> Also on the point of copying files over the network > first, correct me if > I'm wrong but that damages the chain of evidence.
Now so? If one collects the necessary info (ie, MAC times, NTFS ADSs, permissions, full path, etc), hashes the file (MD5 and/or SHA-1), and then copies the file over the network using something like 'dd' or type, and netcat/cryptcat, how is the chain of evidence broken? Especially if it's documented? > Have a look at the > link below, goes about it a bit long winded but > essentially shows how to > clone a hard drive over a network connection. This > can be done with > Windows machines as DD and Netcat can be run from > floppy on a Windows machine. I'm not sure what you're getting at...first you make a reference to breaking the chain of evidence by copying a file, but then you talk about cloning an os over the network using dd and netcat. Wouldn't doing so also break your chain of evidence, if your reasoning is to hold? __________________________________________________ Do you Yahoo!? Yahoo! Shopping - Send Flowers for Valentine's Day http://shopping.yahoo.com
