On 9/13/05 8:32 AM, "Paul Robertson" <[EMAIL PROTECTED]> wrote:
> On 9/12/05, Red Leg <[EMAIL PROTECTED]> wrote:
>> Hey Thanks!
>>
>> Can I use the copy made by dd for the analysis? Specifically... 1) I want to
>> go to the site, 2) copy the drive, 3) take the copy made back to my location,
>> 4) restore the data to another drive and mount it to an existing system and
>> then 5) forensically analyze the restored copy for deleted files.
>>
>> Can I use your directions to accomplish that?
>
> What do you mean by "forensically analyze?"

Actually, I meant that I wanted to use an unerase program on the hard drive to find erased files. Sorry about the confusion. Thank you and druid!

> dd may[0] make a copy
> that's good for forensic analysis, but depending on what's on the
> drive and how you mount it, you may alter things by mounting it. If
> you're not completely sure of what you're doing[1], you'll want to
> make a copy of your copy [so restoring to another drive *is* good] if
> you don't have a hardware write-blocker. You'll also want MD5s or
> other hashes of the original and the copies to verify that you've got
> the data. If there is a DCO or HPA then it may impact the value of
> the image depending on how you intend to use it and how it's acquired.
>
> If it's for something that may go to court (including as an unfair
> dismissal case), you'll probably want to try to get someone who's done
> it before to do the analysis of the image, if not the imaging
> itself[2].

Amen! I haven't done this before. And I wouldn't be doing this if the data was going to court.

> Also, you'll want to keep chain-of-custody documentation
> for the image and if necessary, the original. I tend to like to make
> an extra copy onsite and put that back into the system, keeping the
> original for evidentiary value.

Thanks. I really appreciate the advice! It is very obvious that computer forensics is a separate discipline that requires formal training and even some apprentice time.

> If you haven't done it before, practice on a similar target system and
> verify both your process and your tools end-to-end. Linux's
> "read-only" mounting of journaled filesystems is an example of why
> validation is necessary.
>
> Paul
>
> [0] dcfldd is better at drives with errors and will automatically checksum.
> [1] Uncleanly shut down filesystems, journaling filesystems and fun
> things like that may impact your ability to mount the image read-only.
> [2] I have had folks do imaging in the past with tools I've provided,
> then had them FedEx me the image, but generally only if we think they
> won't need to testify.
> --
> www.compuwar.net

Thanks a lot! I've got some studying to do!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
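The acquire-hash-verify-mount procedure Paul sketches above, written out as an added shell example (this is not code from either poster and not a tool the thread recommends). It assumes a Linux host with coreutils (dd, sha256sum, mktemp) and util-linux (mount), root for the real device and mount steps, and uses SHA-256 in place of the MD5 the thread mentions; the source device, image path and mount point are placeholders. The demo at the bottom images a constructed 8-sector file instead of a disk so it can be run without hardware.

```shell
#!/bin/sh
# Added example, not from the thread. Acquire a drive with dd, hash the
# source and the copy, verify them, and mount the image without letting
# the kernel replay a journal. Device and path names are placeholders.
set -u

# SHA-256 of a file or raw block device (reading /dev/sdX needs root).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Copy SRC to IMG sector by sector. conv=noerror keeps going past read
# errors and conv=sync zero-pads the unreadable block so every later
# offset stays aligned (dcfldd, footnote [0], does this and hashes in the
# same pass). A real drive is a whole number of sectors, so the padding
# never changes the hash of a clean copy; a test file must be 512-aligned
# for the same reason. Prints both hashes for the custody notes.
acquire() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    printf '%s  %s\n' "$(hash_of "$src")" "$src"
    printf '%s  %s\n' "$(hash_of "$img")" "$img"
}

# Returns 0 only if the two hashes match. Run this against the original
# and every copy of the copy before you analyze anything.
verify() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# Mount options for a read-only examination. "ro" alone is not enough on
# ext3/ext4 or xfs: if the filesystem was not cleanly unmounted the kernel
# replays the journal on mount and writes to the image (footnote [1]).
# noload (ext3/ext4) and norecovery (xfs) suppress the replay.
ro_mount_opts() {
    case "$1" in
        ext3|ext4) echo "ro,noload" ;;
        xfs)       echo "ro,norecovery" ;;
        *)         echo "ro" ;;
    esac
}

# Mount IMG at MNT via a read-only loop device. Work on a second copy of
# the image, never the one whose hash you recorded as the reference.
mount_ro() {
    img=$1; mnt=$2
    fstype=$(blkid -o value -s TYPE "$img" 2>/dev/null || echo unknown)
    opts="loop,$(ro_mount_opts "$fstype"),noexec,nodev"
    echo "mount -o $opts $img $mnt"
    mount -o "$opts" "$img" "$mnt"
}

# Demo on a constructed stand-in for a drive (8 random sectors).
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/disk.bin" bs=512 count=8 2>/dev/null
    acquire "$work/disk.bin" "$work/disk.dd"
    verify "$work/disk.bin" "$work/disk.dd" && echo "image verified"
    echo "ext4 image would be mounted with: $(ro_mount_opts ext4)"
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
# Real use (as root): acquire /dev/sdb /evidence/sdb.dd
#                     verify /dev/sdb /evidence/sdb.dd
#                     cp /evidence/sdb.dd /work/sdb.dd && mount_ro /work/sdb.dd /mnt/case
```

Note what this does not cover: a DCO or HPA hides sectors from dd entirely, so the hash only attests to what the drive exposed, and a hardware write-blocker is still the right way to protect the original while it is read.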
