Date: Tue Sep 13 13:32:16 2005
From: compuwar at gmail.com (Paul Robertson)
Subject: Re: Forensics help?

On 9/12/05, Red Leg <redleg18@...il.com> wrote:
> Hey Thanks!
> 
> Can I use the copy made by dd for the analysis? Specifically... 1)I want to
> go to the site, 2)copy the drive, 3)take the copy made back to my location,
> 4) restore the data to another drive and mount it to an existing system and
> then 5) forensically analyze the restored copy for deleted files.
> 
> Can I use your directions to accomplish that?

What do you mean by "forensically analyze?"  dd may[0] make a copy
that's good for forensic analysis, but depending on what's on the
drive and how you mount it, you may alter things by mounting it.  If
you're not completely sure of what you're doing[1], you'll want to
make a copy of your copy [so restoring to another drive *is* good] if
you don't have a hardware write-blocker.  You'll also want MD5s or
other hashes of the original and the copies to verify that you've got
the data.  If there is a DCO or HPA then it may impact the value of
the image depending on how you intend to use it and how it's acquired.

If it's for something that may go to court (including as an unfair
dismissal case), you'll probably want to try to get someone who's done
it before to do the analysis of the image, if not the imaging
itself[2]. Also, you'll want to keep chain-of-custody documentation
for the image and if necessary, the original.  I tend to like to make
an extra copy onsite and put that back into the system, keeping the
original for evidentiary value.

If you haven't done it before, practice on a similar target system and
verify both your process and your tools end-to-end.  Linux's
"read-only" mounting of journaled filesystems is an example of why
validation is necessary.
 
Paul
[0] dcfldd is better at drives with errors and will automatically checksum
[1] Uncleanly shut down filesystems, journaling filesystems and fun
things like that may impact your ability to mount the image read-only.
[2]  I have had folks do imaging in the past with tools I've provided,
then had them FedEx me the image, but generally only if we think they
won't need to testify.
--
www.compuwar.net
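Added example, not code from this thread or from either poster: a small POSIX shell acquire-and-verify pipeline that walks the steps Paul lists above. It images with dcfldd when it is installed (it hashes while copying and continues past read errors) and otherwise with dd using conv=noerror,sync, records a SHA-256 of the original and of the image, keeps the acquired image pristine by analysing only a copy of the copy, checks for an HPA or DCO with hdparm when the source is a real block device, and builds mount options that stop the journal replay a bare "read-only" mount of ext3/ext4 still performs. Every path, the function names, and the scratch "drive" used in the practice run are assumptions for illustration; the real mount needs root and is only attempted as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: POSIX sh with
# coreutils dd/sha256sum; dcfldd and hdparm are optional; the real mount
# needs root, so it is only attempted when running as root. Paths are
# illustrative.
set -eu

# SHA-256 of a device or file. Hash the original *before* anything
# touches it, then the image, then every working copy.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# HPA/DCO check on a real block device (hdparm -N reports the HPA state,
# --dco-identify the DCO); skipped for regular files or without hdparm.
check_hpa_dco() {
    if [ -b "$1" ] && command -v hdparm >/dev/null 2>&1; then
        hdparm -N "$1" || true
        hdparm --dco-identify "$1" || true
    else
        echo "hpa/dco check skipped: $1 is not a block device or hdparm is missing"
    fi
}

# Acquire src into img. dcfldd hashes while it copies and keeps going on
# read errors; plain dd needs conv=noerror,sync so an unreadable sector
# becomes zero fill instead of aborting. bs=512 matches the sector size,
# so conv=sync never pads the tail of a whole device (a larger bs would
# pad the last partial block and break the hash comparison).
acquire() {
    src=$1; img=$2
    if command -v dcfldd >/dev/null 2>&1; then
        dcfldd if="$src" of="$img" bs=512 conv=noerror,sync \
               hash=sha256 hashlog="$img.dcfldd.log"
    else
        dd if="$src" of="$img" bs=512 conv=noerror,sync
    fi
    hash_of "$img" > "$img.sha256"
}

# Original vs image: succeeds only when the hashes agree.
verify() {
    [ "$(hash_of "$1")" = "$(cat "$2.sha256")" ]
}

# Image vs its recorded hash: run this after every analysis session to
# show the evidence copy was not modified.
verify_unchanged() {
    [ "$(hash_of "$1")" = "$(cat "$1.sha256")" ]
}

# Analysis happens on a copy of the copy, never on the acquired image.
working_copy() {
    cp "$1" "$2"
}

# Mount options per filesystem. A bare 'ro' still lets ext3/ext4 replay
# the journal on mount, which rewrites blocks in the image; 'noload'
# prevents that, and 'norecovery' is the XFS counterpart.
mount_opts() {
    case $1 in
        ext3|ext4) echo ro,noload,noexec,nodev,nosuid,loop ;;
        xfs)       echo ro,norecovery,noexec,nodev,nosuid,loop ;;
        *)         echo ro,noexec,nodev,nosuid,loop ;;
    esac
}

# Mount a working copy read-only (root only); prints the command otherwise.
mount_ro() {
    img=$1; mnt=$2; fstype=${3:-ext4}
    opts=$(mount_opts "$fstype")
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root, would run: mount -t $fstype -o $opts $img $mnt"
        return 0
    fi
    mount -t "$fstype" -o "$opts" "$img" "$mnt"
}
```

Practice it end-to-end on a scratch file before fieldwork, as the post recommends: acquire a small constructed file, verify it, take a working copy, deliberately modify the working copy, and confirm that `verify_unchanged` still passes for the acquired image while the modified copy no longer matches the recorded hash. Re-run `verify_unchanged` against the image after every mount and analysis session; a changed hash there means the procedure, not the evidence, needs fixing.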
