lists.openwall.net
Open Source and information security mailing list archives
Date: Tue Sep 13 15:38:24 2005
From: redleg18 at gmail.com (Red Leg)
Subject: Re: Forensics help?


On 9/13/05 8:32 AM, "Paul Robertson" <compuwar@...il.com> wrote:

> On 9/12/05, Red Leg <redleg18@...il.com> wrote:
>> Hey Thanks!
>> 
>> Can I use the copy made by dd for the analysis? Specifically... 1) I want to
>> go to the site, 2) copy the drive, 3) take the copy made back to my location,
>> 4) restore the data to another drive and mount it to an existing system and
>> then 5) forensically analyze the restored copy for deleted files.
>> 
>> Can I use your directions to accomplish that?
> 
> What do you mean by "forensically analyze?"

Actually, I meant that I wanted to use an unerase program on the hard drive
to find erased files. Sorry about the confusion. Thank you and druid!

>  dd may[0] make a copy
> that's good for forensic analysis, but depending on what's on the
> drive and how you mount it, you may alter things by mounting it.  If
> you're not completely sure of what you're doing[1], you'll want to
> make a copy of your copy [so restoring to another drive *is* good] if
> you don't have a hardware write-blocker.  You'll also want MD5s or
> other hashes of the original and the copies to verify that you've got
> the data.  If there is a DCO or HPA then it may impact the value of
> the image depending on how you intend to use it and how it's acquired.
> 
> If it's for something that may go to court (including an unfair
> dismissal case), you'll probably want to try to get someone who's done
> it before to do the analysis of the image, if not the imaging
> itself[2].

Amen! I haven't done this before. And I wouldn't be doing this if the data
were going to court.


> Also, you'll want to keep chain-of-custody documentation
> for the image and if necessary, the original.  I tend to like to make
> an extra copy onsite and put that back into the system, keeping the
> original for evidentiary value.

Thanks. I really appreciate the advice!

It is very obvious that computer forensics is a separate discipline that
requires formal training and even some apprentice time.


> 
> If you haven't done it before, practice on a similar target system and
> verify both your process and your tools end-to-end.  Linux's
> "read-only" mounting of journaled filesystems is an example of why
> validation is necessary.
>  
> Paul
> [0] dcfldd is better at drives with errors and will automatically checksum
> [1] Uncleanly shut down filesystems, journaling filesystems and fun
> things like that may impact your ability to mount the image read-only.
> [2]  I have had folks do imaging in the past with tools I've provided,
> then had them FedEx me the image, but generally only if we think they
> won't need to testify.
> --
> www.compuwar.net
> 


Thanks a lot!

I've got some studying to do!
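The acquisition and verification steps Paul describes above (dd with error handling, hashing the original and the copies, keeping a copy of the copy, and re-checking the working copy because a "read-only" mount of a journaled filesystem can still write to it) as one shell script. This is an added example written for this archive page, not code posted by either participant. It assumes GNU or BusyBox dd, sha256sum, awk, mktemp, and util-linux losetup/mount; the function names, the constructed sample "drive" in the self-test, and the argument convention (source, image) are all choices made here, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): acquire a disk image with
# dd, hash the source and the image, record the hash of the working copy,
# and re-check it after analysis or mounting.
# Assumed tooling: GNU/BusyBox dd and sha256sum, awk, mktemp, util-linux.

hash_file() {
    # Print only the hex SHA-256 digest of $1.
    sha256sum "$1" | awk '{print $1}'
}

acquire_image() {
    # $1 source device/file, $2 destination image, $3 block size (default 512).
    # conv=noerror keeps reading past bad sectors; conv=sync pads the
    # unreadable block with zeros so later offsets stay aligned with the
    # source. Use a block size that divides the source size (512, or the
    # drive's sector size): otherwise sync pads the tail and the image hash
    # will never match the source. dcfldd can hash in the same pass
    # (hash=sha256 hashlog=FILE), which is what footnote [0] refers to.
    dd if="$1" of="$2" bs="${3:-512}" conv=noerror,sync 2>/dev/null
}

verify_image() {
    # $1 source, $2 image. Print both digests (for the custody log) and
    # succeed only if they match.
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$1" "$img_hash" "$2"
    [ "$src_hash" = "$img_hash" ]
}

record_hash() {
    # Write "digest  path" for $1 into the log file $2.
    printf '%s  %s\n' "$(hash_file "$1")" "$1" > "$2"
}

check_unchanged() {
    # Recompute the digest of $1 and compare it with the first digest in $2.
    expected=$(awk 'NR==1 {print $1}' "$2")
    [ "$(hash_file "$1")" = "$expected" ]
}

mount_image_ro() {
    # $1 image (ext3/ext4), $2 mount point. Needs root; not run by the
    # self-test. "ro" alone is not enough: the kernel still replays the
    # journal of an uncleanly unmounted ext3/ext4 filesystem, writing to
    # the image. "noload" skips the journal, and a read-only loop device
    # (losetup -r) refuses any other write at the block layer. Run
    # check_unchanged afterwards to prove the image was not touched.
    dev=$(losetup -r -f --show "$1") || return 1
    mount -o ro,noload "$dev" "$2"
}

run_demo() {
    # Self-test on a constructed 8192-byte "drive" (sample data, not a disk).
    work=$(mktemp -d) || return 1
    yes 'constructed sample drive contents' | head -c 8192 > "$work/drive"
    acquire_image "$work/drive" "$work/image.dd" 512 || return 1
    verify_image "$work/drive" "$work/image.dd" || return 1
    cp "$work/image.dd" "$work/working.dd"        # the copy of the copy
    record_hash "$work/working.dd" "$work/working.dd.sha256"
    # ... analysis (or a mount) happens on working.dd here ...
    check_unchanged "$work/working.dd" "$work/working.dd.sha256" || return 1
    echo "image verified and working copy unchanged"
    rm -rf "$work"
}

if [ "$#" -eq 2 ]; then
    # Real use: sh script.sh /dev/sdX /path/to/image.dd
    acquire_image "$1" "$2" && verify_image "$1" "$2"
else
    run_demo
fi
```

Run it with no arguments for the self-test, or with a source device and an image path for a real acquisition. The block-size caveat in acquire_image is the kind of thing the "practice on a similar target system" advice is meant to catch: with conv=sync and a block size that does not divide the source, the image is longer than the drive and the hashes disagree even though nothing went wrong with the read.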

