  I don't think linux is the do-all and end-all for
computing, but I absolutely will not use Windows when I need to know what is
going on beneath the skirts of the OS.  And since I've been doing a lot of
NTFS data recovery using linux recently, that was what popped into my mind
when I read the original post.  After I'd written my linux piece I realized
that this person probably didn't care whether his NTFS system got tagged by
another Windows OS or not, so I added the bit about strapping it to another
Windows box.


-----Original Message-----
From: Raoul Armfield [mailto:armfield () amnh org]
Sent: Thursday, June 19, 2003 9:32 AM
To: security-basics () securityfocus com
Subject: RE: Digital Evidence Question - What is an effective Windows
hard-disk search tool?


:-----Original Message-----
:From: Gene LeDuc [mailto:Gene.LeDuc () tns-md com] 
:Sent: Wednesday, June 18, 2003 6:20 PM
:To: 'Wilcox, Stephen'
:Cc: security-basics () securityfocus com
:Subject: RE: Digital Evidence Question - What is an effective
:Windows hard-disk search tool?
:
:
:If all you want to do is recover the info, you can attach the hard drive to
:a linux box and mount the NTFS partition.  From that point you can browse
:the NTFS file system and copy any files you want.  Depending on the flavor
:and version of linux, you may have to load an NTFS driver; I believe
:sourceforge has a read-only driver.  If you don't have a linux box hanging
:around then I suppose you could also attach the drive to another MS box and
:access it natively.

Let me start by saying I have learned a lot from this list.  However,
my question now is, why do so many of you try to solve everything
using linux?  I realize that linux is an excellent OS and a true NOS;
however, in this case isn't that like going to points C and D to get
from A to B?  Like Chris Berry said and Gene LeDuc conceded, simply
drop it into a Win2K box as a slave and copy the files.  Worst comes to
worst, you take ownership of the files in question (you do have admin
rights on a Win2K box, right?).  Sometimes we get lost in the simplicity
of the answer.  No need to load NTFS drivers in linux.

Raoul
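The forensic point Gene LeDuc makes at the top of this message (attach the
NTFS volume under linux so nothing on it is touched) is easy to state but
worth proving each time.  The script below is an added example, not code
from either poster: it forces the device read-only, hashes the raw bytes,
mounts the volume with `ro` so the NTFS driver neither replays the journal
nor updates timestamps, copies what is needed, unmounts, and hashes again.
A differing hash means the evidence was modified.  Device, mountpoint and
output paths, and the examine_ntfs/verify_unchanged function names, are
assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): attach an NTFS volume or
# disk image read-only under linux and prove that nothing on it changed.
# Paths and function names are assumptions chosen for illustration.
set -eu

# SHA-256 of a raw device or image file; prints the hex digest only.
# Falls back to shasum where GNU sha256sum is not installed.
image_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Mark a block device read-only in the kernel, so even a misbehaving
# file system driver cannot write to it.  Plain image files need nothing.
make_readonly() {
    if [ -b "$1" ]; then
        blockdev --setro "$1"
    fi
}

# Mount an NTFS device or image read-only.  'ro' keeps the driver from
# replaying the journal or touching timestamps; noatime is belt and braces;
# nodev/noexec/nosuid stop anything on the evidence from being executed.
# Images get 'loop' so the kernel attaches them through a loop device.
mount_ro() {
    dev="$1"; mnt="$2"
    opts="ro,noatime,nodev,noexec,nosuid"
    if [ -b "$dev" ]; then
        mount -t ntfs -o "$opts" "$dev" "$mnt"
    else
        mount -t ntfs -o "$opts,loop" "$dev" "$mnt"
    fi
}

# Compare a previously recorded digest with the current digest of the
# same device/image.  Returns 0 if unchanged, 1 if the evidence changed.
verify_unchanged() {
    [ "$(image_hash "$2")" = "$1" ]
}

# Whole procedure: hash, mount ro, copy with cp -a (preserves the copies'
# timestamps and modes), unmount, hash again, compare.
examine_ntfs() {
    dev="$1"; mnt="$2"; out="$3"
    make_readonly "$dev"
    before=$(image_hash "$dev")
    echo "before: $before"
    mount_ro "$dev" "$mnt"
    cp -a "$mnt"/. "$out"/
    umount "$mnt"
    if verify_unchanged "$before" "$dev"; then
        echo "after:  $before (evidence unchanged)"
    else
        echo "WARNING: evidence hash changed after examination" >&2
        return 1
    fi
}
```

Usage: source the file as root and run `examine_ntfs /dev/sdb1 /mnt/evidence /evidence/out`
(or pass an image file instead of a device).  Keep the "before" digest in
your notes; it is what lets you show later that the copy was taken from an
unmodified volume, which is the difference between Gene's approach and
slaving the disk into a Windows box.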


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------

