Thanks Neil, but the purpose is to make use of a tool which does only one job and is so transparently simple that it can be accepted by non-technical people in court as valid for legal purposes. After all, this *is* forensics! No way could you defend a complex system like Linux on this basis, particularly taking into account the way it has been developed.

Mike Barwise
Computer Security Awareness
"Addressing the Human Equation in Information Security"

> Mike,
>
> this may be real redundant information, but that standard unix utility dd
> will do exactly what you're talking about, and if you're using something
> like Linux or FreeBSD, the source code is completely available.
>
> just something to ponder.
>
> Neil
>
> Once upon a time, Michael D. Barwise, BSc, IEng, MIIE, then known as mike,
> said...
>
> > My ideal disk copier would be a very basic PC, probably one of those
> > compact industrial single-board ones, with a truly blank target disk and a
> > spare port, running nothing except a custom-written native application
> > which does nothing except read literal sectors from one hard disk to
> > another (no OS). This application would be booted from floppy disk to start
> > the copy process. The required code, if written in assembler, would be so
> > small that it *could* be verified and certified by anyone competent to read
> > the source code.
> >
> > The reason we don't use disk imaging software is probably that we don't
> > know and can't find out what it is doing in detail (that's proprietary
> > information). Many disk imagers compress their archives in an unspecified
> > manner, and many use file-level copying, which both alters the layout of the
> > copy and omits free and deleted space, losing a useful source of evidence.
> >
> > Mike Barwise
> > Computer Security Awareness
> > "Addressing the Human Equation in Information Security"
> >
> > > > Thanks Marian
> > > >
> > > > At last someone is asking the right questions.
> > > >
> > > > My view is that one should ideally *never* try to carry out a disk
> > > > imaging in place on a suspect computer.
> > >
> > > Yes, you are right, but you know it is not possible in many cases.
> > >
> > > > I would go equipped with a dedicated clean "imager" PC onto which the
> > > > suspect drive can be connected. This need be no more than a simple PC
> > > > with a spare IDE (and possibly a spare SCSI) port and a power cable
> > > > splitter. As it would never be used for anything other than imaging,
> > > > it could be kept clean and certified.
> > >
> > > This is the right place for the next "right" question:
> > >
> > > What is the "clean and certified" computer?
> > >
> > > A computer is always a "sophistical" machine, and each program, driver,
> > > system, ... must be certified to clearly state that the whole computer
> > > is certified. Certification in forensic science is not only technical,
> > > but a juridical process. I have some (not pleasant) experience with
> > > certification ;-(
> > >
> > > The best way to succeed at certification (no matter what certification
> > > criteria you have) is to certify as simple a device as possible. For
> > > this reason I have the next (maybe) "right" question:
> > >
> > > Why are HW disk imaging tools (HW disk duplicators) not used?
> > >
> > > They have all the advantages (except price ;-): simplicity, speed,
> > > safety, electronic signature; they do not need such highly qualified
> > > operation and handling...
> > >
> > > > Michael D. Barwise, BSc, IEng, MIIE
> > > > Computer Security Awareness
> > > > tel +44 (0)1442 266534
> > > > http://www.ComputerSecurityAwareness.com
> > > >
> > > > Addressing the Human Equation in Information Security
> > >
> > > ____________________________________
> > > Marian Svetlik
> > > Principal Consultant
> > >
> > > Risk Analysis Consultants
> > > Narodni 9, 110 00 Praha 1
> > > Czech Republic
> > >
> > > Tel.: +420 2 220 75 352 Fax: +420 2 242 28 273
> > > mail: svetlikat_private http://www.rac.cz

Michael D. Barwise, BSc, IEng, MIIE
Computer Security Awareness
tel +44 (0)1442 266534
http://www.ComputerSecurityAwareness.com

Addressing the Human Equation in Information Security

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
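The sector-level copy Neil points to (dd) and the verification step Marian mentions (an electronic signature over the image) can be combined into a short, auditable procedure. The script below is an added example and is not code from the thread or from any of its participants. It images a constructed file in place of a suspect disk, assumes dd, awk and either sha256sum or shasum are present on the host, and the function and file names (image_device, make_fake_disk, suspect.img, evidence.img) are the example's own. On a real acquisition the if= argument would be the block device, attached through a write blocker, and the hashes in the log would go into the case notes.

```shell
#!/bin/sh
# Added example (not from the thread): sector-level imaging with dd plus
# before/after hashing, using a constructed file as the "suspect disk".
set -eu

# Pick whichever SHA-256 tool this host has (assumption: one of them exists).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# image_device SRC DST LOG
# Copies SRC to DST in 512-byte sectors. conv=noerror keeps going past a
# read error; conv=sync pads the unreadable sector with zeros so every later
# sector keeps the offset it had on the source. The source is hashed before
# and after the copy (evidence it was not altered) and the image is hashed;
# all three values and dd's record counts go to LOG. Prints OK when the
# three hashes agree, otherwise MISMATCH.
image_device() {
    src=$1; dst=$2; log=$3
    before=$(sha256_of "$src")
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log"
    after=$(sha256_of "$src")
    image=$(sha256_of "$dst")
    {
        echo "source=$src"
        echo "sha256_source_before=$before"
        echo "sha256_source_after=$after"
        echo "sha256_image=$image"
    } >>"$log"
    if [ "$before" = "$after" ] && [ "$before" = "$image" ]; then
        echo OK
    else
        echo MISMATCH
    fi
}

# make_fake_disk PATH SECTORS
# Constructed sample input: SECTORS zeroed sectors with a "deleted file"
# remnant written into the last one, which a file-level copy would never
# carry but a sector copy preserves.
make_fake_disk() {
    path=$1; sectors=$2
    dd if=/dev/zero of="$path" bs=512 count="$sectors" 2>/dev/null
    printf 'DELETED-FILE-REMNANT' |
        dd of="$path" bs=512 seek=$((sectors - 1)) conv=notrunc 2>/dev/null
}

# Returns 0 if the remnant survived into the image (-a forces text mode on
# the binary file).
marker_present() {
    grep -aq 'DELETED-FILE-REMNANT' "$1"
}

# End-to-end run on the constructed disk; prints e.g. "OK yes".
demo() {
    tmp=$(mktemp -d)
    make_fake_disk "$tmp/suspect.img" 64
    result=$(image_device "$tmp/suspect.img" "$tmp/evidence.img" "$tmp/imaging.log")
    marker_present "$tmp/evidence.img" && marker=yes || marker=no
    echo "$result $marker"
    rm -rf "$tmp"
}
```

If the source has unreadable sectors, conv=sync will have padded them and the image hash will legitimately differ from the source hash; image_device then reports MISMATCH and dd's record counts in the log are what explain why. Without conv=sync the image would shrink and every later sector would sit at the wrong offset, which is exactly the layout damage the thread complains about in file-level copiers.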
This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 21:54:38 PDT