lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <a9f81f40050912061631e1251b@mail.gmail.com>
Date: Mon Sep 12 14:16:41 2005
From: jjjwicks at gmail.com (James Wicks)
Subject: Forensic help?

Symantec Ghost was not presented as a means of getting a forensic duplicate. 
As stated in my first response, the Ghost image is to be added to the new 
drive and that drive is placed in the suspect desktop so that it can be 
placed back into production. That would leave the suspect drive available 
for any type of forensic investigation, whether it is done internally or 
sent out to another company. I normally do not want to leave a user without 
a desktop just because I need to investigate something. Since this is a case 
of data deletion/recovery and not an investigation of suspected 
torjan/rootkit, getting the system back into production using a Ghosted 
drive is (in my opinion) a business-practical course of action.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Ghost will not give you a forensically sound image. Unless something
changes recently, Ghost won't image unallocated space, so you won't be able
to recover any deleted files. I'd recommend using the Helix Live CD at
http://www.e-fense.com/helix/, which based on Knoppix, but will never 
automatically mount any disks found, as Knoppix will.

It contains all the tools previously mentioned - dcfldd for imaging, which
you can pipe to netcat to create an image over the network. The Sleuthkit
for analysis, which is basically just a front-end to other tools also
included. However, the learning curve can bit a bit steep.

-----Original Message-----
From: Red Leg [mailto:redleg18@...il.com]
Sent: Sunday, September 11, 2005 8:37 PM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Forensic help?


On 9/11/05 6:33 PM, "Red Leg" <redleg18@...il.com> wrote:

> Hi all.
> 
> I was wondering if anyone knows of a program/system that I can 
> purchase,
as
> a private individual, that will allow me to
> 
> 1) mirror a hard drive on location and
> 
> 2) take that mirror and restore it to another drive. And
> 
> 3) Find any CONVENTIONALLY erased files?
> 
> -- This would be either a Windows NTFS or FAT32 drive.


Wow!

Thanks all. I really appreciate the education!

I wish that I could keep the target drive, and change it out. However, this 
is a Freedom of Information Act issue. I don't think they'll let me keep the 
original/target.


I knew about Drive Image, but I didn't know it or Symantec Ghost would be 
able to get the erased data (as in using the "Delete Key" or right click 
delete).

Thanks!
Redleg18


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-------------------------------------------------------------------------------
This message and any included attachments are from Siemens Medical Solutions 
USA, Inc. and are intended only for the addressee(s). 
The information contained herein may include trade secrets or privileged or 
otherwise confidential information. Unauthorized review, forwarding, 
printing, copying, distributing, or using such information is strictly 
prohibited and may be unlawful. If you received this message in error, or 
have reason to believe you are not authorized to receive it, please promptly 
delete this message and notify the sender by e-mail with a copy to 
Central.SecurityOffice@....siemens.com 

Thank you
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050912/e4c5894d/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ