RE: Copying HDDs for forensic purposes?

[Steven Vallarian <svallarian () csa1 com>]

A related question...

I know that you should md5 the image file to show in court that the drive
image hasn't
been tampered with (and compare it to an md5 sum of the hard drive), but how
do you 
do get an md5 sum for the entire hard drive (that's not in image format?)


Steven V.


> Hello to all,
>
> I am interested in forensic examinations of hard drives.  In the little
> material I have seen, the authors state that no examination should be made
> of an original device; that instead a copy should be made and all
> examinations made to that device.  My question is this:  If you make a
copy
> of the hard drive, does it copy the sectors that had recently deleted
files
> or does it just mark them as blank in the partition table of the new
drive?
> What if the source is physically damaged?  Or do you need a special
utility
> to get the "erased" data?  Thanks in advance for the help.
>
> Spencer
---------------------------------------------------------------------------
> Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
> The Presidio integrates PGP data encryption and XML Web Services security
to
> simplify the management and deployment of PGP and reduce overall PGP costs
> by up to 80%.
> FREE WHITEPAPER & 30 Day Trial -
> http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------