My ideal disk copier would be a very basic PC, probably one of those compact industrial single-board ones, with a truly blank target disk and a spare port, running nothing except a custom-written native application which does nothing except read literal sectors from one hard disk to another (no OS). This application would be booted from floppy disk to start the copy process. The required code, if written in assembler, would be so small that it *could* be verified and certified by anyone competent to read the source code.

The reason we don't use disk imaging software is probably that we don't know and can't find out what it is doing in detail (that's proprietary information). Many disk imagers compress their archives in an unspecified manner, and many use file-level copying, which both alters the layout of the copy and omits free and deleted space, losing a useful source of evidence.

Mike Barwise
Computer Security Awareness
"Addressing the Human Equation in Information Security"

> >Thanks Marian
> >
> >At last someone is asking the right questions.
> >
> >My view is that one should ideally *never* try to carry out a disk
> >imaging in place on a suspect computer.
>
> Yes, you are right, but you know it is not possible in many cases.
>
> >I would go equipped with a dedicated clean
> >"imager" PC onto which the suspect drive can be connected. This need be
> >no more than a simple PC with a spare IDE (and possibly a spare SCSI)
> >port and a power cable splitter. As it would never be used for anything
> >other than imaging, it could be kept clean and certified.
>
> This is the right place for the next "right" question:
>
> What is the "clean and certified" computer?
>
> Computer is always "sophistical" machine and each program, driver,
> system,...
> must be certified to clearly state that all computer is certified.
> Certification in forensic science is not only technical,
> but the juridical process. I have some (not pleasant) experience with
> certification ;-(
> The best way for successful certification (no matter what certification
> criteria you have)
> is to certificate as simple device as possible. For this reason I have
> next (may be) "right" question:
>
> Why a HW disk imaging tools (HW disk duplicators) are not used?
>
> They have all advantages (except price ;-).
> Simplicity, speed, safety, electronic signature, they need not so high
> qualify operation and handling...
>
> >Michael D. Barwise, BSc, IEng, MIIE
> >Computer Security Awareness
> >tel +44 (0)1442 266534
> >http://www.ComputerSecurityAwareness.com
> >
> >Addressing the Human Equation in Information Security
>
> ____________________________________
> Marian Svetlik
> Principal Consultant
>
> Risk Analysis Consultants
> Narodni 9, 110 00 Praha 1
> Czech Republic
>
> Tel.: +420 2 220 75 352 Fax: +420 2 242 28 273
> mail: svetlikat_private http://www.rac.cz
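
Added example, not part of the original message or of any tool the posters describe: a sketch in Python of the sector-by-sector copy discussed above, with a read-back check, run against a constructed four-sector disk to show that a file-level copy loses deleted data that the sector image keeps. The 512-byte sector size, the function names and the allocation map are assumptions made for this illustration.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size in bytes

def image_sectors(src, dst, sector=SECTOR):
    """Copy every sector from src to dst; return (sector_count, sha256_hex)."""
    digest, count = hashlib.sha256(), 0
    while True:
        block = src.read(sector)
        if not block:
            break
        dst.write(block)
        digest.update(block)
        count += 1
    return count, digest.hexdigest()

def first_mismatch(a, b, sector=SECTOR):
    """Re-read both from the start; return first differing sector index, or None."""
    a.seek(0)
    b.seek(0)
    index = 0
    while True:
        x, y = a.read(sector), b.read(sector)
        if x != y:
            return index
        if not x:
            return None
        index += 1

def build_sample_disk():
    """Constructed 4-sector disk: sectors 0-1 allocated, sector 2 holds deleted data."""
    live = b"LIVE FILE".ljust(SECTOR, b"\x00")
    deleted = b"DELETED EVIDENCE".ljust(SECTOR, b"\x00")
    return b"\x00" * SECTOR + live + deleted + b"\x00" * SECTOR

def file_level_copy(disk, allocated=(0, 1), sector=SECTOR):
    """Hypothetical file-level copy: keeps only sectors marked allocated."""
    return b"".join(disk[i * sector:(i + 1) * sector] for i in allocated)

if __name__ == "__main__":
    disk = build_sample_disk()
    src, dst = io.BytesIO(disk), io.BytesIO()
    count, sha = image_sectors(src, dst)
    print(count, sha == hashlib.sha256(disk).hexdigest(), first_mismatch(src, dst))
    print(b"DELETED EVIDENCE" in dst.getvalue(),
          b"DELETED EVIDENCE" in file_level_copy(disk))
```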
This archive was generated by hypermail 2b30 : Mon Jun 25 2001 - 11:13:12 PDT