searching a hard disk

on 09.04.2006 04:16:15 by thedarkman

I need some technical assistance resulting from (supposed) forensic
tests made on a computer. Is it possible to search a hard drive without
turning it on and finding a particular sentence or phrase written in
whatever language or program?

What would be involved in say a 400Mb hard drive?

Thanks

Re: searching a hard disk

on 09.04.2006 05:50:23 by Marcus Fox

"thedarkman" wrote in message
news:1144548975.384597.155130@z34g2000cwc.googlegroups.com...
> I need some technical assistance resulting from (supposed) forensic
> tests made on a computer. Is it possible to search a hard drive without
> turning it on and finding a particular sentence or phrase written in
> whatever language or program?
>
> What would be involved in say a 400Mb hard drive?

They clone the disk without booting up the PC, as this would change the
disk, and it would be invalid as evidence. Then they work from the cloned
disk. Yes, it is possible to search for a sentence or phrase, but they do
turn on their computer with the cloned disk in. The original just sits in
storage, so if they need to clone the disk again they can.

Marcus

Re: searching a hard disk

on 09.04.2006 07:00:43 by Peter

Marcus Fox wrote:

> They clone the disk without booting up the PC, as this would change the
> disk, and it would be invalid as evidence. Then they work from the cloned
> disk. Yes, it is possible to search for a sentence or phrase, but they do
> turn on their computer with the cloned disk in. The original just sits in
> storage, so if they need to clone the disk again they can.
>
They remove the disk from the usual computer and connect it to another
computer via some circuitry which blocks any 'writes' to the disk. The
circuitry is needed as the operating system writes 'last access' times even
though it is apparently reading files only.

There is another way. Plug the receiving disk into a USB port and boot up
from a Linux CD which supports USB. You can use the 'dd' command to clone
the HD inside the computer to the one connected via USB without risk of
disturbing the original HD (unless you are downright careless).

Remember that 'deleted' files are generally not fully deleted. A forensics
guru will very often strike it lucky and recover stuff (eg kiddie porn
photos) which was 'deleted' or an E-mail such as 'I do not care how you do
it - fire the bitch' - in that case the 'bitch' got a significant
settlement for wrongful dismissal.

Re: searching a hard disk

on 09.04.2006 09:57:27 by Sebastian Gottschalk

Peter wrote:

> They remove the disk from the usual computer and connect it to
> another computer via some circuitry which blocks any 'writes' to the
> disk.

The circuitry is simply cutting wire #28 for IDE drives, for SCSI you've
got an actual controller command.

> The circuitry is needed as the operating system writes 'last access'
> times even though it is apparently reading files only.

Unix systems trivially allow mounting filesystems as read-only. And
normally they won't clone the disk directly to another disk, but write
it into a read-only file which is then mounted.

Re: searching a hard disk

on 09.04.2006 11:16:56 by Volker Birk

thedarkman wrote:
> Is it possible to search a hard drive without
> turning it on

What do you mean with "without turning it on"?

> and finding a particular sentence or phrase written in
> whatever language or program?

Yes.

> What would be involved in say a 400Mb hard drive?

strings < $HARDDRIVE_DEVICE | grep "$SENTENCE"

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: searching a hard disk

on 09.04.2006 11:48:00 by Bozo

thedarkman wrote:
> I need some technical assistance resulting from (supposed) forensic
> tests made on a computer. Is it possible to search a hard drive without
> turning it on and finding a particular sentence or phrase written in
> whatever language or program?
>
> What would be involved in say a 400Mb hard drive?
>
> Thanks
>
Was this where the computer was taken away and tested by people that
know what they are doing - or a pop-up on a dodgy web site telling you
that it has scanned your computer?

Also you can not read a disc without applying power to it. No power and
the disc will not spin. However as said by others, you can check the
disc without turning on the original computer, simply by connecting the
disc to a 'checking' computer. So not sure what you really mean above.

Re: searching a hard disk

on 09.04.2006 12:43:04 by Colin Wilson

> Also you can not read a disc without applying power to it. No power and
> the disc will not spin.

I saw a recent article where it *was* possible to read the data off a
drive without powering it up - sure, you have to disassemble it and
throw it under a high powered scanning microscope of some sort, but it
can be done.

Re: searching a hard disk

on 09.04.2006 13:18:26 by Cynic

On 8 Apr 2006 19:16:15 -0700, "thedarkman"
wrote:

>I need some technical assistance resulting from (supposed) forensic
>tests made on a computer. Is it possible to search a hard drive without
>turning it on and finding a particular sentence or phrase written in
>whatever language or program?
>
>What would be involved in say a 400Mb hard drive?

The way the forensic is meant to be done is:

1) Remove the HDD from the PC. Connect it to an "imaging" device.
That device will copy the raw contents of the HDD to another medium.

2) Perform a sector-search on the copy of the HDD for the data in
question. Which is a trivial task for forensic software.

3) If it is to be used in evidence in a legal case, do a more detailed
analysis on the copy in order to find the context of the phrases
discovered.

The original HDD is sealed and not powered up after the copy has been
made.

--
Cynic
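
The imaging step Peter sketches with dd and Cynic lists as step 1, as an added example that is not code from the thread. It performs the sector-level copy in Python, treats an unreadable sector the way dd conv=noerror,sync does (zero-fill it, keep every later byte at its original offset, log the sector number), and records the SHA-256 of the image so the copy can be verified afterwards. The device and image paths, the 512-byte sector size and the FlakyDevice fixture are assumptions; a real acquisition opens the drive read-only behind a write blocker, as the posts above say.

```python
"""Added example (not from the thread): sector-level acquisition of a source
drive into an image file, with bad-sector handling and hash verification.
Paths, the 512-byte sector size and the FlakyDevice fixture are assumptions."""
import hashlib
import io

SECTOR = 512  # assumed logical sector size; a 4Kn drive would need 4096


class FlakyDevice:
    """Constructed stand-in for a block device whose read() raises OSError
    whenever the request touches one of the given bad sectors.  It exists only
    to exercise the error path; a real run opens e.g. /dev/sdb (assumed name)."""

    def __init__(self, data, bad_sectors=(), sector=SECTOR):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_sectors)
        self._sector = sector

    def seek(self, pos):
        self._buf.seek(pos)

    def read(self, n):
        start = self._buf.tell()
        first, last = start // self._sector, (start + n - 1) // self._sector
        if any(first <= s <= last for s in self._bad):
            raise OSError("Input/output error")
        return self._buf.read(n)


def acquire(src, dst, sector=SECTOR, chunk_sectors=2048):
    """Copy src (opened 'rb') into dst (opened 'wb') sector by sector.

    Reads in large chunks for speed; when a chunk fails it is re-read one
    sector at a time and any sector that still fails is zero-filled, so the
    image keeps the original offsets.  Returns (sha256 hex digest of the
    image, list of unreadable sector numbers) for the acquisition log.
    """
    digest = hashlib.sha256()
    bad = []
    pos = 0
    while True:
        src.seek(pos)
        try:
            data = src.read(sector * chunk_sectors)
        except OSError:
            data = _read_sector_by_sector(src, pos, sector, chunk_sectors, bad)
        if not data:                      # end of device
            break
        dst.write(data)
        digest.update(data)
        pos += len(data)
    return digest.hexdigest(), bad


def _read_sector_by_sector(src, pos, sector, count, bad):
    out = bytearray()
    for i in range(count):
        off = pos + i * sector
        src.seek(off)
        try:
            s = src.read(sector)
        except OSError:
            bad.append(off // sector)
            s = b"\x00" * sector          # conv=sync behaviour: pad, keep offsets
        if not s:                         # device ended inside this chunk
            break
        out += s
    return bytes(out)


def verify(image, expected_hex):
    """Re-read the finished image from the start and compare its SHA-256 with
    the digest computed during acquisition (the verification hash that is
    recorded next to the acquisition hash)."""
    image.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: image.read(1 << 20), b""):
        h.update(block)
    return h.hexdigest() == expected_hex


def acquire_from_bytes(data, bad_sectors=(), chunk_sectors=4):
    """Run the whole procedure over an in-memory FlakyDevice.
    Returns (image bytes, digest, bad sectors, verification result)."""
    dev = FlakyDevice(data, bad_sectors)
    dst = io.BytesIO()
    digest, bad = acquire(dev, dst, chunk_sectors=chunk_sectors)
    return dst.getvalue(), digest, bad, verify(dst, digest)


if __name__ == "__main__":
    import sys
    src_path, dst_path = sys.argv[1], sys.argv[2]     # e.g. /dev/sdb image.dd (assumed)
    with open(src_path, "rb", buffering=0) as s, open(dst_path, "wb") as d:
        digest, bad = acquire(s, d)
    with open(dst_path, "rb") as d:
        print("sha256", digest, "verified", verify(d, digest), "unreadable", bad)
```

The list of unreadable sectors is as important to keep as the hash: it tells the examiner which parts of the image are padding rather than evidence, and it explains why a hash of the original drive would not match the image.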

Re: searching a hard disk

on 09.04.2006 13:29:22 by Ian Stirling

In uk.legal Colin Wilson wrote:
>> Also you can not read a disc without applying power to it. No power and
>> the disc will not spin.
>
> I saw a recent article where it *was* possible to read the data off a
> drive without powering it up - sure, you have to disassemble it and
> throw it under a high powered scanning microscope of some sort, but it
> can be done.

Some drives report powerups/downs, and total hours on. Getting round this
will usually require help from the manufacturer.

Re: searching a hard disk

on 09.04.2006 14:25:42 by Sebastian Gottschalk

Colin Wilson wrote:
>> Also you can not read a disc without applying power to it. No power and
>> the disc will not spin.
>
> I saw a recent article where it *was* possible to read the data off a
> drive without powering it up - sure, you have to disassemble it and
> throw it under a high powered scanning microscope of some sort, but it
> can be done.

The common method is to use a laser with rotating plates.

Re: searching a hard disk

on 09.04.2006 22:11:18 by unruh

Colin Wilson writes:

>> Also you can not read a disc without applying power to it. No power and
>> the disc will not spin.

>I saw a recent article where it *was* possible to read the data off a
>drive without powering it up - sure, you have to disassemble it and
>throw it under a high powered scanning microscope of some sort, but it
>can be done.

That would be a totally idiotic thing to do for data which is in a standard
encoding on the disk. You can read maybe one byte a second with an STM,
which would leave you a while to read the whole thing, when turning it on
would allow you to search the disk in minutes. "What would it take to clean
all of the buildings in New York with a toothbrush?"

Re: searching a hard disk

on 09.04.2006 22:36:29 by Peter

Unruh wrote:

> Colin Wilson writes:
>
>>> Also you can not read a disc without applying power to it. No power and
>>> the disc will not spin.
>
>>I saw a recent article where it *was* possible to read the data off a
>>drive without powering it up - sure, you have to disassemble it and
>>throw it under a high powered scanning microscope of some sort, but it
>>can be done.
>
> That would be a totally idiotic thing to do for data which is in a
> standard encoding on the disk. You can read maybe one byte a second with
> an STM, which would leave you a while to read the whole thing, when
> turning it on would allow you to search the disk in minutes. "What would
> it take to clean all of the buildings in New York with a toothbrush?"

It all depends on how highly motivated the police or forensic examiners are. It
all depends on the nature of the investigation - a porn case would not
warrant very much effort while a homicide could warrant a very thorough
effort if the evidence is likely to be critical. It is possible but I do
not know how feasible to examine the edges of the tracks for traces of
previously written data. Careful examination may also find fragments of
old data at ends of re-used clusters, etc.

Re: searching a hard disk

on 10.04.2006 03:39:56 by Don Kelloway

"Peter" wrote in message
news:44396ff3@clear.net.nz...
> Unruh wrote:
>
>> Colin Wilson writes:
>>
>>>> Also you can not read a disc without applying power to it. No power
>>>> and
>>>> the disc will not spin.
>>
>>>I saw a recent article where it *was* possible to read the data off a
>>>drive without powering it up - sure, you have to disassemble it and
>>>throw it under a high powered scanning microscope of some sort, but it
>>>can be done.
>>
>> That would be a totally idiotic thing to do for data which is in a
>> standard encoding on the disk. You can read maybe one byte a second with
>> an STM, which would leave you a while to read the whole thing, when
>> turning it on would allow you to search the disk in minutes. "What would
>> it take to clean all of the buildings in New York with a toothbrush?"
>
> It all depends on how highly motivated the police or forensic examiners are.
> It
> all depends on the nature of the investigation - a porn case would not
> warrant very much effort while a homicide could warrant a very thorough
> effort if the evidence is likely to be critical. It is possible but I do
> not know how feasible to examine the edges of the tracks for traces of
> previously written data. Careful examination may also find fragments of
> old data at ends of re-used clusters, etc.

If it's a Law Enforcement Agency you can bet they're going to be using
EnCase and if so, all they need to do is image the hdd, then examine the
image that's been acquired. As for how they'll image the hdd, they can do
so by means of a bootdisk, parallel cable, network cable, etc. All capable
without removing the drive from the system. Of course each of these methods
has its pro's and con's, but there's no need to remove the source hdd from
the system in question.

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".

Re: searching a hard disk

on 10.04.2006 04:50:59 by unruh

Peter writes:

>Unruh wrote:

>> Colin Wilson writes:
>>
>>>> Also you can not read a disc without applying power to it. No power and
>>>> the disc will not spin.
>>
>>>I saw a recent article where it *was* possible to read the data off a
>>>drive without powering it up - sure, you have to disassemble it and
>>>throw it under a high powered scanning microscope of some sort, but it
>>>can be done.
>>
>> That would be a totally idiotic thing to do for data which is in a
>> standard encoding on the disk. You can read maybe one byte a second with
>> an STM, which would leave you a while to read the whole thing, when
>> turning it on would allow you to search the disk in minutes. "What would
>> it take to clean all of the buildings in New York with a toothbrush?"

>It all depends on how highly motivated the police or forensic examiners are. It
>all depends on the nature of the investigation - a porn case would not
>warrant very much effort while a homicide could warrant a very thorough
>effort if the evidence is likely to be critical. It is possible but I do
>not know how feasible to examine the edges of the tracks for traces of
>previously written data. Careful examination may also find fragments of
>old data at ends of re-used clusters, etc.

IF you can read the data off the disk by running the disk, you run the
disk.
Only if there has been an attempt to securely erase the disk would it be
useful to go to greater lengths. No matter what the case, you do the easy
things first.

Re: searching a hard disk

on 10.04.2006 10:29:05 by thedarkman

Thanks for all the replies, I'd better be a bit more specific. In 1993
the police seized my computer after a malicious allegation of fraud.
They held onto it for six months and when it was returned it was
busted. I sued but settled out of court for two grand.

In 1998, they seized another one after a bizarre allegation. They
claimed to have "found" some evidence on it that I'd sent a letter or
something - a deleted file - charged me with harassment then amended
the charge to "inciting a person or persons unknown to commit grievous
bodily harm with intent" obviously trying to intimidate me. When that
didn't work, they dropped the case at the court door.

I got that machine back intact after about 8 months.

Then in October 2001 they seized two machines, again claiming that I'd
sent some deranged bitch a threatening letter - another one. When they
showed me the evidence I recognised the handiwork but kept schtumm for
reasons I can't go into here, suffice it to say that it was someone
trying to cause me grief. At some point they said I could have my
machines back. Wary of the 2003 experience I said that I would not take
possession of either machine until I'd been able to test them both in
situ, ie at a police station, as I'd done in the 1998 seizure. The
arresting officer went to considerable lengths to return the machines
by artifice including bringing them to a local police station where I
refused to take possession when I was told there was no facility for
testing them. Eventually I managed to test them both at Islington
Police Station, and surprise surprise, one was not working, and that
after my being given assurances that they both were. I took the intact
machine away but left the other one there; they refused to give me any
documentation to the effect that it was not working

It is my belief that the machine I left behind was damaged wilfully. I
am also of the belief that it was totally unnecessary for them to seize
either machine. When they raided my flat they also seized every floppy
disk they could lay their hands on and dozens of CDs.

From what one person here has said they have a copy of the hard drives.
Can I make them destroy those? Also, I am not clear about this. Could
they find say the sentence:

"Dear Mr Smith" anywhere on the machine? What about encrypted files?

They gave no indication that they had found anything; if they had
indeed searched the machines they would have found related material on
which I would have expected them to question me - but which was totally
legitimate. For example, I had some scans of confidential government
documents which should have rung alarm bells but which had actually
been sent to me by the Home Office a few years ago when I was
investigating something.

I'm suing them and they are defending all the way. I want to get as
much money out of them as possible and cause them maximum
embarrassment; for one thing they know the identity of the actual
offender but have been covering it up, for reasons I won't go into.

Sorry if this is very long winded but I wanted to make myself clear.

Re: searching a hard disk

on 10.04.2006 13:53:50 by Cynic

On 10 Apr 2006 01:29:05 -0700, "thedarkman"
wrote:

>From what one person here has said they have a copy of the hard drives.
>Can I make them destroy those?

I don't know whether you could get such an Order made, but even if you
did, there is no way for you to verify that all copies have in fact
been destroyed.

> Also, I am not clear about this. Could
>they find say the sentence:
>
>"Dear Mr Smith" anywhere on the machine?

Yes, *very* easily. A sector search on *multiple* phrases takes about
15 seconds per GB on my PC. Try it yourself - just download a copy of
"WinHex".

>What about encrypted files?

What about them? The police cannot "crack" any reasonable encryption,
but might try a dictionary attack in case you have not used a
particularly good password. That's if they actually identify
encrypted data - which would depend upon (1) the program you used to
encrypt (does it create recognisable files?) and (2) whether the
police actually decide to search for encrypted data. The presence of
an encryption application could be used as evidence in a trial that
you were hiding data.

--
Cynic
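
Volker Birk's `strings | grep` one-liner earlier in the thread and the multi-phrase sector search Cynic describes here, as one added example that is not code from the thread. Compared with the one-liner it searches several phrases in a single pass over the image, reports the byte and sector offset of each hit together with the surrounding bytes, and also matches the UTF-16LE form in which Windows applications and the NTFS MFT store text, which `strings` without `-e l` never prints. Reads are chunked with an overlap so a phrase that straddles two read buffers is still found, and found once. The image path and the sample data are constructed assumptions.

```python
"""Added example (not from the thread): multi-phrase, multi-encoding raw
sector search over a disk image, reporting offsets and context."""
import io

ENCODINGS = ("utf-8", "utf-16-le")   # plain ASCII text and the Windows/NTFS wide form
SECTOR = 512                         # assumed logical sector size
CONTEXT = 32                         # bytes shown on each side of a hit


def compile_needles(phrases):
    """Every phrase in every encoding: {(phrase, encoding): needle bytes}."""
    return {(p, enc): p.encode(enc) for p in phrases for enc in ENCODINGS}


def sector_search(image, phrases, chunk=1 << 20):
    """Scan a file object opened 'rb'; return hits sorted by offset.

    Each hit is (offset, sector, phrase, encoding, context).  The last
    len(longest needle) - 1 bytes of each chunk are carried into the next
    buffer so a phrase split across a chunk boundary is still seen, and a
    match is reported only from the buffer in which it ends, so the carried
    bytes never produce a duplicate.
    """
    needles = compile_needles(phrases)
    overlap = max(len(n) for n in needles.values()) - 1
    hits = []
    image.seek(0)
    pos = 0                  # absolute offset of the next byte to read
    tail = b""
    while True:
        block = image.read(chunk)
        if not block:
            break
        buf = tail + block
        buf_start = pos - len(tail)
        for (phrase, enc), needle in needles.items():
            i = buf.find(needle)
            while i != -1:
                if i + len(needle) > len(tail):          # ends in new data
                    off = buf_start + i
                    hits.append((off, off // SECTOR, phrase, enc,
                                 _context(buf, i, len(needle), enc)))
                i = buf.find(needle, i + 1)
        pos += len(block)
        tail = buf[-overlap:] if overlap else b""
    hits.sort()
    return hits


def _context(buf, i, length, enc):
    """Decode the bytes around a hit for display; unprintable bytes become U+FFFD."""
    lo = max(i - CONTEXT, 0)
    if enc.startswith("utf-16"):
        lo += (i - lo) % 2                            # keep 2-byte alignment
    return buf[lo:i + length + CONTEXT].decode(enc, "replace")


def search_bytes(data, phrases, chunk=1 << 20):
    """Convenience wrapper for searching an in-memory image."""
    return sector_search(io.BytesIO(data), phrases, chunk)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as img:              # e.g. image.dd (assumed name)
        for off, sec, phrase, enc, ctx in sector_search(img, sys.argv[2:]):
            print("offset %d (sector %d) %-9s %r: %r" % (off, sec, enc, phrase, ctx))
```

A negative result from this kind of search only shows that the phrase is not stored as plain text in either encoding; text inside a compressed container such as a zipped document archive, or inside an encrypted file, does not appear as a byte-for-byte copy and needs the file extracted or decrypted first.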

Re: searching a hard disk

on 10.04.2006 13:59:33 by Ian Stirling

In uk.legal Don Kelloway wrote:

> If it's a Law Enforcement Agency you can bet they're going to be using
> EnCase and if so, all they need to do is image the hdd, then examine the
> image that's been acquired. As for how they'll image the hdd, they can do
> so by means of a bootdisk, parallel cable, network cable, etc. All capable
> without removing the drive from the system. Of course each of these methods
> has its pro's and con's, but there's no need to remove the source hdd from
> the system in question.

It depends.
Many systems cannot be convinced to do other than boot off their
selected media, without removing the disk.
In this case you do need to remove the disk.

Re: searching a hard disk

on 10.04.2006 14:22:41 by Cynic

On Mon, 10 Apr 2006 08:36:29 +1200, Peter
wrote:

>It all depends on how highly motivated the police or forensic examiners are. It
>all depends on the nature of the investigation - a porn case would not
>warrant very much effort while a homicide could warrant a very thorough
>effort if the evidence is likely to be critical. It is possible but I do
>not know how feasible to examine the edges of the tracks for traces of
>previously written data. Careful examination may also find fragments of
>old data at ends of re-used clusters, etc.

It would have to be a matter of national security before a physical
disk analysis was done (looking at track bleed etc.) I would very
much doubt that such evidence could be used in a criminal trial anyway
- its use would be purely investigative. It is hugely expensive and
time consuming.

As for the rest, as you say, it would depend upon the nature of the
case. If the police were, for example, wanting to find evidence of a
specific letter or email (a ransom demand perhaps), then the only
thing they would do would be a raw sector search for some unique
phrases in the letter. If that is negative, there is no point in
using any other techniques, because it proves conclusively that the
letter is not anywhere on the HDD. If searching for pornography, then
maybe a raw sector search for JPG headers in conjunction with a
standard file system search for "live" media files. Such searches can
be done by relatively unskilled people, and they are fast and cheap.

If the sector search is positive, then the suspect may be confronted
with the evidence and perhaps will confess. If no confession, then
the next stage is the expensive and time-consuming task of using a
forensic expert to analyse the context of the discovered material in
order to produce probative evidence for Court.

--
Cynic
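
The "raw sector search for JPG headers" Cynic mentions, as an added example that is not code from the thread. Instead of pairing every FF D8 with the next FF D9, it walks the marker segments from each candidate start-of-image, so a header-like byte run in random data is rejected and an EXIF thumbnail embedded in the APP1 segment does not end the picture early. The image path is an assumption and the skeleton JPEG builder is a constructed test fixture, not a decodable picture.

```python
"""Added example (not from the thread): structure-aware JPEG carving over a
raw disk image.  Works on any bytes-like object, so a real image is mmap'ed
rather than read into memory."""
import mmap
import os
import struct

SOI = b"\xff\xd8\xff"          # start-of-image immediately followed by a marker
EOI = b"\xff\xd9"


def jpeg_length(buf, start):
    """Length of the JPEG whose SOI is at `start`, or None if it is not one.

    Every marker segment carries a big-endian length, so APPn blocks (EXIF,
    including its thumbnail) are skipped whole until the first SOS.  Inside
    entropy-coded data 0xFF is always stuffed with 0x00 or followed by an RSTn
    marker, so the first FF D9 after SOS is the real end of the picture.
    """
    n = len(buf)
    p = start + 2                                  # past FF D8
    while p + 4 <= n:
        if buf[p] != 0xFF:
            return None                            # not a marker: corrupt
        marker = buf[p + 1]
        if marker == 0xFF:                         # fill byte before a marker
            p += 1
            continue
        if marker == 0xD9:                         # EOI before any scan data
            return None
        if marker == 0xDA:                         # SOS: scan data follows
            seg_len = struct.unpack(">H", buf[p + 2:p + 4])[0]
            q = buf.find(EOI, p + 2 + seg_len)
            return None if q == -1 else q + 2 - start
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:
            p += 2                                 # standalone marker, no length
            continue
        if marker < 0xC0:
            return None                            # reserved marker: corrupt
        seg_len = struct.unpack(">H", buf[p + 2:p + 4])[0]
        if seg_len < 2:
            return None
        p += 2 + seg_len
    return None


def carve_jpegs(buf):
    """Return [(offset, length), ...] for every structurally valid JPEG in buf."""
    found = []
    pos = 0
    while True:
        pos = buf.find(SOI, pos)
        if pos == -1:
            return found
        length = jpeg_length(buf, pos)
        if length is None:
            pos += 1                               # false header, keep scanning
        else:
            found.append((pos, length))
            pos += length                          # thumbnails inside are not carved separately


def carve_image_file(image_path, out_dir):
    """mmap a raw image (assumed path) and write each carved picture to out_dir,
    named after the sector it starts in so it can be tied back to the image."""
    written = []
    with open(image_path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for off, length in carve_jpegs(mm):
            name = os.path.join(out_dir, "sector%d.jpg" % (off // 512))
            with open(name, "wb") as out:
                out.write(mm[off:off + length])
            written.append(name)
    return written


def build_test_jpeg(scan):
    """Constructed fixture: SOI, APP0, SOF0, SOS, the given scan bytes, EOI.
    Structurally valid for the carver, not a decodable picture."""
    def seg(marker, body):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\x08\x00\x08\x00\x08\x01\x01\x11\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + seg(0xE0, app0) + seg(0xC0, sof0) + seg(0xDA, sos) + scan + EOI
```

Carving finds pictures whether or not a file system entry still points at them, which is why Cynic pairs it with a normal file-system search for "live" media: the two answer different questions.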

Re: searching a hard disk

on 10.04.2006 14:58:06 by Don Kelloway

"thedarkman" wrote in message
news:1144657745.907117.156220@t31g2000cwb.googlegroups.com...
> Thanks for all the replies, I'd better be a bit more specific. In 1993
> the police seized my computer after a malicious allegation of fraud.
> They held onto it for six months and when it was returned it was
> busted. I sued but settled out of court for two grand.
>
> In 1998, they seized another one after a bizarre allegation. They
> claimed to have "found" some evidence on it that I'd sent a letter or
> something - a deleted file - charged me with harassment then amended
> the charge to "inciting a person or persons unknown to commit grievous
> bodily harm with intent" obviously trying to intimidate me. When that
> didn't work, they dropped the case at the court door.
>
> I got that machine back intact after about 8 months.
>
> Then in October 2001 they seized two machines, again claiming that I'd
> sent some deranged bitch a threatening letter - another one. When they
> showed me the evidence I recognised the handiwork but kept schtumm for
> reasons I can't go into here, suffice it to say that it was someone
> trying to cause me grief. At some point they said I could have my
> machines back. Wary of the 2003 experience I said that I would not take
> possession of either machine until I'd been able to test them both in
> situ, ie at a police station, as I'd done in the 1998 seizure. The
> arresting officer went to considerable lengths to return the machines
> by artifice including bringing them to a local police station where I
> refused to take possession when I was told there was no facility for
> testing them. Eventually I managed to test them both at Islington
> Police Station, and surprise surprise, one was not working, and that
> after my being given assurances that they both were. I took the intact
> machine away but left the other one there; they refused to give me any
> documentation to the effect that it was not working
>
> It is my belief that the machine I left behind was damaged wilfully. I
> am also of the belief that it was totally unnecessary for them to seize
> either machine. When they raided my flat they also seized every floppy
> disk they could lay their hands on and dozens of CDs.
>
> From what one person here has said they have a copy of the hard drives.
> Can I make them destroy those? Also, I am not clear about this. Could
> they find say the sentence:
>
> "Dear Mr Smith" anywhere on the machine? What about encrypted files?
>
> They gave no indication that they had found anything; if they had
> indeed searched the machines they would have found related material on
> which I would have expected them to question me - but which was totally
> legitimate. For example, I had some scans of confidential government
> documents which should have rung alarm bells but which had actually
> been sent to me by the Home Office a few years ago when I was
> investigating something.
>
> I'm suing them and they are defending all the way. I want to get as
> much money out of them as possible and cause them maximum
> embarrassment; for one thing they know the identity of the actual
> offender but have been covering it up, for reasons I won't go into.
>
> Sorry if this is very long winded but I wanted to make myself clear.
>


Unfortunately I am not familiar with the laws in the U.K. other than you're
considered 'guilty until proven innocent'. ;

As for making the police destroy or return the imaged hdd's (assuming they
had made images) I suspect you cannot make them do that.

As for searching an acquired image for the words/phrase 'Dear Mr Smith' -
Yes. This is very easily accomplished, including the contents of most
encrypted files. However be aware that most files (documents, etc.) are
written in the clear before being made encrypted. And what is written in
the clear is often stored in various tmp files, etc. that can later be
recovered.

In closing you should learn what their method and software has been in
performing their forensic analysis.

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".

Re: searching a hard disk

on 10.04.2006 15:05:13 by Don Kelloway

"Ian Stirling" wrote in message
news:443a48a5$0$33895$ed2619ec@ptn-nntp-reader03.plus.net...
> In uk.legal Don Kelloway wrote:
>
>> If it's a Law Enforcement Agency you can bet they're going to be using
>> EnCase and if so, all they need to do is image the hdd, then examine the
>> image that's been acquired. As for how they'll image the hdd, they can
>> do
>> so by means of a bootdisk, parallel cable, network cable, etc. All
>> capable
>> without removing the drive from the system. Of course each of these
>> methods
>> has its pro's and con's, but there's no need to remove the source hdd
>> from
>> the system in question.
>
> It depends.
> Many systems cannot be convinced to do other than boot off their
> selected media, without removing the disk.
> In this case you do need to remove the disk.


If the source hdd is already live, a parallel or network cable can be used
to perform a live preview or acquire an image without sacrificing the
evidence.

If the source hdd is powered down and if there's no FDD or CDROM in the
system, then yes. You are correct. One would have to physically disconnect
the hdd cable and connect it to forensic system to perform the acquisition.
Of course if there is a FDD or CDROM and if the BIOS can be accessed,
booting off the FDD or CDROM (assuming it supports El Torito) is preferred
when you can't physically access the source hdd.

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".

Re: searching a hard disk

on 10.04.2006 16:03:01 by Cynic

On Mon, 10 Apr 2006 13:05:13 GMT, "Don Kelloway"
wrote:

>If the source hdd is powered down and if there's no FDD or CDROM in the
>system, then yes. You are correct. One would have to physically disconnect
>the hdd cable and connect it to forensic system to perform the acquisition.
>Of course if there is a FDD or CDROM and if the BIOS can be accessed,
>booting off the FDD or CDROM (assuming it supports El Torito) is preferred
>when you can't physically access the source hdd.

Foolish to do so if the evidence is to be used in a criminal case.
The investigator has no way of knowing whether the FDD or CD drive is
working. The system might be powered up, only to find that it cannot
"see" the removable boot media and so it boots from its HDD. Which
would significantly affect the admissibility of any evidence obtained
because the boot process usually alters the contents of the HDD.

--
Cynic

Re: searching a hard disk

on 10.04.2006 16:33:00 by Ian Stirling

In uk.legal Don Kelloway wrote:
> "Ian Stirling" wrote in message

>> It depends.
>> Many systems cannot be convinced to do other than boot off their
>> selected media, without removing the disk.
>> In this case you do need to remove the disk.
>
>
> If the source hdd is already live, a parallel or network cable can be used
> to perform a live preview or acquire an image without sacrificing the
> evidence.

'live' ?
If you mean the system is powered on, then no way.
At the least, you're loading extra software onto the disk, at most,
screwing with file access dates, or allowing already resident intrusion
detection software to wipe the disk.

> If the source hdd is powered down and if there's no FDD or CDROM in the
> system, then yes. You are correct. One would have to physically disconnect
> the hdd cable and connect it to forensic system to perform the acquisition.
> Of course if there is a FDD or CDROM and if the BIOS can be accessed,
> booting off the FDD or CDROM (assuming it supports El Torito) is preferred
> when you can't physically access the source hdd.

In nearly all cases, you'd want to pull it first.
Do you know the password?
Do you know it's using a standard BIOS for motherboard foo?
I wonder how crackable HD passwords are too.

Re: searching a hard disk

on 10.04.2006 21:58:13 by Don Kelloway

"Cynic" wrote in message
news:muok32t0knlcj4col78lhdoq3qkk5qhf49@4ax.com...
> On Mon, 10 Apr 2006 13:05:13 GMT, "Don Kelloway"
> wrote:
>
>>If the source hdd is powered down and if there's no FDD or CDROM in the
>>system, then yes. You are correct. One would have to physically
>>disconnect
>>the hdd cable and connect it to forensic system to perform the
>>acquisition.
>>Of course if there is a FDD or CDROM and if the BIOS can be accessed,
>>booting off the FDD or CDROM (assuming it supports El Torito) is preferred
>>when you can't physically access the source hdd.
>
> Foolish to do so if the evidence is to be used in a criminal case.
> The investigator has no way of knowing whether the FDD or CD drive is
> working. The system might be powered up, only to find that it cannot
> "see" the removable boot media and so it boots from its HDD. Which
> would significantly affect the admissibility of any evidence obtained
> because the boot process usually alters the contents of the HDD.
>
> --
> Cynic
>

While true one of the preferred methods would be to connect the source hdd
to a storage computer and acquire the source hdd through the use of a
bootdisk (another would be to acquire the source hdd via FastBlock device).
An alternative approach is that you can acquire the source hdd by attaching
a target hdd to the source computer and perform the acquisition.

In summary, disconnect the source hdd(s), boot to BIOS, verify the boot
sequence (if necessary change it), boot to confirm functionality. Once
confirmed, power down, connect source hdd, connect target hdd, boot up, and
acquire the source hdd to the target hdd. And yes, this approach can be
accomplished without jeopardizing the evidence and may sometimes be
necessary when you can't remove the source hdd from the system.

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".

Re: searching a hard disk

on 10.04.2006 22:41:07 by Cynic

On Mon, 10 Apr 2006 19:58:13 GMT, "Don Kelloway"
wrote:

>While true one of the preferred methods would be to connect the source hdd
>to a storage computer and acquire the source hdd through the use of a
>bootdisk (another would be to acquire the source hdd via FastBlock device).
>An alternative approach is that you can acquire the source hdd by attaching
>a target hdd to the source computer and perform the acquisition.

It is *far* better not to power the evidential hardware at all. Who
knows what a clever criminal may have done? It is not that difficult
for a competent assembler programmer to modify the BIOS so that it
will detect that a bulk HDD copy is taking place and branch off to
execute a routine that wipes all the data instead of copying it. Or a
BIOS that will wipe the HDD if it does not receive an unprompted key
sequence or detect a USB hardware key at BIOS boot time.

>In summary, disconnect the source hdd(s), boot to BIOS, verify the boot
>sequence (if necessary change it), boot to confirm functionality. Once
>confirmed, power down, connect source hdd, connect target hdd, boot up, and
>acquire the source hdd to the target hdd. And yes, this approach can be
>accomplished without jeopardizing the evidence and may sometimes be
>necessary when you can't remove the source hdd from the system.

If you can get to the HDD to disconnect it, it is unlikely that you
could not connect an IDE or SCSI cable to it and extract the data from
a forensic machine. This has the advantage that the forensic device
is cabled so that writes to the evidential HDD are not possible,
making it impossible to argue that some anomaly in the acquisition
software caused data to be written to the drive whilst it was being
imaged.

It also preserves the CMOS memory in the evidential machine, which
could be important.

Plus, it entails a direct sector copy from the evidential drive to a
clean forensic drive via IDE or SCSI - which is likely to be faster
than going through intermediate interfaces.

--
Cynic

Re: searching a hard disk

on 11.04.2006 00:15:32 by Don Kelloway

"Cynic" wrote in message
news:sffl3292p3kq5lhdls7slvrdhi19enc8ci@4ax.com...
> On Mon, 10 Apr 2006 19:58:13 GMT, "Don Kelloway"
> wrote:
>
>>While true one of the preferred methods would be to connect the source hdd
>>to a storage computer and acquire the source hdd through the use of a
>>bootdisk (another would be to acquire the source hdd via FastBlock
>>device).
>>An alternative approach is that you can acquire the source hdd by
>>attaching
>>a target hdd to the source computer and perform the acquisition.
>
> It is *far* better not to power the evidential hardware at all. Who
> knows what a clever criminal may have done? It is not that difficult
> for a competent assembler programmer to modify the BIOS so that it
> will detect that a bulk HDD copy is taking place and branch off to
> execute a routine that wipes all the data instead of copying it. Or a
> BIOS that will wipe the HDD if it does not receive an unprompted key
> sequence or detect a USB hardware key at BIOS boot time.
>
>>In summary, disconnect the source hdd(s), boot to BIOS, verify the boot
>>sequence (if necessary change it), boot to confirm functionality. Once
>>confirmed, power down, connect source hdd, connect target hdd, boot up,
>>and
>>acquire the source hdd to the target hdd. And yes, this approach can be
>>accomplished without jeopardizing the evidence and may sometimes be
>>necessary when you can't remove the source hdd from the system.
>
> If you can get to the HDD to disconnect it, it is unlikely that you
> could not connect an IDE or SCSI cable to it and extract the data from
> a forensic machine. This has the advantage that the forensic device
> is cabled so that writes to the evidential HDD are not possible,
> making it impossible to argue that some anomaly in the acquisition
> software caused data to be written to the drive whilst it was being
> imaged.
>
> It also preserves the CMOS memory in the evidential machine, which
> could be important.
>
> Plus, it entails a direct sector copy from the evidential drive to a
> clean forensic drive via IDE or SCSI - which is likely to be faster
> than going through intermediate interfaces.
>
> --
> Cynic
>

I stated the preferred method is to remove the source hdd and attach it to a
forensic system. I believe I also stated that there are times when the
drive cannot be powered down or removed. It is in those instances an
alternative method of acquiring the source hdd or previewing the data on the
source hdd must be possible. For the latter there are several methods
available, depending upon the circumstances presented.

Out of curiosity do you have any experience with performing forensics? Have
you used EnCase, FTK, or XWays Forensics?

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".

Re: searching a hard disk

am 11.04.2006 10:38:07 von Cynic

On Mon, 10 Apr 2006 22:15:32 GMT, "Don Kelloway"
wrote:

>I stated the preferred method is to remove the source hdd and attach it to a
>forensic system. I believe I also stated that there are times when the
>drive cannot be powered down or removed. It is in those instances an
>alternative method of acquiring the source hdd or previewing the data on the
>source hdd must be possible. For the latter there are several methods
>available, depending upon the circumstances presented.
>
>Out of curiosity do you have any experience with performing forensics? Have
>you used EnCase, FTK, or XWays Forensics?

No, I am a computer professional with an interest in the subject, and
also conversant with low level aspects of file systems and HDD storage.
I have looked at EnCase but not used it in anger.

--
Cynic

Re: searching a hard disk

am 11.04.2006 14:01:48 von Don Kelloway

"Cynic" wrote in message
news:biqm3299e4loro9q8sjs4odtmi8fbn92f1@4ax.com...
> On Mon, 10 Apr 2006 22:15:32 GMT, "Don Kelloway"
> wrote:
>
>>I stated the preferred method is to remove the source hdd and attach it to
>>a
>>forensic system. I believe I also stated that there are times when the
>>drive cannot be powered down or removed. It is in those instances an
>>alternative method of acquiring the source hdd or previewing the data on
>>the
>>source hdd must be possible. For the latter there are several methods
>>available, depending upon the circumstances presented.
>>
>>Out of curiosity do you have any experience with performing forensics?
>>Have
>>you used EnCase, FTK, or XWays Forensics?
>
> No, I am a computer professional with an interest in the subject, and
> also conversant with low level aspects of file systems and HDD storage.
> I have looked at EnCase but not used it in anger.
>
> --
> Cynic
>

My company is the licensed owner of the three products mentioned and I've
personally had forensic training with using EnCase v4/v5. If you ever need
to have a task performed feel free to contact me. Though I am familiar with
all aspects of investigation I like to specialize in the data recovery of
iPods because music files can be expensive to lose.

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".

Re: searching a hard disk

am 11.04.2006 14:17:48 von Cynic

On Tue, 11 Apr 2006 12:01:48 GMT, "Don Kelloway"
wrote:

>My company is the licensed owner of the three products mentioned and I've
>personally had forensic training with using EnCase v4/v5. If you ever need
>to have a task performed feel free to contact me. Though I am familiar with
>all aspects of investigation I like to specialize in the data recovery of
>iPods because music files can be expensive to lose.

Are you being serious? I should think music files would be trivial to
replace in almost all cases.

--
Cynic

Re: searching a hard disk

am 11.04.2006 14:22:16 von Courtney

"Cynic" wrote in message
news:pg7n325ch3iuf1kd2lt0ie9cv0rlhgjn7q@4ax.com...
> On Tue, 11 Apr 2006 12:01:48 GMT, "Don Kelloway"
> wrote:
>
>>My company is the licensed owner of the three products mentioned and I've
>>personally had forensic training with using EnCase v4/v5. If you ever
>>need
>>to have a task performed feel free to contact me. Though I am familiar
>>with
>>all aspects of investigation I like to specialize in the data recovery of
>>iPods because music files can be expensive to lose.
>
> Are you being serious? I should think music files would be trivial to
> replace in almost all cases.

Not in my experience with iTunes...

Re: searching a hard disk

am 11.04.2006 14:24:40 von axel

In uk.legal Cynic wrote:
>>What about encrypted files?

> What about them? The police cannot "crack" any reasonable encryption,
> but might try a dictionary attack in case you have not used a
> particularly good password. That's if they actually identify
> encrypted data - which would depend upon (1) the program you used to
> encrypt (does it create recognisable files?) and (2) whether the
> police actually decide to search for encrypted data. The presence of
> an encryption application could be used as evidence in a trial that
> you were hiding data.

Hmmm... that would make everyone running MACOSX 10.4 suspicious as
an encryption option for a user's entire home directory is available
as a standard part of the OS as is a secure 'empty trash' (i.e. delete).

Axel

Re: searching a hard disk

am 11.04.2006 14:32:24 von Cynic

On Tue, 11 Apr 2006 12:24:40 GMT, axel@white-eagle.invalid.uk wrote:

>Hmmm... that would make everyone running MACOSX 10.4 suspicious as
>an encryption option for a user's entire home directory is available
>as a standard part of the OS as is a secure 'empty trash' (i.e. delete).

It would only make it suspicious if the defendant was doing something
that was considered to be unusual. If encryption software is bundled
with the OS, it would not be suspicious if it were found on the PC.
Just as sending a letter in an envelope instead of on a postcard is
not seen as an indication that the sender was trying to hide the
communication.

Still, without any *other* evidence that there is anything illegal on
the PC, people can be as suspicious as they like AFAIAC.

I would not trust encryption that comes with an OS unless it was open
source. Far too likely to have a deliberate back-door built in IMO.

--
Cynic

Re: searching a hard disk

am 11.04.2006 14:33:37 von Cynic

On Tue, 11 Apr 2006 13:22:16 +0100, "Richard Parkin" wrote:

>>>My company is the licensed owner of the three products mentioned and I've
>>>personally had forensic training with using EnCase v4/v5. If you ever
>>>need
>>>to have a task performed feel free to contact me. Though I am familiar
>>>with
>>>all aspects of investigation I like to specialize in the data recovery of
>>>iPods because music files can be expensive to lose.

>> Are you being serious? I should think music files would be trivial to
>> replace in almost all cases.

>Not in my experience with iTunes...

Surely you simply download a new copy from LimeWire?

--
Cynic

Re: searching a hard disk

am 11.04.2006 14:40:52 von Courtney

"Cynic" wrote in message
news:gf8n32tuobifk53dr7d0gho1j9rbtlihuo@4ax.com...
> On Tue, 11 Apr 2006 13:22:16 +0100, "Richard Parkin" wrote:
>
>>>>My company is the licensed owner of the three products mentioned and
>>>>I've
>>>>personally had forensic training with using EnCase v4/v5. If you ever
>>>>need
>>>>to have a task performed feel free to contact me. Though I am familiar
>>>>with
>>>>all aspects of investigation I like to specialize in the data recovery
>>>>of
>>>>iPods because music files can be expensive to lose.
>
>>> Are you being serious? I should think music files would be trivial to
>>> replace in almost all cases.
>
>>Not in my experience with iTunes...
>
> Surely you simply download a new copy from LimeWire?

If I did that sort of thing I wouldn't be legally purchasing songs from
iTunes in the first place.

Also, many of the tracks on LimeWire seem to be quite bad quality. I am
told...

Re: searching a hard disk

am 11.04.2006 14:57:56 von Don Kelloway

"Cynic" wrote in message
news:pg7n325ch3iuf1kd2lt0ie9cv0rlhgjn7q@4ax.com...
> On Tue, 11 Apr 2006 12:01:48 GMT, "Don Kelloway"
> wrote:
>
>>My company is the licensed owner of the three products mentioned and I've
>>personally had forensic training with using EnCase v4/v5. If you ever
>>need
>>to have a task performed feel free to contact me. Though I am familiar
>>with
>>all aspects of investigation I like to specialize in the data recovery of
>>iPods because music files can be expensive to lose.
>
> Are you being serious? I should think music files would be trivial to
> replace in almost all cases.
>
> --
> Cynic
>


As another poster in the thread has offered, in some instances they are
not easily replaceable. Such is true with iTunes.

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".

Re: searching a hard disk

am 11.04.2006 17:31:55 von Cynic

On Tue, 11 Apr 2006 13:40:52 +0100, "Richard Parkin" wrote:

>>>Not in my experience with iTunes...

>> Surely you simply download a new copy from LimeWire?

>If I did that sort of thing I wouldn't be legally purchasing songs from
>iTunes in the first place.

If you legally purchased it in the first place, your conscience will
be clear, and there's next to no chance of anyone pursuing you for
such an infrequent bit of downloading.

>Also, many of the tracks on LimeWire seem to be quite bad quality. I am
>told...

Most are MP3 rips from CDs, so the file size will usually tell you all
you need to know about the quality.

I have never had an iPod or used iTunes - is there no method of
backing the stuff up to a PC? I have been told that HDD failures are
pretty common in such portable devices.

--
Cynic

Re: searching a hard disk

am 12.04.2006 14:03:24 von The Electric Fan Club

wrote in message
news:ceN_f.51421$wl.687@text.news.blueyonder.co.uk...
> In uk.legal Cynic wrote:
>>>What about encrypted files?
>
>> What about them? The police cannot "crack" any reasonable encryption,
>> but might try a dictionary attack in case you have not used a
>> particularly good password. That's if they actually identify
>> encrypted data - which would depend upon (1) the program you used to
>> encrypt (does it create recognisable files?) and (2) whether the
>> police actually decide to search for encrypted data. The presence of
>> an encryption application could be used as evidence in a trial that
>> you were hiding data.
>
> Hmmm... that would make everyone running MACOSX 10.4 suspicious as
> an encryption option for a user's entire home directory is available
> as a standard part of the OS as is a secure 'empty trash' (i.e. delete).
>

Also in Windoze XP Professional and IIRC Windoze 2k.

There is an encrypted partition on my laptop precisely beause I do have
plenty to hide - from anyone who steals it.

Re: searching a hard disk

am 12.04.2006 14:04:33 von The Electric Fan Club

"Cynic" wrote in message
news:p28n32ljqo318ea6kq7vo238ag0lp4mv6b@4ax.com...
> On Tue, 11 Apr 2006 12:24:40 GMT, axel@white-eagle.invalid.uk wrote:
>
>>Hmmm... that would make everyone running MACOSX 10.4 suspicious as
>>an encryption option for a user's entire home directory is available
>>as a standard part of the OS as is a secure 'empty trash' (i.e. delete).
>
> It would only make it suspicious if the defendant was doing something
> that was considered to be unusual. If encryption software is bundled
> with the OS, it would not be suspicious if it were found on the PC.
> Just as sending a letter in an envelope instead of on a postcard is
> not seen as an indication that the sender was trying to hide the
> communication.
>
> Still, without any *other* evidence that there is anything illegal on
> the PC, people can be as suspicious as they like AFAIAC.
>
> I would not trust encryption that comes with an OS unless it was open
> source. Far too likely to have a deliberate back-door built in IMO.
>

Don't be silly. Microsoft would never do anything like that.

Re: searching a hard disk

am 14.04.2006 11:43:42 von axel

In uk.legal Cynic wrote:
> On Tue, 11 Apr 2006 13:40:52 +0100, "Richard Parkin" wrote:

>>>>Not in my experience with iTunes...

>>> Surely you simply download a new copy from LimeWire?

>>If I did that sort of thing I wouldn't be legally purchasing songs from
>>iTunes in the first place.

> If you legally purchased it in the first place, your conscience will
> be clear, and there's next to no chance of anyone pursuing you for
> such an infrequent bit of downloading.

>>Also, many of the tracks on LimeWire seem to be quite bad quality. I am
>>told...

> Most are MP3 rips from CDs, so the file size will usually tell you all
> you need to know about the quality.

> I have never had an iPod or used iTunes - is there no method of
> backing the stuff up to a PC? I have been told that HDD failures are
> pretty common in such portable devices.

I don't have an iPod but I have experience with copying music onto
one. Essentially there is a copy of everything on the computer and
the iPod and they are kept in sync. Rather like a Palm. It is also
possible to manually copy across music from a different computer
than the one that is normally used.

I have not used iTunes... but ripping a CD places the music onto
the computer's hard drive after which it can be copied to the iPod.

I recently acquired an input device which allows me to make very
easy copies of cassettes... just as well since most of them are
fairly old and probably just about to die if they are played too
often... mainly language tapes so not easily replaced.

And of course it is perfectly easy to back up data from the computer's
hard drive... especially when these days storage is so cheap compared to
what it was a few years ago... I am still bemused that I have a 1 GB
memory card in my Palm that cost less than 50 quid. Not to mention
the 60 GB external hard drive that I got from Maplin for less than 100 quid.
Although now they are offering a 320 GB drive for about 130 quid... now
that interests my geek side although it would be totally useless for me
as my sum total of working files and photos is about 5 GB and that includes
a couple of O'Reilly 'bookshelves'.

Axel

Re: searching a hard disk

am 17.04.2006 14:37:50 von Nicols

some popular hard disk cloning utilities are Norton Ghost and Acronis
True Image....not to mention others....

Re: searching a hard disk

am 17.04.2006 15:14:02 von Mr X

In article <1145277470.852536.37780@i40g2000cwc.googlegroups.com>,
Nicols writes

>some popular hard disk cloning utilities are Norton Ghost and Acronis
>True Image....not to mention others....

Does Norton Ghost create a "full" image of every track and sector of a
disc whether they are used or not?
--
Mr X

Re: searching a hard disk

am 17.04.2006 18:15:46 von Colin Wilson

> Acronis True Image will also resize the image for a different hard drive
> Very useful

Also potentially very dangerous - I tried to use it to move an install
from one drive to another, thinking I'd just resize the partition to
correct things later (it's NTFS, you can resize NTFS...) rather than let
it do it at the time.

It installed the partition image just great, but it also buggered
something to do with the media descriptors, and now nothing can recover
the "missing" 5Gb difference between the drive it was on and the
partition of the drive I installed it to.

Re: searching a hard disk

am 17.04.2006 19:20:02 von Mr X

In article <25KdnYx4EZ24Jt7ZRVny0A@bt.com>, Smolley
writes

>
>"Mr X" wrote in message
>news:UD8JVDA3O5QEFw5I@privacy.net...
>> In article <1145277470.852536.37780@i40g2000cwc.googlegroups.com>,
>> Nicols writes
>>
>>>some popular hard disk cloning utilities are Norton Ghost and Acronis
>>>True Image....not to mention others....
>>
>> Does Norton Ghost create a "full" image of every track and sector of a
>> disc whether they are used or not?
>> --
>> Mr X
>
>Acronis True Image will also resize the image for a different hard drive, so
>in effect you can keep all your favourite programmes in one image and port
>it around to other computers.

That wasn't the question I asked
--
Mr X

Re: searching a hard disk

am 17.04.2006 19:57:54 von Smolley

"Mr X" wrote in message
news:UD8JVDA3O5QEFw5I@privacy.net...
> In article <1145277470.852536.37780@i40g2000cwc.googlegroups.com>,
> Nicols writes
>
>>some popular hard disk cloning utilities are Norton Ghost and Acronis
>>True Image....not to mention others....
>
> Does Norton Ghost create a "full" image of every track and sector of a
> disc whether they are used or not?
> --
> Mr X

Acronis True Image will also resize the image for a different hard drive, so
in effect you can keep all your favourite programmes in one image and port
it around to other computers.

Very useful


Smolley

Re: searching a hard disk

am 17.04.2006 22:14:11 von marc30356

In article Mr-X@privacy.net wrote...

> Does Norton Ghost create a "full" image of every track and sector of a
> disc whether they are used or not?

Not AFAIK - it copies the 'live' file system only.

marc

Re: searching a hard disk

am 17.04.2006 22:36:06 von Don Kelloway

"Mr X" wrote in message
news:UD8JVDA3O5QEFw5I@privacy.net...
> In article <1145277470.852536.37780@i40g2000cwc.googlegroups.com>,
> Nicols writes
>
>>some popular hard disk cloning utilities are Norton Ghost and Acronis
>>True Image....not to mention others....
>
> Does Norton Ghost create a "full" image of every track and sector of a
> disc whether they are used or not?
> --
> Mr X


Re: Norton Ghost

No. I don't believe it creates a bit stream image.

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".

Re: searching a hard disk

am 18.04.2006 08:36:01 von Mr X

In article , Don
Kelloway writes

>"Mr X" wrote in message
>news:UD8JVDA3O5QEFw5I@privacy.net...
>> In article <1145277470.852536.37780@i40g2000cwc.googlegroups.com>,
>> Nicols writes
>>
>>>some popular hard disk cloning utilities are Norton Ghost and Acronis
>>>True Image....not to mention others....
>>
>> Does Norton Ghost create a "full" image of every track and sector of a
>> disc whether they are used or not?
>> --
>> Mr X
>
>
>Re: Norton Ghost
>
>No. I don't believe it creates a bit stream image.

Thanks for that. I have Norton Ghost and I didn't think it did that.

So Norton Ghost is of no use for forensic purposes....
--
Mr X

Re: searching a hard disk

am 18.04.2006 11:36:34 von Cynic

On 18 Apr 2006 01:36:01 -0500, Mr X wrote:

>>Re: Norton Ghost
>>
>>No. I don't believe it creates a bit stream image.
>
>Thanks for that. I have Norton Ghost and I didn't think it did that.
>
>So Norton Ghost is of no use for forensic purposes....

I believe that all the normal disk imaging programs image only the
sectors marked as in use by the file system. This saves space for the
image file, but as you say, is useless for forensic purposes.

It is necessary to use an imaging program specifically designed for
forensic purposes - one that makes an exact sector image of the HDD.
It is a pretty trivial program to write, and would easily fit onto a
bootable floppy.

--
Cynic

Re: searching a hard disk

am 18.04.2006 13:56:04 von Mr X

In article <6ac94213eeqk18804dp448ueouji9qvkuj@4ax.com>, Cynic
writes

>On 18 Apr 2006 01:36:01 -0500, Mr X wrote:
>
>>>Re: Norton Ghost
>>>
>>>No. I don't believe it creates a bit stream image.
>>
>>Thanks for that. I have Norton Ghost and I didn't think it did that.
>>
>>So Norton Ghost is of no use for forensic purposes....
>
>I believe that all the normal disk imaging programs image only the
>sectors marked as in use by the file system. This saves space for the
>image file, but as you say, is useless for forensic purposes.
>
>It is necessary to use an imaging program specifically designed for
>forensic purposes - one that makes an exact sector image of the HDD.
>It is a pretty trivial program to write, and would easily fit onto a
>bootable floppy.

Thanks for that -- I'm looking into buying a copy of X-Ways Forensics
(following your previous comments) as I am doing some studies and might
be tempted to take a "Forensic Computing" module.

If your email address is valid, I'll email you directly...
--
Mr X

Re: searching a hard disk

am 18.04.2006 14:18:05 von Cynic

On 18 Apr 2006 06:56:04 -0500, Mr X wrote:

>In article <6ac94213eeqk18804dp448ueouji9qvkuj@4ax.com>, Cynic
> writes
>
>>On 18 Apr 2006 01:36:01 -0500, Mr X wrote:
>>
>>>>Re: Norton Ghost
>>>>
>>>>No. I don't believe it creates a bit stream image.
>>>
>>>Thanks for that. I have Norton Ghost and I didn't think it did that.
>>>
>>>So Norton Ghost is of no use for forensic purposes....
>>
>>I believe that all the normal disk imaging programs image only the
>>sectors marked as in use by the file system. This saves space for the
>>image file, but as you say, is useless for forensic purposes.
>>
>>It is necessary to use an imaging program specifically designed for
>>forensic purposes - one that makes an exact sector image of the HDD.
>>It is a pretty trivial program to write, and would easily fit onto a
>>bootable floppy.
>
>Thanks for that -- I'm looking into buying a copy of X-Ways Forensics
>(following your previous comments) as I am doing some studies and might
>be tempted to take a "Forensic Computing" module.
>
>If your email address is valid, I'll email you directly...

Yes, it's valid.

--
Cynic

Re: searching a hard disk

am 18.04.2006 14:40:33 von Don Kelloway

"Mr X" wrote in message
news:W3XJoFAfNNREFwT8@privacy.net...
> In article <6ac94213eeqk18804dp448ueouji9qvkuj@4ax.com>, Cynic
> writes
>
>>On 18 Apr 2006 01:36:01 -0500, Mr X wrote:
>>
>>>>Re: Norton Ghost
>>>>
>>>>No. I don't believe it creates a bit stream image.
>>>
>>>Thanks for that. I have Norton Ghost and I didn't think it did that.
>>>
>>>So Norton Ghost is of no use for forensic purposes....
>>
>>I believe that all the normal disk imaging programs image only the
>>sectors marked as in use by the file system. This saves space for the
>>image file, but as you say, is useless for forensic purposes.
>>
>>It is necessary to use an imaging program specifically designed for
>>forensic purposes - one that makes an exact sector image of the HDD.
>>It is a pretty trivial program to write, and would easily fit onto a
>>bootable floppy.
>
> Thanks for that -- I'm looking into buying a copy of X-Ways Forensics
> (following your previous comments) as I am doing some studies and might
> be tempted to take a "Forensic Computing" module.
>
> If your email address is valid, I'll email you directly...
> --
> Mr X


X-Ways Forensics is one of several forensic programs I use. IMO it's an
excellent program that offers some pretty nice features for the price. In
particular I like the Gallery option in X-Ways better than that of what is
offered in EnCase.

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".

Re: searching a hard disk

am 18.04.2006 15:10:05 von Mr X

In article <5751g.6389$sq5.2738@newsread2.news.atl.earthlink.net>, Don
Kelloway writes

>"Mr X" wrote in message
>news:W3XJoFAfNNREFwT8@privacy.net...

>> Thanks for that -- I'm looking into buying a copy of X-Ways Forensics
>> (following your previous comments) as I am doing some studies and might
>> be tempted to take a "Forensic Computing" module.
>>
>> If your email address is valid, I'll email you directly...

>X-Ways Forensics is one of several forensic programs I use. IMO it's an
>excellent program that offers some pretty nice features for the price. In
>particular I like the Gallery option in X-Ways better than that of what is
>offered in EnCase.

Thanks for that. As part of the course I am on, eventually I have to do
a project and I am looking at making or implementing a FAT32 filing
system as part of an embedded CPU board/product that would be able to
detect any tampering with the disc contents, and include some sort of
audit trail so using a tool such as X-Ways might teach me a great deal
about the forensic aspects of FAT32 filing systems.
--
Mr X

Re: searching a hard disk

am 18.04.2006 20:01:36 von Wolfgang.Schelongowski

Cynic writes:

>I believe that all the normal disk imaging programs image only the
>sectors marked as in use by the file system. This saves space for the
>image file, but as you say, is useless for forensic purposes.
>
>It is necessary to use an imaging program specifically designed for
>forensic purposes - one that makes an exact sector image of the HDD.
>It is a pretty trivial program to write, and would easily fit onto a
>bootable floppy.

You don't have to write it, it's part of the basic tools in all
variants of Unix. IOW boot a Knoppix-CD, enter
dd if=/dev/ of=
and wait until it's done. Appending bs=100k will increase the
buffer size and thus the speed.
--
The first entry of Sin into the mind occurs when, out of cowardice or
conformity or vanity, the Real is replaced by a comforting lie.
-- Integritas, Consonantia, Claritas

Re: searching a hard disk

am 19.04.2006 07:50:45 von Volker Birk

Cynic wrote:
> It is necessary to use an imaging program specifically designed for
> forensic purposes

No. Just use dd.

> one that makes an exact sector image of the HDD.

Yes.

> It is a pretty trivial program to write, and would easily fit onto a
> bootable floppy.

And even better, it already exists ;-)

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: searching a hard disk

am 19.04.2006 09:48:31 von Cynic

On 18 Apr 2006 20:01:36 +0200, Wolfgang.Schelongowski@gmx.de wrote:

>Cynic writes:
>
>>I believe that all the normal disk imaging programs image only the
>>sectors marked as in use by the file system. This saves space for the
>>image file, but as you say, is useless for forensic purposes.
>>
>>It is necessary to use an imaging program specifically designed for
>>forensic purposes - one that makes an exact sector image of the HDD.
>>It is a pretty trivial program to write, and would easily fit onto a
>>bootable floppy.
>
>You don't have to write it, it's part of the basic tools in all
>variants of Unix. IOW boot a Knoppix-CD, enter
> dd if=/dev/ of=
>and wait until it's done. Appending bs=100k will increase the
>buffer size and thus the speed.

Will that make a perfect sector copy of the HDD? IOW could you swap
the HDD you have copied from with the HDD you copied to and not see
the difference? The fact that you copy to a *file* would indicate
that it does not.

The free version of Winhex for windows has, as part of its "Disk
tools" the facility to do a raw sector copy of one entire HDD to
another. Select "copy disk", then select the *physical* drive to
copy from and the physical drive to copy to from the drop-downs, and
tick the "copy entire disk" box.

--
Cynic

Re: searching a hard disk

am 19.04.2006 12:37:15 von Graham Murray

Cynic writes:

> Will that make a perfect sector copy of the HDD? IOW could you swap
> the HDD you have copied from with the HDD you copied to and not see
> the difference? The fact that you copy to a *file* would indicate
> that it does not.

Yes it does create a perfect sector copy. Do not forget that under
*nix everything is a file. To clone a disk you would just run
something like "dd if=/dev/hda of=/dev/hdb"

Re: searching a hard disk

am 19.04.2006 12:47:23 von Sebastian Gottschalk

Wolfgang.Schelongowski@gmx.de wrote:
> Cynic writes:
>
>> I believe that all the normal disk imaging programs image only the
>> sectors marked as in use by the file system. This saves space for the
>> image file, but as you say, is useless for forensic purposes.
>>
>> It is necessary to use an imaging program specifically designed for
>> forensic purposes - one that makes an exact sector image of the HDD.
>> It is a pretty trivial program to write, and would easily fit onto a
>> bootable floppy.
>
> You don't have to write it, it's part of the basic tools in all
> variants of Unix. IOW boot a Knoppix-CD, enter
> dd if=/dev/ of=
> and wait until it's done. Appending bs=100k will increase the
> buffer size and thus the speed.

bs is blocksize, and depending on what your IDE controller is capable of
32K or 64K are the best choice (one DMA transfer block). The buffer
itself is managed by the kernel and usually some MB.

Re: searching a hard disk

am 19.04.2006 12:48:32 von Sebastian Gottschalk

Graham Murray wrote:
> Cynic writes:
>
>> Will that make a perfect sector copy of the HDD? IOW could you swap
>> the HDD you have copied from with the HDD you copied to and not see
>> the difference? The fact that you copy to a *file* would indicate
>> that it does not.
>
> Yes it does create a perfect sector copy. Do not forget that under
> *nix everything is a file. To clone a disk you would just run
> something like "dd if=/dev/hda of=/dev/hdb"

Even further, you can mount the created image file as if it was a real
harddisk, and you can mount it read-only.

Re: searching a hard disk

am 20.04.2006 21:21:55 von Wolfgang.Schelongowski

Cynic writes:

>On 18 Apr 2006 20:01:36 +0200, Wolfgang.Schelongowski@gmx.de wrote:
>
>>Cynic writes:
>>
>>>It is necessary to use an imaging program specifically designed for
>>>forensic purposes - one that makes an exact sector image of the HDD.
>>>It is a pretty trivial program to write, and would easily fit onto a
>>>bootable floppy.
>>
>>You don't have to write it, it's part of the basic tools in all
>>variants of Unix. IOW boot a Knoppix-CD, enter
>> dd if=/dev/ of=
>>and wait until it's done. Appending bs=100k will increase the
>>buffer size and thus the speed.
>
>Will that make a perfect sector copy of the HDD? IOW could you swap
>the HDD you have copied from with the HDD you copied to and not see
>the difference? The fact that you copy to a *file* would indicate
>that it does not.

If you use /dev/ as , it does, e.g.
dd if=/dev/hda of=/dev/hdg
copies the master on the first IDE-Bus to the master on the fourth
IDE-Bus. See also what others have written about it.

If your source disk has unreadable sectors you can use dd_rescue
instead of dd to ignore bad blocks.

Note also that the target disk will have the same partition table
as the original, no matter what physical size the target has.

>The free version of Winhex for windows has, as part of its "Disk
>tools" the facility to do a raw sector copy of one entire HDD to
>another. Select "copy disk", then select the *physical* drive to
>copy from and the physical drive to copy to from the drop-downs, and
>tick the "copy entire disk" box.

Does the OS under which winhex runs boot from the disk, or do you even
have to install winhex on the disk? If either, you are modifying
your source before you copy. That's bad juju if you're doing a
forensic examination.
--
The first entry of Sin into the mind occurs when, out of cowardice or
conformity or vanity, the Real is replaced by a comforting lie.
-- Integritas, Consonantia, Claritas
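
The sector copy discussed in this and the earlier replies (dd on the whole device, dd_rescue to get past bad blocks, the resulting image usable like the disk itself), as an added example that is not code from the thread or from any of its posters. It models the copy in Python on a constructed in-memory disk so it runs offline: FakeDisk, the planted phrase, the unreadable sector and the flaky sector are all constructed for the demonstration. The point it makes that the posts only imply is that an unreadable sector must be padded, never skipped, or every later byte in the image lands at the wrong offset.

```python
"""Added example (not code from the thread or from any poster): a model of what
a forensic sector copy does, run on a constructed in-memory "disk".

It follows the dd / dd_rescue behaviour discussed above:
  * copy sector by sector and never skip an offset, so the image can be used
    exactly like the original disk (mounted read-only, searched, re-imaged);
  * on a read error, retry, then pad the sector with zeros and log it
    (dd's conv=noerror,sync; dd_rescue retries and pads the same way), so every
    byte after the bad sector keeps its original offset in the image;
  * hash the image so it can be re-verified before and after examination;
  * search the raw image for a phrase regardless of file system or program.
"""
import hashlib

SECTOR = 512
PHRASE = "meet at the docks at midnight"   # constructed search term


class FakeDisk:
    """Constructed stand-in for /dev/hda. Sectors in `bad` always fail;
    sectors in `flaky` fail once and then read correctly (a marginal sector)."""

    def __init__(self, data: bytes, bad_sectors=(), flaky_sectors=()):
        assert len(data) % SECTOR == 0
        self.data = data
        self.size = len(data)
        self.bad = set(bad_sectors)
        self.flaky = set(flaky_sectors)

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(5, "Input/output error")
        if n in self.flaky:
            self.flaky.discard(n)          # fails this time, succeeds next time
            raise OSError(5, "Input/output error")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def image_disk(disk: FakeDisk, retries: int = 2):
    """Sector copy with noerror,sync semantics.
    Returns (image_bytes, sha256_hex_of_image, list_of_padded_sectors)."""
    image = bytearray()
    digest = hashlib.sha256()
    padded = []
    for n in range(disk.size // SECTOR):
        chunk = None
        for _attempt in range(retries + 1):
            try:
                chunk = disk.read_sector(n)
                break
            except OSError:
                continue
        if chunk is None:                  # unreadable after all retries
            chunk = b"\x00" * SECTOR       # pad, do not skip: keeps offsets aligned
            padded.append(n)
        image += chunk
        digest.update(chunk)
    return bytes(image), digest.hexdigest(), padded


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash the image; the original hash is what goes in the evidence log."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def find_phrase(image: bytes, phrase: str):
    """Byte offsets of `phrase` anywhere in the raw image, tried as UTF-8/ASCII
    and as UTF-16LE (how Windows applications commonly store text).
    Unallocated space and deleted data are covered too: no file system is parsed."""
    hits = []
    for enc in ("utf-8", "utf-16-le"):
        needle = phrase.encode(enc)
        pos = image.find(needle)
        while pos >= 0:
            hits.append((pos, enc))
            pos = image.find(needle, pos + 1)
    return hits


def build_sample_disk() -> FakeDisk:
    """Constructed 16-sector disk: deterministic filler, the phrase planted in
    sector 3 (UTF-8) and sector 9 (UTF-16LE), sector 5 unreadable, sector 7 flaky."""
    buf = bytearray((i * 7 + 3) % 251 for i in range(16 * SECTOR))
    p8 = PHRASE.encode("utf-8")
    buf[3 * SECTOR + 100:3 * SECTOR + 100 + len(p8)] = p8
    p16 = PHRASE.encode("utf-16-le")
    buf[9 * SECTOR + 20:9 * SECTOR + 20 + len(p16)] = p16
    return FakeDisk(bytes(buf), bad_sectors={5}, flaky_sectors={7})


if __name__ == "__main__":
    disk = build_sample_disk()
    image, sha, padded = image_disk(disk)
    print(f"image: {len(image)} bytes, sha256 {sha}")
    print(f"unreadable sectors padded with zeros: {padded}")
    print("verified:", verify_image(image, sha))
    for off, enc in find_phrase(image, PHRASE):
        print(f"  phrase found at byte {off} (sector {off // SECTOR}) as {enc}")
```

On a real drive the equivalent is the command from the thread with error handling added, for example dd if=/dev/hda of=/mnt/evidence/hda.dd bs=512 conv=noerror,sync, followed by sha256sum over both the device and the image. The reason the example works at sector granularity is that conv=sync pads every short or failed input block to bs: with bs=64k a single bad 512-byte sector costs 64 KiB of zeros, and a source whose size is not a multiple of bs is padded at the end, so the hashes of device and image no longer match.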

Re: searching a hard disk

am 21.04.2006 08:09:20 von Cynic

On 20 Apr 2006 21:21:55 +0200, Wolfgang.Schelongowski@gmx.de wrote:

>>The free version of Winhex for windows has, as part of its "Disk
>>tools" the facility to do a raw sector copy of one entire HDD to
>>another. Select "copy disk", then select the *physical* drive to
>>copy from and the physical drive to copy to from the drop-downs, and
>>tick the "copy entire disk" box.

>Does the OS under which winhex runs boot from the disk, or do you even
>have to install winhex on the disk? If either, you are modifying
>your source before you copy. That's bad juju if you're doing a
>forensic examination.

You should never even *mount* the evidential disk. Just accessing the
file system could result in writes to the disk (updating the "last
accessed" timestamp of files, for example, or marking the FAT if a bad
read is encountered). The idea with Windoze would be to have both the
evidential disk and the copy HDD on different IDE or SCSI ports from the
boot disk and OS. The problem with Windoze is that it will almost
certainly interrogate all the hardware it finds, and though it
*shouldn't* write to any new HDD it finds, who knows exactly what
Windoze might do? If it is possible to use a cable that prevents HDD
writes, then that should be used on the evidential HDD.

You are quite correct that Unix is a better system to use, as its
operation is more transparent and it can be booted from read-only
media. Though even there I believe it interrogates the HDD busses at
boot time - you need to be 100% certain that it does not perform any
write operations.

Best is to use purpose-built "black box" hardware that has the sole
purpose of making HDD copies. This will not use any normal operating
system, but will contain a modest embedded CPU (I have built such a
device using a Z80 CPU) with custom firmware designed only to perform
a sector copy and verification. Being purpose-built, it can have
various features to speed up the job tremendously, such as making
multiple copies at the same time, and maybe a DVD writer so that the
HDD is split and burnt onto non-volatile storage. Being small and
portable, it is also the best way to clone disks on-site in cases
where evidence is required but there is a desire to minimise the
down-time of the evidential system.

Any such "black box" should be independently certified as to its
correct functionality before using it to create evidence for a Court.

--
Cynic

Re: searching a hard disk

am 21.04.2006 11:09:17 von Sebastian Gottschalk

Cynic wrote:

> You should never even *mount* the evidential disk. Just accessing the
> file system could result in writes to the disk (updating the "last
> accessed" timestamp of files, for example, or marking the FAT if a bad
> read is encountered).

Unix supports mounting read-only, but I wouldn't rely on that.

> If it is possible to use a cable that prevents HDD
> writes, then that should be used on the evidential HDD.

Build it yourself: Cut Pin #28 of a 40-pole IDE cable. No need for any
special forensic box, standard hardware is pretty fine for the job.

Re: searching a hard disk

am 21.04.2006 11:59:24 von The Electric Fan Club

"Sebastian Gottschalk" wrote in message
news:4arlrgFuluseU1@news.dfncis.de...
> Cynic wrote:
>
>> You should never even *mount* the evidential disk. Just accessing the
>> file system could result in writes to the disk (updating the "last
>> accessed" timestamp of files, for example, or marking the FAT if a bad
>> read is encountered).
>
> Unix supports mounting read-only, but I wouldn't rely on that.
>
>> If it is possible to use a cable that prevents HDD
>> writes, then that should be used on the evidential HDD.
>
> Build it yourself: Cut Pin #28 of a 40-pole IDE cable. No need for any
> special forensic box, standard hardware is pretty fine for the job.

How will that help? Pin 28 is 'Cable Select' for determining which drive is
Master and Slave.

Re: searching a hard disk

am 21.04.2006 12:02:39 von The Electric Fan Club

"The Electric Fan Club" wrote in
message news:4448aa6c$1_1@glkas0286.greenlnk.net...
>
> "Sebastian Gottschalk" wrote in message
> news:4arlrgFuluseU1@news.dfncis.de...
>> Cynic wrote:
>>
>>> You should never even *mount* the evidential disk. Just accessing the
>>> file system could result in writes to the disk (updating the "last
>>> accessed" timestamp of files, for example, or marking the FAT if a bad
>>> read is encountered).
>>
>> Unix supports mounting read-only, but I wouldn't rely on that.
>>
>>> If it is possible to use a cable that prevents HDD
>>> writes, then that should be used on the evidential HDD.
>>
>> Build it yourself: Cut Pin #28 of a 40-pole IDE cable. No need for any
>> special forensic box, standard hardware is pretty fine for the job.
>
> How will that help? Pin 28 is 'Cable Select' for determining which drive
> is Master and Slave.

To elucidate, cutting pin 28 will make the drive think that it is a slave.
Grounding it makes the drive a Master.

Re: searching a hard disk

am 21.04.2006 12:30:16 von Sebastian Gottschalk

The Electric Fan Club wrote:

>>> If it is possible to use a cable that prevents HDD
>>> writes, then that should be used on the evidential HDD.
>> Build it yourself: Cut Pin #28 of a 40-pole IDE cable. No need for any
>> special forensic box, standard hardware is pretty fine for the job.
>
> How will that help? Pin 28 is 'Cable Select' for determining which drive is
> Master and Slave.

Sorry, Pin #23. The interesting point is that it will keep on working,
but the IDE controller will recognize that every write fails and the
operating system will interpret it as a read-only device. BTST with
Linux and Windows.

Re: searching a hard disk

am 21.04.2006 12:33:43 von Cynic

On Fri, 21 Apr 2006 11:09:17 +0200, Sebastian Gottschalk
wrote:

>> If it is possible to use a cable that prevents HDD
>> writes, then that should be used on the evidential HDD.

>Build it yourself: Cut Pin #28 of a 40-pole IDE cable. No need for any
>special forensic box, standard hardware is pretty fine for the job.

Yes - as I said, "if it is possible". Easy with an IDE drive, but it
could be a SCSI or SATA HDD or a USB memory card/ HDD.

--
Cynic

Re: searching a hard disk

am 21.04.2006 13:15:31 von Sebastian Gottschalk

Cynic wrote:

>>> If it is possible to use a cable that prevents HDD
>>> writes, then that should be used on the evidential HDD.
>
>> Build it yourself: Cut Pin #28 of a 40-pole IDE cable. No need for any
>> special forensic box, standard hardware is pretty fine for the job.
>
> Yes - as I said, "if it is possible". Easy with an IDE drive, but it
> could be a SCSI or SATA HDD

For SCSI you have special controller commands to get into a read-only
mode, for SATA you can use an IDE-SATA adapter.

> or a USB memory card/ HDD.

Yeah, that's the tricky case. At least for memory cards you'll most
likely have a write-protect switch, but HDDs definitely need to be
transferred to a serious controller interface.