Re: Where are greater risks?

From: Michael D. Barwise, BSc, IEng, MIIE (mikeat_private)
Date: Wed Jun 27 2001 - 10:50:42 PDT

    Thanks Neil, but the purpose is to make use of a tool which does only one
    job and is so transparently simple that it can be accepted by non-technical
    people in court as valid for legal purposes. After all this *is* forensics! No
    way could you defend a complex system like Linux on this basis,
    particularly taking into account the way it has been developed.
    
    Mike Barwise
    Computer Security Awareness
    
    "Addressing the Human Equation in Information Security"
    
    > Mike,
    > 
    > this may be real redundant information, but that standard unix utility dd
    > will do exactly what you're talking about, and if you're using something
    > like Linux or FreeBSD, the source code is completely available.
    > 
    > just something to ponder.
    > 
    > Neil
    > 
    > Once upon a time, Michael D. Barwise, BSc, IEng, MIIE, then known as mike,
    > said...
    > > My ideal disk copier would be a very basic PC, probably one of those
    > > compact industrial single-board ones, with a truly blank target disk and a
    > > spare port, running nothing except a custom-written native application
    > > which does nothing except read literal sectors from one hard disk to
    > > another (no OS). This application would be booted from floppy disk to
    > > start the copy process. The required code, if written in assembler, would
    > > be so small that it *could* be verified and certified by anyone competent
    > > to read the source code.
    > >
    > > The reason we don't use disk imaging software is probably that we don't
    > > know and can't find out what it is doing in detail (that's proprietary
    > > information). Many disk imagers compress their archives in an unspecified
    > > manner, and many use file-level copying, which both alters the layout of
    > > the copy and omits free and deleted space, losing a useful source of
    > > evidence.
    > >
    > > Mike Barwise
    > > Computer Security Awareness
    > >
    > > "Addressing the Human Equation in Information Security"
    > >
    > > > > Thanks Marian
    > > > >
    > > > > At last someone is asking the right questions.
    > > > >
    > > > > My view is that one should ideally *never* try to carry out a disk
    > > > > imaging in place on a suspect computer.
    > > >
    > > > Yes, you are right, but you know it is not possible in many cases.
    > > >
    > > > > I would go equipped with a dedicated clean "imager" PC onto which the
    > > > > suspect drive can be connected. This need be no more than a simple PC
    > > > > with a spare IDE (and possibly a spare SCSI) port and a power cable
    > > > > splitter. As it would never be used for anything other than imaging,
    > > > > it could be kept clean and certified.
    > > >
    > > > This is the right place for the next "right" question:
    > > >
    > > > What is the "clean and certified" computer?
    > > >
    > > > A computer is always a "sophisticated" machine, and each program, driver,
    > > > system, ... must be certified to clearly state that the whole computer is
    > > > certified. Certification in forensic science is not only technical, but
    > > > also a juridical process. I have some (not pleasant) experience with
    > > > certification ;-(
    > > > The best way to succeed in certification (no matter what certification
    > > > criteria you have) is to certify as simple a device as possible. For this
    > > > reason I have the next (maybe) "right" question:
    > > >
    > > > Why are HW disk imaging tools (HW disk duplicators) not used?
    > > >
    > > > They have all the advantages (except price ;-). Simplicity, speed, safety,
    > > > electronic signature, they do not need such highly qualified operation
    > > > and handling...
    > > >
    > > > > Michael D. Barwise, BSc, IEng, MIIE
    > > > > Computer Security Awareness
    > > > > tel +44 (0)1442 266534
    > > > > http://www.ComputerSecurityAwareness.com
    > > > >
    > > > > Addressing the Human Equation in Information Security
    > > >
    > > > ____________________________________
    > > > Marian Svetlik
    > > > Principal Consultant
    > > >
    > > > Risk Analysis Consultants
    > > > Narodni 9,      110 00 Praha 1
    > > > Czech Republic
    > > >
    > > > Tel.:   +420 2 220 75 352    Fax:   +420 2 242 28 273
    > > > mail:   svetlikat_private           http://www.rac.cz
    
    
    Michael D. Barwise, BSc, IEng, MIIE
    Computer Security Awareness
    tel +44 (0)1442 266534
    http://www.ComputerSecurityAwareness.com
    
    Addressing the Human Equation in Information Security
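
    Neil's suggestion in the thread above is the one most practitioners end up
    following: image the drive sector by sector with dd rather than with a
    file-level or compressing imager, then hash source and image so the copy can
    be shown to be bit-identical. The script below is an added example written
    for this archive page, not code from any of the posters. It wraps dd's raw
    copy with SHA-256 verification. The function names, the script name image.sh,
    the device name /dev/hdb and the sample file used to exercise it are
    assumptions. One caveat it handles explicitly: conv=sync zero-pads a source
    whose length is not a whole number of sectors, so the two digests only agree
    for sector-aligned sources, which real disks always are.

```shell
#!/bin/sh
# Raw sector-level imaging with dd plus independent SHA-256 verification.
# Added example for this thread; not code from any of the posters.
# Function names and the /dev/hdb device name below are assumptions.

# sha256_of FILE: print the SHA-256 digest of FILE as bare hex, using
# whichever digest tool is installed (sha256sum on GNU/Linux, shasum on
# BSD/macOS, openssl as a fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# raw_image SOURCE IMAGE [SECTOR_SIZE]
# Copy SOURCE into IMAGE one sector at a time. No filesystem is involved,
# so slack, free and deleted space come across untouched and nothing is
# compressed. conv=noerror keeps going past unreadable sectors instead of
# aborting; conv=sync pads each short read with zeros so the image keeps
# the source's sector layout (a bad sector becomes a zeroed sector at the
# same offset). SOURCE is normally a block device, e.g. /dev/hdb on the
# imaging PC's spare IDE port; any regular file works for testing.
# Prints "<sha256>  <sectors>" and returns dd's exit status.
raw_image() {
    src=$1
    img=$2
    bs=${3:-512}
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>/dev/null || return $?
    bytes=$(wc -c < "$img" | tr -d ' ')
    printf '%s  %d\n' "$(sha256_of "$img")" $((bytes / bs))
}

# verify_image SOURCE IMAGE
# Re-read both and compare digests. Returns 0 on a match, 1 otherwise.
# Do this while the suspect drive is still attached: once it has been
# disconnected the source digest can no longer be reproduced. Caveat:
# conv=sync zero-pads a source whose length is not a multiple of the
# sector size, so the digests only agree for sector-aligned sources,
# which real disks always are.
verify_image() {
    s=$(sha256_of "$1")
    i=$(sha256_of "$2")
    printf '%s  source\n%s  image\n' "$s" "$i"
    [ "$s" = "$i" ]
}

# Usage: sh image.sh /dev/hdb /evidence/case-0001.dd
# (no arguments: just define the functions, for sourcing or testing)
if [ $# -ge 2 ]; then
    raw_image "$1" "$2" && verify_image "$1" "$2"
fi
```

    Record both digests on paper with the case notes at the time they are
    produced; the image file can then be re-hashed at any later date to show it
    has not changed, which is the part of the chain of custody a court actually
    asks about.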
    
    -----------------------------------------------------------------
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 21:54:38 PDT