From: <svetlikat_private>
Subject: Where are greater risks?
To: cfttat_private, forensicsat_private
Date sent: Fri, 22 Jun 2001 10:05:24 +0200

> Let's have a real situation:
>
> Problem:
> You have to make an image of a disk at the crime scene.
>
> You have:
> - a set of diskettes with well-known forensic tools
> - large external storage media (a large HDD with a parallel port connection)
>
> Short solution:
> - properly connect the external storage media to the suspected computer
> - boot the suspected computer from the prepared forensic diskette
> - run the forensic disk imaging tool and make an image of the disk onto the external media
>
> Very nice and simple, but... What does "boot the suspected computer" mean?
>
> Let's go to a detailed description of each step of this "simple" process:
>
> - insert the diskette into drive A: (in 20% of cases it is useless - out of order,
> dusty, ...)
>
> - switch on the computer (Where is the switch? Is it mechanical or electronic?
> ...)
>
> - BIOS is starting... (What is the boot sequence? How can you verify
> it? You have to go into BIOS setup and you have only about 5 sec for it! How
> can you quickly and securely start BIOS setup? Is BIOS password protected?
> ...)
>
> - the boot sequence is right and your system is booting from floppy (What
> system do you have to use? MSDOS, Linux, ...? What version? Are you
> absolutely sure about the read-only feature of the system start-up process?)
>
> - OK, your system started correctly. You have to load a device driver to
> connect your external HDD. (But the parallel port is out of service, or it
> has a nonstandard INT or address and your driver did not identify it. ... What
> to do?)
>
> - OK, you can start your famous forensic disk imaging software with MD5
> feature!
>
> My question is why we widely discuss the safety of disk imaging SW while the
> questions above are neglected? Where are the great risks? Which risk is
> greater? Some may be solved by training, but not all of them.
> ____________________________________
> Marian Svetlik
> Principal Consultant
>
> Risk Analysis Consultants
> Narodni 9, 110 00 Praha 1
> Czech Republic
>
> Tel.: +420 2 220 75 352
> Fax: +420 2 242 28 273
> mail: svetlikat_private
> http://www.rac.cz

Thanks, Marian

At last someone is asking the right questions. My view is that one should ideally *never* try to carry out disk imaging in place on a suspect computer. I would go equipped with a dedicated clean "imager" PC onto which the suspect drive can be connected. This need be no more than a simple PC with a spare IDE (and possibly a spare SCSI) port and a power cable splitter. As it would never be used for anything other than imaging, it could be kept clean and certified.

Michael D. Barwise, BSc, IEng, MIIE
Computer Security Awareness
tel +44 (0)1442 266534
http://www.ComputerSecurityAwareness.com
Addressing the Human Equation in Information Security

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
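The imaging-with-MD5 step that both messages take for granted, as an added example that is not code from either author: it images a source with dd, records the MD5 of source and image in an acquisition log, and lets the stored image be re-verified against that log later. The function names acquire_image, make_sample_disk and verify_image_hash are assumptions, the sample "disk" is a constructed 2048-byte file, and bs=512 is deliberate because conv=sync pads a short final read with zeros, which changes the hash of any source that is not a whole number of sectors.

```shell
#!/bin/sh
# Assumed helper names (not from the original thread): acquire_image,
# make_sample_disk, verify_image_hash.

# Image SRC (a block device, or a plain file when testing) to DEST, hash
# both sides, and append everything to LOG. Returns 0 only if the hashes agree.
acquire_image() {
    src=$1; dest=$2; log=$3
    # bs=512 matches the disk sector size, so conv=sync's zero padding of a
    # short read never adds bytes to an intact, sector-aligned source.
    # conv=noerror carries on past unreadable sectors instead of aborting.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log" || return 2
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    dest_md5=$(md5sum "$dest" | cut -d' ' -f1)
    {
        echo "source: $src md5=$src_md5"
        echo "image:  $dest md5=$dest_md5"
        echo "date:   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >>"$log"
    [ "$src_md5" = "$dest_md5" ]
}

# Re-verify a stored image against the MD5 recorded in its acquisition log
# (the most recent "image:" line wins if the log holds several runs).
verify_image_hash() {
    img=$1; log=$2
    recorded=$(grep '^image:' "$log" | tail -n 1 | sed 's/.*md5=//')
    actual=$(md5sum "$img" | cut -d' ' -f1)
    [ "$recorded" = "$actual" ]
}

# Constructed sample "disk": 64 lines of 32 bytes = 2048 bytes = 4 sectors,
# a fixed pattern so the resulting hash is deterministic.
make_sample_disk() {
    awk 'BEGIN { for (i = 0; i < 64; i++) printf "SAMPLE-SECTOR-DATA-%012d\n", i }' >"$1"
}

# usage on a real case: acquire_image /dev/sdb /mnt/evidence/sdb.img /mnt/evidence/sdb.log
```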
This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 22:02:23 PDT