Security Basics mailing list archives
RE: Copying HDDs for forensic purposes?
From: "Steven A. Fletcher" <sfletcher () bcsc com>
Date: Mon, 17 Nov 2003 13:32:04 -0600
You would need to use a program that will make a sector by sector copy of the drive and it must also make a copy of the "empty" sections of the disk, since there could be deleted files in those areas. I know that Symantec Ghost has a switch that they refer to as a "forensic mode", but I have heard from some in law enforcement that this still is not sufficient and you must use a special program, such as Encase. Of course, you would want to check with your local law enforcement to see what they require.

Steve Fletcher, A+, MCP, MCSE (NT 4), Master ASE, CCNA, CCA
Senior Network Engineer
BCSC Technology Solutions
(309)664-8162
sfletcher () bcsc com

-----Original Message-----
From: Spencer D'oro [mailto:sdoro () comcast net]
Sent: Saturday, November 15, 2003 12:09 PM
To: security-basics () securityfocus com
Subject: Copying HDDs for forensic purposes?

Hello to all,

I am interested in forensic examinations of hard drives. In the little material I have seen, the authors state that no examination should be made of an original device; that instead a copy should be made and all examinations made to that device.

My question is this: If you make a copy of the hard drive, does it copy the sectors that had recently deleted files or does it just mark them as blank in the partition table of the new drive? What if the source is physically damaged? Or do you need a special utility to get the "erased" data?

Thanks in advance for the help.

Spencer
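The sector-by-sector copy discussed in this message, as an added example that is not part of the original post: it images every sector whether or not a file system considers it in use, zero-fills and records unreadable sectors, and hashes the image so it can be verified later. The names `image_device` and `DamagedDisk`, the 512-byte sector size and the in-memory sample disk are assumptions constructed for illustration.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size for this example


class DamagedDisk(io.BytesIO):
    """Constructed stand-in for a failing drive: listed sectors raise on read."""

    def __init__(self, data, bad_sectors):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)

    def read(self, size=-1):
        if self.tell() // SECTOR in self.bad_sectors:
            raise OSError("unrecoverable read error")
        return super().read(size)


def image_device(src, dst, total_sectors, sector=SECTOR):
    """Copy every sector, allocated or not; return (sha256 hex, bad sector list)."""
    digest, bad = hashlib.sha256(), []
    for n in range(total_sectors):
        try:
            src.seek(n * sector)
            block = src.read(sector)
            if len(block) != sector:
                raise OSError("short read")
        except OSError:
            # Zero-fill so later sectors keep their offsets; record the gap.
            block = b"\x00" * sector
            bad.append(n)
        dst.write(block)
        digest.update(block)
    return digest.hexdigest(), bad


def demo():
    # Constructed 4-sector disk: live file, deleted-file remnant, bad sector, empty.
    live = b"LIVE FILE".ljust(SECTOR, b"\x00")
    remnant = b"DELETED FILE REMNANT".ljust(SECTOR, b"\x00")
    raw = live + remnant + b"\xaa" * SECTOR + b"\x00" * SECTOR
    image = io.BytesIO()
    sha, bad = image_device(DamagedDisk(raw, [2]), image, len(raw) // SECTOR)
    return image.getvalue(), sha, bad


if __name__ == "__main__":
    img, sha, bad = demo()
    print(len(img), sha, bad, b"DELETED FILE REMNANT" in img)
```

On a real drive the source would be the raw device opened read-only, and the recorded hash and bad-sector list belong in the examination notes alongside the image.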