RE: CRIME And finally

From: Nick Murphy (nmurphy@private)
Date: Fri Aug 01 2003 - 09:55:49 PDT

    I have used a drive duplicator (http://www.proworkstation.com/) to create a bit-by-bit image of the drive to another drive. This drive duplicator does not make any changes to the original disk, so your imaged drive is free to use and you will not cause any damage to the evidence.
    If you live in the Windows world, or any OS, and have a drive that runs Windows, you should never boot to those drives. You ruin your evidence the second you do that, because you will overwrite sectors and timestamps, and some system files will change.
    Another thing to add: keep a chain of evidence and a log of everything that has been done, and make sure the evidence is always locked in a secure place.
     
    Nick Murphy
    
    	-----Original Message----- 
    	From: Arthur Strutzenberg [mailto:arthur.strutzenberg@private] 
    	Sent: Fri 8/1/2003 9:26 AM 
    	To: 'Jim Wood' 
    	Cc: crime@private 
    	Subject: RE: CRIME And finally
    	
    	
    
    	This may sound crazy...but if these devices are mountable as drives and
    	you live in the Windows world, what if you were to use something like
    	Winimage to make an exact bit for bit copy of the device?
    	
    	Not sure on the admissibility of this and this gets to a question I have
    	for the group-- what is required to preserve computer evidence,
    	especially when you conduct a forensic investigation?
    	
    	--Arthur Strutzenberg
    	
    	------------------------------------------------------
    	Arthur Strutzenberg        Swan Island Networks Inc
    	
    	arthur.strutzenberg@private
    	http://www.swanisland.net
    	
    	(503)-796-7926 (x20)
    	------------------------------------------------------
    	
    	
    	-----Original Message-----
    	From: owner-crime@private [mailto:owner-crime@private] On Behalf
    	Of Jim Wood
    	Sent: Thursday, July 31, 2003 6:53 PM
    	To: crime@private
    	Subject: CRIME And finally
    	
    	Thank you so much to all of you for your help today with my search for
    	MD5 and SHA software.  It is great to have a resource like this where
    	everyone is working together for a central cause - ( Kinda communistic
    	huh??)
    	
    	I am looking for advice now on making working copies of media such as
    	thumbdrives, flashdrives, SD cards, etc.  I have a process in place
    	that works and is admissible as evidence, but I am open to better
    	techniques / software that would simplify this in the future.
    	
    	JW
    	
    	Jim Wood
    	jwood@private
    	MW Technology Group Inc
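
The thread above covers bit-for-bit imaging, MD5/SHA hashing, and keeping a log of everything done to the evidence. The following is an added example, not code from any poster in this thread: it hashes a source and its image and appends the result to an evidence log. The function names, log format, and examiner label are hypothetical, and it assumes the original media is reached through a write blocker or duplicator so that reading it cannot alter it.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory


def digests(path):
    """Return size plus MD5 and SHA-1 hex digests of a file or raw device (read-only)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return {"bytes": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_and_log(source, image, log_path, examiner):
    """Hash source and image, append one JSON line to the evidence log, return the entry."""
    entry = {
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,  # hypothetical label for whoever handled the media
        "source": {"path": source, **digests(source)},
        "image": {"path": image, **digests(image)},
    }
    entry["match"] = all(entry["source"][k] == entry["image"][k]
                         for k in ("bytes", "md5", "sha1"))
    with open(log_path, "a", encoding="utf-8") as log:  # append only, never rewrite
        log.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def demo():
    """Constructed sample: a 3 MiB stand-in 'drive', a good copy, a copy with one changed byte."""
    d = tempfile.mkdtemp()
    src, good, bad, log = (os.path.join(d, n)
                           for n in ("src.dd", "good.dd", "bad.dd", "log.jsonl"))
    data = bytes(range(256)) * (3 * 4096)
    for path, content in ((src, data), (good, data), (bad, data[:-1] + b"\x00")):
        with open(path, "wb") as f:
            f.write(content)
    return (verify_and_log(src, good, log, "examiner-1"),
            verify_and_log(src, bad, log, "examiner-1"), log)


if __name__ == "__main__":
    ok, altered, log = demo()
    print(ok["match"], altered["match"], log)
```

A single changed byte in the copy is enough to make `match` false, and both the passing and failing checks remain in the log.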
    	
    	
    	
    	
    	
    



    This archive was generated by hypermail 2b30 : Fri Aug 01 2003 - 10:05:05 PDT