The FBI loaded some software (by booting off a floppy) prior to allowing him to copy data off of the machine. He was told by the agents that the software made the disk read-only. He was observed by the agents during the copy process. Is the FBI still operating like this?
Might be checksum monitoring software to determine whether given vectors of data representing security sensitive files are maintained. This way the FBI knows the person creating the image isn't also exploiting access to the raw disk. Yes, it is necessary, but it's usually implemented in a special imaging machine, IIRC.
However, I don't know of any instance where the software is on a boot disk. Besides, the software couldn't make the data on the disk read-only. That isn't how hard disks work. The only way image monitoring software can work is if the executive is loaded then the software is loaded. Then the image has to be created while the executive is loaded, which creates probability of the image changing during mirror.
Any SCSI or ATA can be altered during raw data access. Unless you're working with an optical WORM (et al) there is no way to make it read-only.
Besides, executives can't see all the data on a disk. So, an imager cannot work in co-operation with the executive. Check the security facilities of the ATA (I'm not sure if the T10 has implemented this?), you can create segments of an ATA that are hidden from any executive.
The ATA Technical Committee: http://www.t13.org/
The SCSI Technical Committee: http://www.t10.org/
Most government agencies should be using their specialized hardware unit that creates a raw image vector of one disk mirrored onto another. Your friend might be pulling your leg. Or, the FBI agents really *don't* know what they're doing.
Don
http://www.7f.no-ip.com/~north_
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
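The checksum comparison discussed in this thread, as an added example that is not part of the original post or of any agency's tooling: it hashes the source before imaging, the image, and the source after imaging, and reports which chunks differ. The function names, the 512-byte sector size, the 8-sector chunk size and the in-memory sample data are all assumptions made for the illustration.

```python
import hashlib
import io

SECTOR = 512          # assumed sector size in bytes
CHUNK_SECTORS = 8     # assumed number of sectors hashed together


def chunk_digests(stream, chunk_size=SECTOR * CHUNK_SECTORS):
    """Return (SHA-256 of the whole stream, list of per-chunk SHA-256 digests)."""
    whole = hashlib.sha256()
    chunks = []
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        whole.update(block)
        chunks.append(hashlib.sha256(block).hexdigest())
    return whole.hexdigest(), chunks


def changed_chunks(a, b):
    """Indices where two digest lists differ; a length mismatch counts as a change."""
    n = max(len(a), len(b))
    return [i for i in range(n) if i >= len(a) or i >= len(b) or a[i] != b[i]]


def verify_acquisition(source_before, image, source_after):
    """Compare the source before imaging, the image, and the source afterwards."""
    h_before, c_before = chunk_digests(source_before)
    h_image, c_image = chunk_digests(image)
    h_after, c_after = chunk_digests(source_after)
    return {
        "image_matches_source": h_before == h_image,
        "source_unchanged": h_before == h_after,
        "image_diff": changed_chunks(c_before, c_image),
        "source_diff": changed_chunks(c_before, c_after),
    }


def demo():
    """Run the check on constructed data: a clean copy, then a write during the copy."""
    chunk = SECTOR * CHUNK_SECTORS
    original = bytes((i * 7) % 256 for i in range(chunk * 4))  # constructed "disk"
    modified = bytearray(original)
    modified[chunk * 2 + 100] ^= 0xFF  # simulated write landing in chunk 2
    modified = bytes(modified)
    clean = verify_acquisition(io.BytesIO(original), io.BytesIO(original), io.BytesIO(original))
    dirty = verify_acquisition(io.BytesIO(original), io.BytesIO(modified), io.BytesIO(modified))
    return clean, dirty


if __name__ == "__main__":
    for label, result in zip(("clean", "dirty"), demo()):
        print(label, result)
```

The per-chunk digests are what locate the altered region; the whole-stream digest alone only says that something changed.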
