Full Disclosure mailing list archives
Re: Re: Forensics help?
From: Red Leg <redleg18 () gmail com>
Date: Tue, 13 Sep 2005 10:27:21 -0400
On 9/13/05 8:32 AM, "Paul Robertson" <compuwar () gmail com> wrote:
> On 9/12/05, Red Leg <redleg18 () gmail com> wrote:
>> Hey Thanks! Can I use the copy made by dd for the analysis? Specifically...
>> 1) I want to go to the site, 2) copy the drive, 3) take the copy made back to my location, 4) restore the data to another drive and mount it to an existing system and then 5) forensically analyze the restored copy for deleted files. Can I use your directions to accomplish that?
>
> What do you mean by "forensically analyze?"
Actually, I meant that I wanted to use an unerase program on the hard drive to find erased files. Sorry about the confusion. Thank you and druid!
> dd may[0] make a copy that's good for forensic analysis, but depending on what's on the drive and how you mount it, you may alter things by mounting it. If you're not completely sure of what you're doing[1], you'll want to make a copy of your copy [so restoring to another drive *is* good] if you don't have a hardware write-blocker. You'll also want MD5s or other hashes of the original and the copies to verify that you've got the data. If there is a DCO or HPA then it may impact the value of the image depending on how you intend to use it and how it's acquired. If it's for something that may go to court (including an unfair dismissal case), you'll probably want to try to get someone who's done it before to do the analysis of the image, if not the imaging itself[2].
Amen! I haven't done this before. And I wouldn't be doing this if the data was going to court.
> Also, you'll want to keep chain-of-custody documentation for the image and if necessary, the original. I tend to like to make an extra copy onsite and put that back into the system, keeping the original for evidentiary value.
Thanks. I really appreciate the advice! It is very obvious that computer forensics is a separate discipline that requires formal training and even some apprentice time.
> If you haven't done it before, practice on a similar target system and verify both your process and your tools end-to-end. Linux's "read-only" mounting of journaled filesystems is an example of why validation is necessary.
>
> Paul
>
> [0] dcfldd is better at drives with errors and will automatically checksum.
> [1] Uncleanly shut down filesystems, journaling filesystems and fun things like that may impact your ability to mount the image read-only.
> [2] I have had folks do imaging in the past with tools I've provided, then had them FedEx me the image, but generally only if we think they won't need to testify.
>
> --
> www.compuwar.net
Thanks a lot! I've got some studying to do!
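A worked version of the workflow Paul outlines above: image with dd while tolerating read errors, hash the original, the master image and the working copy so the copy-of-a-copy can be shown to be bit-for-bit, and mount the working copy so that a journaled filesystem is not written to by the mount itself. This is an added example, not code from the thread or from Paul. It runs against a constructed file-backed "drive" (1 MiB of random bytes standing in for /dev/sdX) so it needs neither root nor real hardware, assumes GNU coreutils (dd status=none, sha256sum), and only builds the mount command rather than executing it.

```shell
#!/bin/sh
# Added example, not code from the thread. Imaging, hash verification and a
# genuinely read-only mount, demonstrated on a file-backed drive. Assumes GNU
# coreutils. For a real acquisition, replace the constructed drive with the
# device node on a write-blocked system.

# Hash a file. The thread mentions MD5; sha256 is used here because MD5
# collisions are cheap to produce, though either proves a copy is bit-for-bit.
hash_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Image SRC to DST. conv=noerror,sync continues past read errors and pads the
# unreadable block with zeros, so the image keeps the source's size and later
# offsets stay aligned. (dcfldd does the same and hashes as it goes:
# dcfldd if=SRC of=DST hash=sha256 hashlog=DST.hash conv=noerror,sync)
image_drive() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync status=none
}

# Verify that original, master image and working copy hash identically and
# print the three digests for the chain-of-custody notes. Returns 0 on match.
verify_chain() {
    orig=$(hash_of "$1"); master=$(hash_of "$2"); work=$(hash_of "$3")
    printf 'original %s\nmaster   %s\nworking  %s\n' "$orig" "$master" "$work"
    if [ "$orig" = "$master" ] && [ "$master" = "$work" ]; then
        return 0
    fi
    return 1
}

# Build (not run: needs root and a loop device) the mount command for the
# working copy. "ro" alone is not enough on a journaled filesystem: ext3/ext4
# replay a dirty journal even on a read-only mount unless noload is given,
# and XFS needs norecovery for the same reason.
ro_mount_cmd() {
    fs="$1"; img="$2"; mnt="$3"
    case "$fs" in
        ext3|ext4) opts="ro,noload,noexec" ;;
        xfs)       opts="ro,norecovery,noexec" ;;
        *)         opts="ro,noexec" ;;
    esac
    printf 'mount -t %s -o loop,%s %s %s\n' "$fs" "$opts" "$img" "$mnt"
}

# Walk-through on a constructed 1 MiB drive of random bytes.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/drive" bs=4096 count=256 status=none
    image_drive "$work/drive" "$work/master.dd"   # evidence copy: never mounted
    cp "$work/master.dd" "$work/working.dd"       # copy of the copy: analysed
    verify_chain "$work/drive" "$work/master.dd" "$work/working.dd"
    ro_mount_cmd ext3 "$work/working.dd" /mnt/evidence
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run the walk-through with `sh image.sh demo`. Two caveats from the thread that the script cannot check for you: dd only sees the sectors the drive reports, so on a real disk look for an HPA with `hdparm -N /dev/sdX` and a DCO with `hdparm --dco-identify /dev/sdX` before imaging, and after mounting, re-hash the working copy to confirm the mount really was read-only.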