Security Basics mailing list archives

RE: Copying HDDs for forensic purposes?


From: "Bermingham, Bob" <Bob.Bermingham () idc-mcs com>
Date: Mon, 17 Nov 2003 14:31:52 -0800

Why not try this: http://www.coreprotect.com/core_shield.html ?

Basically, to maintain evidence a drive must be "pristine". In other
words, the drive cannot be altered in any fashion during examination.
CoreSHIELD enables you to actually boot to the device, but any writes
destined for the drive are deflected away.


**Disclaimer** - I am affiliated with CorePROTECT. I don't typically
respond to the list with advertisements, but I figured it was
appropriate in this case.

-bob.

-----Original Message-----
From: Steven A. Fletcher [mailto:sfletcher () bcsc com] 
Sent: Monday, November 17, 2003 11:32 AM
To: Spencer D'oro; security-basics () securityfocus com
Subject: RE: Copying HDDs for forensic purposes?

You would need to use a program that will make a sector by sector copy
of the drive and it must also make a copy of the "empty" sections of the
disk, since there could be deleted files in those areas.

I know that Symantec Ghost has a switch that they refer to as a
"forensic mode", but I have heard from some in law enforcement that this
still is not sufficient and you must use a special program, such as
Encase.  Of course, you would want to check with your local law
enforcement to see what they require.

Steve Fletcher, A+, MCP, MCSE (NT 4), Master ASE, CCNA, CCA
Senior Network Engineer
BCSC Technology Solutions
(309)664-8162
sfletcher () bcsc com
 
 
-----Original Message-----
From: Spencer D'oro [mailto:sdoro () comcast net] 
Sent: Saturday, November 15, 2003 12:09 PM
To: security-basics () securityfocus com
Subject: Copying HDDs for forensic purposes?

Hello to all,

I am interested in forensic examinations of hard drives.  In the little
material I have seen, the authors state that no examination should be
made of an original device; that instead a copy should be made and all
examinations made to that device.  My question is this:  If you make a
copy of the hard drive, does it copy the sectors that had recently
deleted files or does it just mark them as blank in the partition table
of the new drive?  What if the source is physically damaged?  Or do you
need a special utility to get the "erased" data?  Thanks in advance for
the help.

Spencer
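A concrete illustration of the sector-by-sector copy Steve describes and of the damaged-source case Spencer asks about, as an added example that is not from this thread: a small Python imager over a hypothetical in-memory `FlakyDevice` (an assumption standing in for a real raw block device) that copies every sector including unallocated ones, zero-fills sectors that fail to read while recording their indices, and hashes the resulting image so later alteration can be detected.

```python
import hashlib
import io

SECTOR = 512


class FlakyDevice:
    """Hypothetical stand-in for a raw block device (an assumption, not a real
    driver): raises OSError on listed sectors, mimicking physical damage."""

    def __init__(self, data, bad_sectors=()):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_sectors)
        self.size = len(data)

    def read_sector(self, idx):
        if idx in self._bad:
            raise OSError(f"I/O error reading sector {idx}")
        self._buf.seek(idx * SECTOR)
        return self._buf.read(SECTOR)


def image_device(dev):
    """Sector-by-sector copy: every sector is read whether or not the file
    system considers it allocated, so deleted-file remnants in unallocated
    space survive. Unreadable sectors are zero-filled so the image keeps the
    source geometry; their indices are returned for the examiner's notes."""
    out, bad = io.BytesIO(), []
    for idx in range(dev.size // SECTOR):
        try:
            chunk = dev.read_sector(idx)
        except OSError:
            chunk = b"\x00" * SECTOR
            bad.append(idx)
        out.write(chunk)
    image = out.getvalue()
    return image, bad, hashlib.sha256(image).hexdigest()

def verify_image(image, expected_digest):
    """Recompute the image hash; any alteration of the copy breaks the match."""
    return hashlib.sha256(image).hexdigest() == expected_digest

def build_sample_disk():
    # constructed sample: sector 0 live data, sector 1 leftovers of a deleted
    # file, sector 2 unreadable, sector 3 genuinely empty
    live = b"LIVE FILE CONTENT".ljust(SECTOR, b"\x00")
    deleted = b"DELETED BUT STILL ON DISK".ljust(SECTOR, b"\x00")
    damaged = b"UNREADABLE".ljust(SECTOR, b"\xff")
    return FlakyDevice(live + deleted + damaged + bytes(SECTOR), bad_sectors=[2])
```

Because the unreadable sector is zero-filled rather than skipped, the image stays the same size as the source and the offsets of everything after it remain correct, which is what lets the bad-sector list be reconciled later.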


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------

