Message-ID: <BF4C5A09.8CB0%redleg18@gmail.com>
Date: Tue Sep 13 15:38:24 2005
From: redleg18 at gmail.com (Red Leg)
Subject: Re: Forensics help?
On 9/13/05 8:32 AM, "Paul Robertson" <compuwar@...il.com> wrote:
> On 9/12/05, Red Leg <redleg18@...il.com> wrote:
>> Hey Thanks!
>>
>> Can I use the copy made by dd for the analysis? Specifically... 1) I want to
>> go to the site, 2)copy the drive, 3)take the copy made back to my location,
>> 4) restore the data to another drive and mount it to an existing system and
>> then 5) forensically analyze the restored copy for deleted files.
>>
>> Can I use your directions to accomplish that?
>
> What do you mean by "forensically analyze?"
Actually, I meant that I wanted to use an unerase program on the hard drive
to find erased files. Sorry about the confusion. Thank you and druid!
> dd may[0] make a copy
> that's good for forensic analysis, but depending on what's on the
> drive and how you mount it, you may alter things by mounting it. If
> you're not completely sure of what you're doing[1], you'll want to
> make a copy of your copy [so restoring to another drive *is* good] if
> you don't have a hardware write-blocker. You'll also want MD5s or
> other hashes of the original and the copies to verify that you've got
> the data. If there is a DCO or HPA then it may impact the value of
> the image depending on how you intend to use it and how it's acquired.
>
> if it's for something that may go to court (including as an unfair
> dismissal case,) you'll probably want to try to get someone who's done
> it before to do the analysis of the image, if not the imaging
> itself[2].
Amen! I haven't done this before. And, I wouldn't be doing this, if the data
was going to court.
> Also, you'll want to keep chain-of-custody documentation
> for the image and if necessary, the original. I tend to like to make
> an extra copy onsite and put that back into the system, keeping the
> original for evidentiary value.
Thanks. I really appreciate the advice!
It is very obvious that computer forensics is a separate discipline that
requires formal training and even some apprentice time.
>
> If you haven't done it before, practice on a similar target system and
> verify both your process and your tools end-to-end. Linux's
> "read-only" mounting of journaled filesystems is an example of why
> validation is necessary.
>
> Paul
> [0] dcfldd is better at drives with errors and will automatically checksum
> [1] Uncleanly shut down filesystems, journaling filesystems and fun
> things like that may impact your ability to mount the image read-only.
> [2] I have had folks do imaging in the past with tools I've provided,
> then had them FedEx me the image, but generally only if we think they
> won't need to testify.
> --
> www.compuwar.net
>
Thanks a lot!
I've got some studying to do!
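The acquire-hash-verify step Paul describes (dd copy, hashes of the original and of the copies, then a read-only mount before looking for deleted files), as an added shell example that is not part of this thread or anyone's tooling in it. The "drive" is a constructed 1 MiB file so the script runs without a real device or root; the function names are mine, and the script goes one step past the advice above by showing that a single altered byte in a working copy is caught when the hash is rechecked. It also carries a caveat a first-time imager would want: `conv=sync` pads a partial final block, so the block size must divide the source size (sector size is the safe choice) or the image hash will never match the original.

```shell
#!/bin/sh
# Added example (not from the thread): acquire an image with dd, hash the
# source and the image, and refuse to proceed unless the hashes match.
# The "drive" is a constructed plain file; on a real acquisition the source
# would be the block device and the hashes would go into the custody notes.
set -eu

# Pick a hash tool: sha256sum on Linux, shasum on BSD/macOS.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# acquire_image SRC IMG: copy SRC to IMG block for block.
# conv=noerror,sync keeps reading past bad blocks and pads a failed read with
# NULs so offsets stay aligned. It also pads a partial final block, so bs is
# kept at the sector size (512); a larger bs that does not divide the source
# size would make the image hash differ from the source hash.
acquire_image() {
  dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# verify_image SRC IMG: print both hashes, return 0 only if they are equal.
verify_image() {
  src_hash=$(hash_file "$1")
  img_hash=$(hash_file "$2")
  printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
  [ "$src_hash" = "$img_hash" ]
}

# make_sample_drive PATH: constructed 1 MiB "drive" (2048 sectors) holding a
# live file and, further in, the remnant of a pretend deleted file.
make_sample_drive() {
  dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
  printf 'live file contents' | dd of="$1" bs=512 seek=10 conv=notrunc 2>/dev/null
  printf 'deleted file remnant' | dd of="$1" bs=512 seek=1500 conv=notrunc 2>/dev/null
}

# Full run: acquire, verify, make a working copy, then show that one flipped
# byte in that copy is caught by re-hashing before any analysis starts.
demo() {
  work=$(mktemp -d)
  make_sample_drive "$work/drive.raw"
  acquire_image "$work/drive.raw" "$work/drive.img"
  verify_image "$work/drive.raw" "$work/drive.img"
  cp "$work/drive.img" "$work/working-copy.img"
  printf 'X' | dd of="$work/working-copy.img" bs=1 seek=7777 conv=notrunc 2>/dev/null
  if verify_image "$work/drive.raw" "$work/working-copy.img"; then
    echo "unexpected: altered copy matched the original"
    rm -rf "$work"
    return 1
  fi
  echo "altered working copy detected; do not analyse it"
  rm -rf "$work"
}

# Read-only loop mount of the verified copy for analysis (Linux, needs root,
# not run here). noload stops ext3/ext4 from replaying the journal, which a
# plain "ro" mount would still do and which is the trap footnote [1] warns of.
#   mount -o ro,loop,noload drive.img /mnt/evidence
```

Run `demo` for the whole sequence; in practice `verify_image` is repeated on every copy you intend to touch, and the original is left untouched once its hash has been recorded.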