Security Incidents mailing list archives
RE: maybe a simple problem
From: "Clayton Hoskinson" <clayton () coxinet net>
Date: Sat, 5 Oct 2002 08:08:56 -0500
Ghost will do a forensic image depending on the version you are using; the switches are different. In 2002 the switches are -ir and -fnf, in 2003 the switch is -ia. There is a text file that explains the switches and their use with Norton; I would read that to determine which ones to use depending on the version you are using. Of course do some testing to make sure you are creating a true forensic image.

Clayton

-----Original Message-----
From: george.wasgatt () insurity com [mailto:george.wasgatt () insurity com]
Sent: Friday, October 04, 2002 8:48 AM
To: SRobinson () HIPUSA com; george.wasgatt () insurity com; greg.reber () astechconsulting com; afison () brit-tex net; incidents () securityfocus com
Subject: RE: maybe a simple problem

You are surely right, and if I had actually thought it through before writing I would have remembered. A normal GHOST image doesn't bother backing up unused space, just the stuff the file system says is in use. And yes, there is a bit by bit option that I've had to use when there was a damaged file system or corrupt disk sectors were encountered.

-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
Sent: Friday, October 04, 2002 9:22 AM
To: 'george.wasgatt () insurity com'; greg.reber () astechconsulting com; afison () brit-tex net; incidents () securityfocus com
Subject: RE: maybe a simple problem

I'm not sure if the newest version does a bit by bit copy. I can't remember the switch off hand either since we never used it in my work for a forensics tool. However, I can try to find it as I believe it DOES have the physical capability. Historically, Ghost produced a logical "image or mirror" of the drive, it was not a forensic "bit by bit" copy. It only did a logical image unless specifically told otherwise, i.e. a physical bit copy. For example, a core build using GHOST was used to roll out 100 workstations. The physical drive size in each machine could vary say from 12GB to 20GB, however, the GHOST image was 6GB so this would be your logical drive. However, forensically speaking, this is not your TRUE drive that must be copied. There could be 6-14GB difference and could present issues in court since you now don't have the "original" drive. You must be careful when doing a copy that may have potential litigation issues, civil or criminal. A logical copy of the drive (normally what you get using ghost) while this is good for production is NOT good for forensics. You must make sure that you can recreate deleted files and obtain the myriad of pieces located in swap, unallocated and free space on the ENTIRE physical drive not just the logical pieces. Safeback, snapback, encase etc have stood up in court. I am not sure about GHOST. It could if you have that switch (which I can't remember w/o some research) and you can prove that the physical copy from GHOST is identical to that of the original drive, i.e. # of sectors, bits, etc. Suggested you hash the drives using MD5 hash or similar. Even using safeback, etc. you should still verify that you have made the forensic copy not the logical copy as they give you options to do so.

-----Original Message-----
From: george.wasgatt () insurity com [mailto:george.wasgatt () insurity com]
Sent: Friday, October 04, 2002 7:36 AM
To: Robinson, Sonja; greg.reber () astechconsulting com; afison () brit-tex net; incidents () securityfocus com
Subject: RE: maybe a simple problem

What is the certain switch in GHOST and why is it necessary? I thought that GHOST defaults produced a saved copy of the disk drive bit by bit the same as the original.

-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
Sent: Thursday, October 03, 2002 1:04 PM
To: 'Greg Reber'; Andrew Fison; incidents () securityfocus com
Subject: RE: maybe a simple problem

IF you alter the files on the machine they will not hold up in court. You must do a bit level back up which is normally done using a tool such as safeback, snapback, encase, etc. You can use Ghost if you have a certain switch set but I would not suggest it. Normally you must be physically present to do so.

1) DO not boot the machine or do a back up. You may destroy the files and evidence you need by doing so.

2) Using an approved FORENSIC method/tool (safeback, snapback, encase, SOloMasster, etc.), make TWO forensic copies. 1 for them to put back in their machine and 1 for you to use as a back up to restore as many times as necessary if you are going drive to drive. If you are using a non-intrusive means of analysis such as encase then you can do analysis on this drive as long AS YOU KEEP THE ORIGINAL COPY IN CUSTODY. I always suggest an original and a forensic copy (unused) just in case a drive fails.

Depending upon the cost (and potential loss), Ontrack can grab the stuff remotely for you. Depends on what it's worth to your client. E-mail me off line for more info. I specialize in forensics.

-----Original Message-----
From: Greg Reber [mailto:greg.reber () astechconsulting com]
Sent: Wednesday, October 02, 2002 9:16 PM
To: Andrew Fison; incidents () securityfocus com
Subject: RE: maybe a simple problem

Andrew - if there is a suspicion that the client's machine has been compromised, they should stop using it and have you do some quick forensics. Back up files that they need, but not the whole HD. http://biatchux.dmzs.com/ is a great site for free forensics tools.

-greg

The information in this email is likely confidential and may be legally privileged. It is intended solely for the addressee. Access to this by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful.

-----Original Message-----
From: Andrew Fison [mailto:afison () brit-tex net]
Sent: Wednesday, October 02, 2002 2:37 AM
To: incidents () securityfocus com
Subject: maybe a simple problem

I have a client who believes that their win98 pc has been hacked with some remote control software. They are pretty vague and not close by so I cannot look at the machine all the time. I asked them to do netstat when they think they are being spied on but as yet they have not given me anything useful. I think there is reason to believe them as the owner is involved in a hostile boardroom take over of his company by some other entities; whilst this is legal, they have used other underhand methods against my customer before and they are trying to force him to sign over the business to them a little too swiftly. This all started when his wife was using the pc, and a telescope came on the screen and then disappeared; since then the machine crashes, documents pertaining to the business have gone missing etc. Any clues to what this telescope could be?

yours andrew
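The verification step Sonja describes (same number of sectors, matching MD5 hash, deleted data still recoverable from unallocated space) as an added Python illustration; this is not code from the thread, and the 64-sector toy drive, the 512-byte sector size and the "deleted board minutes" residue are constructed assumptions:

```python
import hashlib

SECTOR = 512  # assumed sector size for the toy drive

def sector_count(data: bytes) -> int:
    """Number of sectors in a drive or image (rounded up)."""
    return (len(data) + SECTOR - 1) // SECTOR

def md5_of(data: bytes, chunk: int = 1 << 20) -> str:
    """Hash in chunks, as you would when streaming a multi-GB device.
    MD5 is what the thread names; hashlib.sha256 is a drop-in replacement."""
    h = hashlib.md5()
    view = memoryview(data)
    for off in range(0, len(view), chunk):
        h.update(view[off:off + chunk])
    return h.hexdigest()

def verify_image(original: bytes, image: bytes) -> dict:
    """A copy is only forensic if BOTH sector count and hash match the source."""
    report = {
        "orig_sectors": sector_count(original),
        "image_sectors": sector_count(image),
        "orig_md5": md5_of(original),
        "image_md5": md5_of(image),
    }
    report["sectors_match"] = report["orig_sectors"] == report["image_sectors"]
    report["hash_match"] = report["orig_md5"] == report["image_md5"]
    report["forensic_copy"] = report["sectors_match"] and report["hash_match"]
    return report

def make_toy_drive() -> bytes:
    """Constructed 64-sector drive: file system uses the first 16 sectors;
    residue of a deleted document sits in unallocated space at sector 40."""
    drive = bytearray(64 * SECTOR)
    drive[0:SECTOR] = b"FS-HEADER".ljust(SECTOR, b"\x00")
    drive[SECTOR:16 * SECTOR] = b"live file data ".ljust(15 * SECTOR, b"A")
    drive[40 * SECTOR:41 * SECTOR] = b"deleted board minutes".ljust(SECTOR, b"\x00")
    return bytes(drive)

def logical_copy(drive: bytes, used_sectors: int) -> bytes:
    """What a default (logical) image keeps: only the sectors the file system says are in use."""
    return drive[:used_sectors * SECTOR]

def physical_copy(drive: bytes) -> bytes:
    """Bit-for-bit copy of every sector, allocated or not."""
    return bytes(drive)
```

Run against a real device the same functions apply to the device and image files read in chunks; the logical copy fails on both sector count and hash and no longer contains the deleted residue, the physical copy passes on both.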
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: maybe a simple problem Brooke, O'neil (EXP) (Oct 02)
- <Possible follow-ups>
- Re: maybe a simple problem Michael Anuzis (Oct 03)
- RE: maybe a simple problem Robinson, Sonja (Oct 03)
- RE: maybe a simple problem george . wasgatt (Oct 04)
- RE: maybe a simple problem Robinson, Sonja (Oct 04)
- RE: maybe a simple problem george . wasgatt (Oct 04)
- RE: maybe a simple problem Clayton Hoskinson (Oct 05)
- RE: maybe a simple problem Jeff Peterson (Oct 05)
- RE: maybe a simple problem Hugo van der Kooij (Oct 05)
- Re: maybe a simple problem tabrams (Oct 05)
- RE: maybe a simple problem Rob Keown (Oct 05)