At this time that is the product I am using in Windows,Linux is a different story. I currently process electronic evidence for law enforcement around my location. Winimage has worked fine in the past, and then generating an MD5 and comparing it against the original has been admissible in 2 previous cases I have been involved in. -Always be sure that the lock tab is in the locked position before imaging these items! As far as requirements for evidence; The copy of the hard drive, cd, or whatever other media you are processing must be an exact bit by bit copy of the original verifiable by MD5 or SHA ( SHA is the preferred now, as MD5 has some weaknesses, I am yet to have this challenged by a defense attorney in any of my cases, but I do know it has come up in recent cases.) The purpose of the bit by bit image is to preserve the "snapshot in time" of the suspects media involved in the potential crime(s). There are many aspects to evidence collection and preservation so it will be acceptable / admissible as evidence. There are many publications available from the DOJ on this very subject. Hope that answers some of your question on evidence, if you should need more info please feel free to shoot me email Jim Wood Forensic Examiner / President MW Technology Group Inc -----Original Message----- From: Arthur Strutzenberg [mailto:arthur.strutzenberg@private] Sent: Friday, August 01, 2003 8:26 AM To: 'Jim Wood' Cc: crime@private Subject: RE: CRIME And finally This may sound crazy...but if these devices are mountable as drives and you live in the Windows world, what if you were to use something like Winimage to make an exact bit for bit copy of the device? Not sure on the admissibility of this and this gets to a question I have for the group-- what is required to preserve computer evidence, especially when you conduct a forensic investigation? --Arthur Strutzenberg ------------------------------------------------------ Arthur Strutzenberg Swan Island Networks Inc arthur.strutzenberg@private http://www.swanisland.net (503)-796-7926 (x20) ------------------------------------------------------ -----Original Message----- From: owner-crime@private [mailto:owner-crime@private] On Behalf Of Jim Wood Sent: Thursday, July 31, 2003 6:53 PM To: crime@private Subject: CRIME And finally Thanks you so much to all of you for your help today with my search for MD5 and SHA software. It is great to have a resource like this where everyone is working together for a central cause - ( Kinda communistic huh??) I am looking for advice now on making working copies of media such as thumbdrives, flashdrives, SD cards, etc. I have a process in place that works and is admissible as evidence, but I am open to better techniques / software that would simplify this in the future. JW Jim Wood jwood@private MW Technology Group Inc --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.504 / Virus Database: 302 - Release Date: 7/24/2003 --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.504 / Virus Database: 302 - Release Date: 7/24/2003 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.504 / Virus Database: 302 - Release Date: 7/24/2003
This archive was generated by hypermail 2b30 : Fri Aug 01 2003 - 10:05:23 PDT