On 03/Aug/03 12:33 +1000, [EMAIL PROTECTED] wrote:
> On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
>
> > If this happens again, I would probably make a copy of the hard drive,
> > or at the very least the log files since they can be entered as
> > evidence of a hacked box.
>
> Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc
> using standard hardware is completely inadmissible in court, as it is
> impossible to make one without possibly compromising the integrity of the
> evidence. The police etc use specialised hardware for making such copies,
> which ensures that the disk can't have been altered.

Getting evidence by reading (via any software or hardware solution) may compromise the integrity of the evidence. I would like to know the difference between, for example, (s)dd and the specialised hardware that you talk about. Do you have any references?

Preserving the scene integrity is really difficult. You have to minimize the intrusion to the scene. On computer hardware it is really difficult... Using a hardware device that doesn't change the scene too much is difficult... (think of a compromised disk firmware).

And the worst, sometimes we see something that doesn't exist at all. Forensic analysis is the land of illusion...

just my .02 EUR.

adulau

--
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov
