DD is not copying. Copying can change file properties as in MAC details on the new system or the destination. The MAC being changed is the problem. The original email I was answering didn't discuss documenting either or getting the MD5 signature. DD will give a bit by bit copy which will give the same MD5 signatures and is handy if the machine cannot be rebooted. The disk should be cloned before anything is done on the machine as in copying files or anything. The document I referred to gave a way of doing that and is accepted by law enforcement once you have the MD5 signature.

Trevor Cushen
Sysnet Ltd
www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499

-----Original Message-----
From: H C [mailto:[EMAIL PROTECTED]]
Sent: 18 February 2003 18:02
To: Trevor Cushen
Cc: [EMAIL PROTECTED]
Subject: RE: tools used to examine a computer

> Also on the point of copying files over the network first, correct me if
> I'm wrong but that damages the chain of evidence.

How so? If one collects the necessary info (i.e., MAC times, NTFS ADSs, permissions, full path, etc), hashes the file (MD5 and/or SHA-1), and then copies the file over the network using something like 'dd' or type, and netcat/cryptcat, how is the chain of evidence broken? Especially if it's documented?

> Have a look at the link below, goes about it a bit long winded but
> essentially shows how to clone a hard drive over a network connection. This
> can be done with Windows machines as DD and Netcat can be run from
> floppy on a Windows machine.

I'm not sure what you're getting at...first you make a reference to breaking the chain of evidence by copying a file, but then you talk about cloning an OS over the network using dd and netcat. Wouldn't doing so also break your chain of evidence, if your reasoning is to hold?
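
Added example, not part of the original thread or written by either poster: a Python sketch of the point both messages turn on, documenting MAC times and MD5/SHA-1 hashes before acquisition and then verifying the copy, which shows the content hashes matching while the copy's timestamps differ. The file names and sample bytes are constructed, and the byte-stream copy stands in for a dd transfer.

```python
import hashlib, os, shutil, tempfile, time

def digests(path, chunk=1 << 20):
    """Return (md5, sha1) hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def record(path):
    """Document metadata a copy will not carry over, plus content hashes."""
    # stat first: reading the file to hash it can itself update atime
    st = os.stat(path)
    md5, sha1 = digests(path)
    return {"path": os.path.abspath(path), "size": st.st_size,
            "mode": oct(st.st_mode), "mtime": st.st_mtime,
            "atime": st.st_atime, "ctime": st.st_ctime,
            "md5": md5, "sha1": sha1}

def acquire(src, dst):
    """Record the source, copy its bytes, then check the copy against the record."""
    before = record(src)
    with open(src, "rb") as s, open(dst, "wb") as d:
        shutil.copyfileobj(s, d)          # byte-for-byte stream, as dd would do
    after = record(dst)
    same = (before["md5"], before["sha1"]) == (after["md5"], after["sha1"])
    return {"source": before, "copy": after,
            "content_verified": same,
            "mtime_preserved": before["mtime"] == after["mtime"]}

def demo():
    """Run the workflow on a constructed 4096-byte file dated 30 days back."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.bin")      # hypothetical name
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 16)          # constructed sample data
        old = time.time() - 30 * 86400
        os.utime(src, (old, old))                    # give it an older mtime
        return acquire(src, os.path.join(tmp, "evidence.copy"))

if __name__ == "__main__":
    result = demo()
    print("hashes match:", result["content_verified"])
    print("mtime preserved:", result["mtime_preserved"])
    print("documented source record:", result["source"])
```

The source record is what goes into the case notes; the copy's own timestamps belong to the acquisition, not to the evidence.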