From: david.hayes at (David Hayes)
Subject: Reacting to a server compromise

Our old standby, "dd", is perfectly acceptable for making an image of
a hard drive to be used in court.  It's even the #1 choice of the FBI,
and accepted by U.S. federal courts.  From the trial court order on
admission of evidence in the case of Zacarias Moussaoui (the accused
20th hijacker of 9/11):


   The foundation of standby counsel's discovery requests regarding
   the computer and e-mail evidence rests upon their complaints
   regarding the "authentication" of the hard drives provided in
   discovery. "Authentication" in this context means the process of
   ensuring that the duplicate of the hard drive provided in discovery
   is an exact copy of what the FBI originally acquired. As FBI
   Supervisory Special Agent Dara Sewell explains in her attached
   affidavit, the FBI uses three different methods to duplicate or
   image a hard drive:

   (1) GNU/Linux routine dd command via Red Hat Linux 7.1 (hereafter
   "Linux dd");

   (2) Safeback version 2.18 imaging software by New Technologies
   (hereafter "Safeback");

   (3) Solitaire Forensics Kit, SFK-000A hand-held disk duplicator by
   Logicube, Inc.

David Hayes    Network Security Operations Center     MCI Network Svcs
email:      vnet: 777-7236     voice: 972-729-7236
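The court order above defines "authentication" as ensuring the duplicate is an exact copy of the original. The following POSIX shell script is an added example, not part of this post or of the FBI's procedure: it images a constructed stand-in "drive" with dd and authenticates the copy by comparing SHA-256 hashes of source and image, also showing why a source that is not sector-aligned fails that check under `conv=sync`. It assumes coreutils `sha256sum` is available.

```shell
#!/bin/sh
# Added example: dd imaging followed by hash-based authentication of the copy.
set -eu

# Constructed stand-in for an evidence drive: N sectors of random bytes.
# (A real drive is a block device such as /dev/sdb; its size is always a
# whole number of sectors, which matters for conv=sync below.)
make_sample_drive() {
    drive="$1"; sectors="$2"
    dd if=/dev/urandom of="$drive" bs=512 count="$sectors" 2>/dev/null
}

# Image the source with dd. conv=noerror keeps reading past bad sectors and
# conv=sync zero-pads any short read so offsets stay aligned. bs=512 matches
# the assumed sector size. dd's own in/out record counts go to a log beside
# the image so they can be kept with the evidence record.
image_drive() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.log"
}

# Authenticate: hash both source and image, write both digests to a record
# file next to the image, and return 0 only when they are identical.
verify_image() {
    src="$1"; img="$2"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" >"$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Size of a file in bytes, used to show the conv=sync padding effect.
byte_size() {
    wc -c <"$1" | tr -d ' '
}
```

For a sector-aligned source the hashes match; for a source whose length is not a multiple of 512 bytes, `conv=sync` pads the final block and the image hash no longer matches, which is why the check must be run rather than assumed.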
