Yes, I meant the files were deleted but the data has not been overwritten
yet.
Just trying to illustrate a point that forensic toolkits may or may not be
well-defined, but there are very few infosec groups that actually have a
well-defined process and procedure that does not taint the evidence and
also produces meaningful results. A firm doing this type of engagement
could charge lots of money for just disk duping when the customer thinks
they are paying for real hard-core forensic analysis. Not that it would
cross a firm's mind to do this, but it is quite possible if the tools or
the process are not that clearly defined. :)
Paul, you are absolutely correct about protecting chains of evidence (from
protecting the evidence itself to the actual translation of the evidence, etc.).
At 11:31 PM 9/15/00 +0200, mouss wrote:
>At 16:49 15/09/00 -0400, Paul D. Robertson wrote:
>>[snip]
>> > A software utility that would discover all files on the subject system.
>> > This includes existing normal files, deleted yet remaining files, hidden
>> > files, password-protected files, and encrypted files.
>>
>>"Deleted yet remaining files" is a concept from DOS filesystems, and
>>doesn't translate well outside of that; "remaining disk blocks from old
>>files" is more accurate for modern filesystems.
>
>I guess he was meaning "files deleted but data is still physically on the
>disk", and this is not DOS specific. "rm" doesn't wipe the file (otherwise,
>it would be horribly long in the case of large files). So it is theoretically
>possible to retrieve "deleted" data, if it hasn't been destroyed by a later
>"write".
>
>Note also that "modern filesystems" could be interpreted as a call for
>flame: the Windows NT filesystem is a modern one!
>
>>[huge snip]
>
>
>
>regards,
>mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
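The point made in the thread above (rm/unlink drops the directory entry but leaves the data blocks on disk, so "deleted" data can be carved back out until a later write reuses those blocks, and the analyst works on a hashed read-only image so the evidence is not tainted) as an added, runnable example. This is not code from the original thread or from any real forensic toolkit: the block device, its directory table, the START/END signatures and the sample note are all constructed for the demonstration, and the toy filesystem is an assumption that stands in for real on-disk formats, which differ in detail.

```python
"""Added example, not code from the original thread or from any real forensic
toolkit. A toy block device with a directory table stands in for a real
filesystem (an assumption: real on-disk formats differ in detail). It shows
that unlink/rm does not wipe data, that a signature carver can recover it
until the blocks are reused, and why analysis runs on a hashed read-only
image rather than on the live disk."""
import hashlib

BLOCK_SIZE = 64
NUM_BLOCKS = 16
# Constructed start/end signatures; real carvers use file magic (e.g. %PDF-).
START = b"-----BEGIN NOTE-----"
END = b"-----END NOTE-----"
# Constructed sample file content for the demonstration.
NOTE = (START
        + b"Subject: wire transfer\n"
        + b"Move 40000 to acct 1234 before the audit closes.\n"
        + END)


class ToyDisk:
    """Bytearray image plus a directory mapping names to block lists."""

    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory = {}
        self.free = list(range(NUM_BLOCKS))

    def write_file(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            self.image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk
            blocks.append(b)
        self.directory[name] = blocks
        return blocks

    def unlink(self, name):
        """Like rm: forget the mapping and mark the blocks free. The bytes
        stay on disk; that is what makes "deleted" data recoverable."""
        blocks = self.directory.pop(name)
        self.free = blocks + self.free  # freed blocks are reused first
        return blocks


def acquire(disk):
    """Acquisition step: one read-only copy of the raw image and its hash.
    Everything after this works on the copy, never on the live disk."""
    image = bytes(disk.image)
    return image, hashlib.sha256(image).hexdigest()


def carve(image, start=START, end=END):
    """Signature carving: ignore directory metadata and scan raw bytes for
    start/end markers. Assumes each file's blocks are contiguous; a
    fragmented file would need a smarter carver."""
    found, pos = [], 0
    while True:
        s = image.find(start, pos)
        if s < 0:
            break
        e = image.find(end, s + len(start))
        if e < 0:
            break
        found.append(image[s:e + len(end)])
        pos = e + len(end)
    return found


def demo():
    disk = ToyDisk()
    disk.write_file("notes.txt", NOTE)
    disk.unlink("notes.txt")
    listed = "notes.txt" in disk.directory

    image, digest = acquire(disk)
    carved = carve(image)
    # Re-hash the image after analysis: the evidence was not tainted.
    unchanged = hashlib.sha256(image).hexdigest() == digest

    # A small new file reuses only the first freed block: the START marker
    # is gone so carving fails, but a keyword search still finds the tail.
    disk.write_file("scratch.tmp", b"x" * 10)
    partial = bytes(disk.image)
    # A second write takes the next freed block and the last fragment is gone.
    disk.write_file("scratch2.tmp", b"y" * BLOCK_SIZE)
    full = bytes(disk.image)

    return {
        "listed_after_rm": listed,
        "carved_after_rm": carved,
        "carved_after_partial_overwrite": carve(partial),
        "keyword_after_partial_overwrite": partial.find(b"before the audit") >= 0,
        "keyword_after_full_overwrite": full.find(b"before the audit") >= 0,
        "image_hash_unchanged_by_analysis": unchanged,
        "live_disk_still_matches_image":
            hashlib.sha256(bytes(disk.image)).hexdigest() == digest,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The partial-overwrite step is the caveat a practitioner cares about: once the first block is reused the carver's signature is gone and the file cannot be reassembled, yet a plain keyword search over the image still turns up the surviving fragment, so "the carver found nothing" is not the same as "the data is gone". The final check shows the live disk no longer matching the acquired image, which is why the image is taken and hashed before any analysis starts.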