Open Source and information security mailing list archives
From: david.hayes at mci.com (David Hayes)
Subject: Reacting to a server compromise

Our old standby, "dd", is perfectly acceptable for making an image of a hard drive to be used in court. It's even the #1 choice of the FBI, and accepted by U.S. federal courts. From the trial court order on admission of evidence in the case of Zacarias Moussaoui (the accused 20th hijacker of 9/11):

    Authentication

    The foundation of standby counsel's discovery requests regarding the computer and e-mail evidence rests upon their complaints regarding the "authentication" of the hard drives provided in discovery. "Authentication" in this context means the process of ensuring that the duplicate of the hard drive provided in discovery is an exact copy of what the FBI originally acquired. As FBI Supervisory Special Agent Dara Sewell explains in her attached affidavit, the FBI uses three different methods to duplicate or image a hard drive: (1) GNU/Linux routine dd command via Red Hat Linux 7.1 (hereafter "Linux dd"); (2) Safeback version 2.18 imaging software by New Technologies (hereafter "Safeback"); (3) Solitaire Forensics Kit, SFK-000A hand-held disk duplicator by Logicube, Inc.

http://notablecases.vaed.uscourts.gov/1:01-cr-00455/docs/68092/0.pdf

-- 
David Hayes
Network Security Operations Center
MCI Network Svcs
email: david.hayes@....com
vnet: 777-7236
voice: 972-729-7236
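The court order quoted above defines "authentication" as proving that the duplicate is an exact copy of what was acquired. The script below is an added example (not part of David Hayes's post or of the court record) of how that is done in practice with dd: hash the source, image it, hash the image, keep both hashes beside the image, and re-check later. It assumes a POSIX shell with dd, awk and sha256sum (or shasum); the "evidence drive" is a constructed 1 MiB file so the script runs offline, where a real acquisition would read a block device through a write blocker and write to separate evidence storage.

```sh
#!/bin/sh
# Added example: acquire an image with dd and authenticate it by hashing.
# The drive is a constructed file; on a real case SRC would be a block
# device (read-only) and DST a file on separate evidence storage.

set -eu

# Print the SHA-256 of a file (sha256sum on Linux, shasum fallback elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Build a constructed 1 MiB "evidence drive" filled with random bytes.
make_sample_drive() {
    dd if=/dev/urandom of="$1" bs=4096 count=256 2>/dev/null
}

# Acquire a bit-for-bit copy. conv=noerror keeps reading past bad blocks and
# sync pads a failed block so later offsets stay aligned with the original;
# bs must divide the device size (true for real disks) for hashes to match.
# The source is hashed before imaging, and both hashes are stored next to the
# image so a later change to either side is detectable.
acquire_image() {
    src="$1"; dst="$2"
    src_hash=$(hash_file "$src")
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null
    img_hash=$(hash_file "$dst")
    printf 'source  %s  %s\nimage   %s  %s\n' \
        "$src_hash" "$src" "$img_hash" "$dst" > "$dst.sha256"
    echo "$img_hash"
}

# Authenticate: the image is an exact copy only if its current hash equals
# the hash recorded for the source at acquisition time. Exit 0 on match.
verify_image() {
    dst="$1"
    recorded=$(awk '$1=="source"{print $2}' "$dst.sha256")
    current=$(hash_file "$dst")
    [ "$recorded" = "$current" ]
}

# Demonstration on constructed data: verify, then damage the image and
# show that verification now fails.
work=$(mktemp -d)
make_sample_drive "$work/evidence.raw"
acquire_image "$work/evidence.raw" "$work/evidence.dd" >/dev/null
if verify_image "$work/evidence.dd"; then echo "image verified"; else echo "MISMATCH"; fi
dd if=/dev/zero of="$work/evidence.dd" bs=4096 count=1 conv=notrunc 2>/dev/null
if verify_image "$work/evidence.dd"; then echo "change not detected"; else echo "change detected"; fi
rm -rf "$work"
```

The hash record written next to the image is what lets anyone later re-run verify_image and confirm the copy is still identical to what was acquired, which is the "authentication" the order describes; in a real case the source hash is taken with the device attached read-only so the original cannot change during acquisition.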