Security Basics mailing list archives

RE: Copying HDDs for forensic purposes?


From: "Amin Lalji" <amin.lalji () intelysis com>
Date: Tue, 18 Nov 2003 10:17:22 -0500

I came across this paper at 
http://www.linux-forensics.com/forensics/KNOPPIXValidation.pdf

In the paper, the author discusses using Knoppix for live previews
of hard drives while preserving the integrity of the data.

It seems Knoppix is validated for forensic use (according to the author)
when examining FAT32, NTFS, and EXT2 partitions. Apparently, it fails
the test when examining EXT3 partitions....

Anybody know if this is still true? 

I was unable to determine what version of Knoppix the author used ...
might try to contact him...

/A


-----Original Message-----
From: Gene LeDuc [mailto:Gene.LeDuc () tns-md com] 
Sent: Monday, November 17, 2003 3:38 PM
To: 'Spencer D'oro'
Cc: security-basics () securityfocus com
Subject: RE: Copying HDDs for forensic purposes?

I've done this to an NTFS partition using dd (to do the copy) under Linux and
then examining the file (flagged R/O) with sleuthkit and autopsy (both
free).  Sleuthkit provides the back-end forensic utilities and autopsy
provides a web server interface to sleuthkit so that you can do your digging
from any browser.  I installed both on a RedHat 8 system and it did what I
needed; I used it mostly to recover files that had been deleted and then
cleared from the Windows Recycle Bin.  Use www.sleuthkit.org as your
starting point if this is the way you want to go.

Regards, and happy hunting!
Gene

-----Original Message-----
From: Spencer D'oro [mailto:sdoro () comcast net]
Sent: Saturday, November 15, 2003 10:09 AM
To: security-basics () securityfocus com
Subject: Copying HDDs for forensic purposes?


Hello to all,

I am interested in forensic examinations of hard drives.  In the little
material I have seen, the authors state that no examination should be made
of an original device; that instead a copy should be made and all
examinations made to that device.  My question is this:  If you make a copy
of the hard drive, does it copy the sectors that had recently deleted files
or does it just mark them as blank in the partition table of the new drive?
What if the source is physically damaged?  Or do you need a special utility
to get the "erased" data?  Thanks in advance for the help.

Spencer
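The two questions in the thread (does a copy carry the sectors of deleted files, and what happens when the source has unreadable sectors) are answered by how a sector-level imager such as dd actually works. The following is an added example, not code from any poster on this list: it imitates `dd conv=noerror,sync` over a constructed 16-sector "device" (a bytes buffer, not a real block device), hashes the image so the copy can be verified against the source, zero-fills any sector the device refuses to read while recording its number, and then reads the sectors that the (pretend) filesystem no longer allocates, where the deleted file's contents still sit. The class and helper names, the sample sector layout and the allocation set {0, 2, 3} are all assumptions made for the demonstration.

```python
import hashlib
import io

SECTOR = 512


class SimulatedDevice:
    """Constructed stand-in for a raw block device (/dev/sdb and the like):
    a bytes buffer in which the listed sectors raise OSError on read, the
    way a physically damaged drive does. Real imaging would open the
    device node read-only instead of using this class."""

    def __init__(self, data, bad_sectors=()):
        assert len(data) % SECTOR == 0
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def sector_count(self):
        return len(self.data) // SECTOR

    def read_sector(self, n):
        if n in self.bad:
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def image_device(dev, out):
    """Sector-level copy of dev into the writable binary stream out.
    Mirrors `dd conv=noerror,sync`: an unreadable sector is recorded and
    written as zeros so every later sector keeps its original offset.
    Returns (sha256 hex digest of the image, list of unreadable sectors)."""
    digest = hashlib.sha256()
    unreadable = []
    for n in range(dev.sector_count):
        try:
            chunk = dev.read_sector(n)
        except OSError:
            unreadable.append(n)
            chunk = b"\x00" * SECTOR
        out.write(chunk)
        digest.update(chunk)
    return digest.hexdigest(), unreadable


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def unallocated_sectors(image, allocated):
    """Return {sector: bytes} for every sector the filesystem's allocation
    metadata (passed in, since this toy has no real FAT or MFT) does not
    claim. A deleted file's clusters land here: deleting only unlinks the
    directory entry, the sectors themselves are never wiped."""
    total = len(image) // SECTOR
    return {n: image[n * SECTOR:(n + 1) * SECTOR]
            for n in range(total) if n not in allocated}


def build_sample_device(bad_sectors=()):
    """Constructed 16-sector disk: a live file in sectors 2-3 and the
    remains of a deleted file in sectors 6-7. Sectors {0, 2, 3} are the
    only ones the pretend filesystem still marks as in use."""
    disk = bytearray(16 * SECTOR)
    boot, live1, live2 = b"BOOT", b"REPORT.TXT: quarterly", b"REPORT.TXT: continued"
    memo = b"deleted memo: do not retain"
    disk[0:len(boot)] = boot
    disk[2 * SECTOR:2 * SECTOR + len(live1)] = live1
    disk[3 * SECTOR:3 * SECTOR + len(live2)] = live2
    disk[6 * SECTOR:6 * SECTOR + len(memo)] = memo
    return SimulatedDevice(bytes(disk), bad_sectors), {0, 2, 3}


def demo(bad_sectors=()):
    """Image the sample device, verify the copy against the source, and
    report what survives in unallocated space."""
    dev, allocated = build_sample_device(bad_sectors)
    out = io.BytesIO()
    image_hash, unreadable = image_device(dev, out)
    image = out.getvalue()
    carved = unallocated_sectors(image, allocated)
    return {
        "image_hash": image_hash,
        "matches_source": image_hash == sha256_hex(dev.data),
        "unreadable": unreadable,
        "deleted_data_in_image": any(b"deleted memo" in s for s in carved.values()),
        "image_size": len(image),
    }


if __name__ == "__main__":
    print(demo())                 # clean drive: hash matches, memo recoverable
    print(demo(bad_sectors={3}))  # damaged sector 3: zero-filled and logged
```

The design point is that the copy is made below the filesystem: the imager never consults the partition table or directory entries, so nothing is "marked blank" and the deleted memo is still in the image for a tool like sleuthkit to carve. On a damaged drive the image hash will not match the source, which is expected; the list of zero-filled sectors is the record an examiner keeps alongside the hash.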


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------
