Re: Copying HDDs for forensic purposes?

[Kelly Martin <kel () securityfocus com>]

On Sat, 15 Nov 2003, Spencer D'oro wrote:

> I am interested in forensic examinations of hard drives.  In the little
> material I have seen, the authors state that no examination should be made
> of an original device; that instead a copy should be made and all
> examinations made to that device.  My question is this:  If you make a copy
> of the hard drive, does it copy the sectors that had recently deleted files
> or does it just mark them as blank in the partition table of the new drive?
> What if the source is physically damaged?  Or do you need a special utility
> to get the "erased" data?  Thanks in advance for the help.

Spencer, there are many different ways to copy entire drives for forensic
purposes, and lots of tools (commercial and freeware) available so that
you can get an exact copy including deleted files.

Check out the forensics section of the SecurityFocus Incidents archive at
http://www.securityfocus.com/infocus/incidents and you'll see quite a few
articles that you may find useful. Whether the drive is used under Windows
or a variant of Unix will determine which toolset you use. Good luck.

-- Kelly Martin SecurityFocus kel () securityfocus com +001-403-261-5468

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------