Re: Re: Forensics help?

[Red Leg <redleg18 () gmail com>]

On 9/13/05 8:32 AM, "Paul Robertson" <compuwar () gmail com> wrote:

> On 9/12/05, Red Leg <redleg18 () gmail com> wrote:
> > Hey Thanks!
> >
> > Can I use the copy made by dd for the analysis? Specifically... 1)I want to
> > go to the site, 2)copy the drive, 3)take the copy made back to my location,
> > 4) restore the data to another drive and mount it to an existing system and
> > then 5) forensically analyze the restored copy for deleted files.
> >
> > Can I use your directions to accomplish that?
>
> What do you mean by "forensically analyze?"

Actually, I meant that I wanted to use an unease program on the hard drive
to find erased files. Sorry about the confusion. Thank you and druid!

>  dd may[0] make a copy
> that's good for forensic analysis, but depending on what's on the
> drive and how you mount it, you may alter things by mounting it.  If
> you're not completely sure of what you're doing[1], you'll want to
> make a copy of your copy [so restoring to another drive *is* good] if
> you don't have a hardware write-blocker.  You'll also want MD5s or
> other hashes of the original and the copies to verify that you've got
> the data.  If there is a DCO or HPA then it may impact the value of
> the image depending on how you intend to use it and how it's acquired.
>
> if it's for something that may go to court (including as an unfair
> dismissal case,) you'll probably want to try to get someone who's done
> it before to do the analysis of the image, if not the imaging
> itself[2].

Amen! I haven't done this before. And, I wouldn't be doing this, if the data
was going to court.


> Also, you'll want to keep chain-of-custody documentation
> for the image and if necessary, the original.  I tend to like to make
> an extra copy onsite and put that back into the system, keeping the
> original for evidentiary value.

Thanks. I really appreciate the advice!

It is very obvious that computer forensics is a separate discipline that
requires formal training and even some apprentice time.


> If you haven't done it before, practice on a similar target system and
> verify both your process and your tools end-to-end.  Linux's
> "read-only" mounting of journaled filesystems is an example of why
> validation is necessary.
>  
> Paul
> [0] dcfldd is better at drives with errors and will automatically checksum
> [1] Uncleanly shut down filesystems, journaling filesystems and fun
> things like that may impact your ability to mount the image read-only.
> [2]  I have had folks do imaging in the past with tools I've provided,
> then had them FedEx me the image, but generally only if we think they
> won't need to testify.
> --
> www.compuwar.net


Thanks a lot!

I've got some studying to do!


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/