On Mon, Jun 25, 2001 at 04:04:45PM +0100, Michael D. Barwise, BSc, IEng, MIIE wrote: > My ideal disk copier would be a very basic PC, probably one of those > compact industrial single-board ones, with a truly blank target disk and a > spare port, running nothing except a custom-written native application > which does nothing except read literal sectors from one hard disk to > another (no OS). This application would be booted from floppy disk to start > the copy process. The required code, if written in assembler, would be so > small that it *could* be verified and certified by anyone competent to read > the source code. > The reason we don't use disk imaging software is probably that we don't > know and can't find out what it is doing in detail (that's proprietary > information). Many disk imagers compress their archives in an unspecified > manner, and many use file-level copying, which both alters the layout of the > copy and omits free and deleted space, losing a useful source of evidence. Boot the system from a Linux "Bootable Business Card" CD and use the "dd" application to copy between the raw devices (root device like /dev/hda or /dev/sda, not partitions like /dev/hda[1234567]). It doesn't get much more basic than that unless you want to do magnetic domain analysis or include the low level drive sync patterns (I think not). When done, use md5 on both the source and the destination to verify. Since it's all open source, you've got the sources to audit and verfy to your heart's content. Since it's done on the raw devices, all the deleted space, trailing space, sparce files, and inter-partition gaps and tables are all preserved bit for bit. If they weren't your md5 sums would fail. > Mike Barwise > Computer Security Awareness > "Addressing the Human Equation in Information Security" > > > > >Thanks Marian > > > > > >At last someone is asking the right questions. > > > > > >My view is that one should ideally *never* try to carry out a disk > > >imaging > > in > > >place on a suspect computer. > > > > Yes, you are right, but you know it is not possible in many cases. > > > > >I would go equipped with a dedicated clean > > >"imager" PC onto which the suspect drive can be connected. This need be > > >no more than a simple PC with a spare IDE (and possibly a spare SCSI) > > >port and a power cable splitter. As it would never be used for anything > > other > > >than imaging, it could be kept clean and certified. > > > > This is the right place for the next "right" question: > > > > What is the "clean and certified" computer? > > > > Computer is allways "sophistical" machine and each program, driver, > > system,... > > must be cerified to clearly state that all computer is cerified. > > Certification in forensic science is not only technical, > > but the juridical proces. I have some (not pleasant) experience with > > certification ;-( > > The best way for success cetification (no matter what certificaction > > criteria you have) > > is to certificate as simple device as possible. For this reason I have > > next (may be) "right" question: > > > > Why a HW disk imaging tools (HW disk duplicators) are not used? > > > > They have all advantages (except price ;-). > > Simplicity, speed, safety, electronic signature, they need not so high > > qualify oeration and handling... > > > > > > > >Michael D. Barwise, BSc, IEng, MIIE > > >Computer Security Awareness > > >tel +44 (0)1442 266534 > > >http://www.ComputerSecurityAwareness.com > > > > > >Addressing the Human Equation in Information Security > > > > ____________________________________ > > Marian Svetlik > > Principal Consultant > > > > Risk Analysis Consultants > > Narodni 9, 110 00 Praha 1 > > Czech Republic > > > > Tel.: +420 2 220 75 352 Fax: +420 2 242 28 273 > > mail: svetlikat_private http://www.rac.cz > -- Michael H. Warfield | (770) 985-6132 | mhwat_private (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 08:44:56 PDT