Let's have a real situation:

Problem: You have to make an image of a disk on a crime scene.

You have:
- set of diskettes with well-known forensic tools
- large external storage media (large HDD with parallel port connection)

Short solution:
- properly connect external storage media to the suspected computer
- boot the suspected computer from a prepared forensic diskette
- run a forensic disk imaging tool and make an image of the disk to the external media

Very nice and simple, but... What does "boot suspected computer" mean? Let's go to a detailed description of each step of this "simple" process:

- insert diskette to drive A: (in 20% of cases it is useless - out of work, dusty, ...)
- switch on computer (Where is the switch? Is it mechanical or electronic? ...)
- BIOS is starting... (What is the booting sequence? How can you verify it? You have to go to BIOS setup and you have only about 5 sec for it! How can you quickly and securely start BIOS setup? Is BIOS password protected? ...)
- booting sequence is right and your system is booting from floppy (What system do you have to use? MSDOS, Linux, ...? What version? Are you absolutely sure about the read-only feature of the system starting process?)
- OK, your system correctly started. You have to load a device driver to connect your external HDD. (But the parallel port is out of service, or it has a nonstandard INT or address and your driver did not identify it. ... What to do?)
- OK, you can start your famous forensic disk imaging software with MD5 feature!

My question is why we widely discuss the safety of disk imaging SW while the questions above are neglected? Where are the great risks? Which risk is greater? Some may be solved by training, but not all of them.

____________________________________
Marian Svetlik
Principal Consultant
Risk Analysis Consultants
Narodni 9, 110 00 Praha 1
Czech Republic
Tel.: +420 2 220 75 352
Fax: +420 2 242 28 273
mail: svetlikat_private
http://www.rac.cz
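The last step of the procedure above (imaging to external media with an MD5 check), as an added shell example that is not part of the original post or of any particular forensic tool. It assumes a POSIX shell with `dd` and `md5sum`; the source and destination paths are placeholders, and the "suspect disk" in the demo is a constructed file, not a real device.

```shell
#!/bin/sh
# Added example: image a source (device or file) to a destination on external
# media and verify the copy with MD5. Not from the original post.

# image_and_verify SRC DST LOG
# Refuses to overwrite an existing DST, refuses a SRC that is currently mounted
# (a read-only forensic boot should leave the suspect disk unmounted), hashes
# SRC, copies it with dd, hashes DST, logs both hashes, and succeeds only when
# the two hashes match.
image_and_verify() {
    src=$1; dst=$2; log=$3
    if [ -e "$dst" ]; then
        echo "refusing to overwrite existing image $dst" >&2; return 2
    fi
    if grep -q "^$src " /proc/mounts 2>/dev/null; then
        echo "$src is mounted; imaging aborted" >&2; return 3
    fi
    before=$(md5sum "$src" | cut -d' ' -f1)
    dd if="$src" of="$dst" bs=4096 2>/dev/null
    after=$(md5sum "$dst" | cut -d' ' -f1)
    printf 'source %s %s\nimage  %s %s\n' "$src" "$before" "$dst" "$after" >> "$log"
    [ "$before" = "$after" ]
}

# Demo on a constructed stand-in for the suspect disk: 64 KiB of zeros plus a
# marker string. Prints the hash log and the verification result.
demo() {
    work=$(mktemp -d)
    { head -c 65536 /dev/zero; printf 'EVIDENCE'; } > "$work/suspect.raw"
    if image_and_verify "$work/suspect.raw" "$work/image.dd" "$work/hashes.log"; then
        cat "$work/hashes.log"; echo "image verified"
    else
        echo "HASH MISMATCH or imaging refused"; return 1
    fi
}

demo
```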
This archive was generated by hypermail 2b30 : Fri Jun 22 2001 - 15:10:02 PDT