Re: Where are greater risks?

From: Dan Jones (djonesat_private)
Date: Wed Jun 27 2001 - 22:20:39 PDT


    I'm probably missing something, but are you suggesting the tool does its
    work independent of any OS at all?  Neat trick!  
    
    Either it will have its own integrated equivalent of a *real minimal* OS
    or it will sit on top of one.  What alternative do you propose?
    
    Given that the Linux source is available, you could certainly build a
    minimalist version.  (Note I am not saying it could be smaller than a
    dedicated, purpose-built *real minimal* system, only that it could be
    made very lean and mean by OS standards.)  The same is true for other
    open OS's, of course.  
    
    "Michael D. Barwise, BSc, IEng, MIIE" wrote:
    > 
    > Thanks Neil, but the purpose is to make use of a tool which does only one
    > job and is so transparently simple that it can be accepted by non-technical
    > people in court as valid for legal purposes. After all this *is* forensics! No
    > way could you defend a complex system like Linux on this basis,
    > particularly taking into account the way it has been developed.
    > 
    > Mike Barwise
    > Computer Security Awareness
    > 
    > "Addressing the Human Equation in Information Security"
    > 
    > > Mike,
    > >
    > > this may be real redundant information, but that standard unix utility dd
    > > will do exactly what you're talking about, and if you're using something
    > > like linux or freeBSD, the source code is completely available.
    > >
    > > just something to ponder.
    > >
    > > Neil
    > >
    > > Once upon a time, Michael D. Barwise, BSc, IEng, MIIE, then known as mike,
    > > said...
    > > > My ideal disk copier would be a very basic PC, probably one of those
    > > > compact industrial single-board ones, with a truly blank target disk and a
    > > > spare port, running nothing except a custom-written native application
    > > > which does nothing except read literal sectors from one hard disk to
    > > > another (no OS). This application would be booted from floppy disk to start
    > > > the copy process. The required code, if written in assembler, would be so
    > > > small that it *could* be verified and certified by anyone competent to read
    > > > the source code.
    > > >
    > > > The reason we don't use disk imaging software is probably that we don't
    > > > know and can't find out what it is doing in detail (that's proprietary
    > > > information). Many disk imagers compress their archives in an unspecified
    > > > manner, and many use file-level copying, which both alters the layout of the
    > > > copy and omits free and deleted space, losing a useful source of evidence.
    > > >
    > > > Mike Barwise
    > > > Computer Security Awareness
    > > >
    > > > "Addressing the Human Equation in Information Security"
    > > >
    > > > > > Thanks Marian
    > > > >
    > > > > > At last someone is asking the right questions.
    > > > >
    > > > > > My view is that one should ideally *never* try to carry out a disk
    > > > > > imaging in place on a suspect computer.
    > > > >
    > > > > Yes, you are right, but you know it is not possible in many cases.
    > > > >
    > > > > > I would go equipped with a dedicated clean "imager" PC onto which the
    > > > > > suspect drive can be connected. This need be no more than a simple PC
    > > > > > with a spare IDE (and possibly a spare SCSI) port and a power cable
    > > > > > splitter. As it would never be used for anything other than imaging, it
    > > > > > could be kept clean and certified.
    > > > >
    > > > > This is the right place for the next "right" question:
    > > > >
    > > > > What is the "clean and certified" computer?
    > > > >
    > > > > A computer is always a "sophisticated" machine, and each program, driver,
    > > > > system, ... must be certified in order to state clearly that the whole
    > > > > computer is certified. Certification in forensic science is not only
    > > > > technical, but a juridical process. I have some (not pleasant) experience
    > > > > with certification ;-(
    > > > > The best way to succeed at certification (no matter what certification
    > > > > criteria you have) is to certify as simple a device as possible. For this
    > > > > reason I have the next (maybe) "right" question:
    > > > >
    > > > > Why are HW disk imaging tools (HW disk duplicators) not used?
    > > > >
    > > > > They have all the advantages (except price ;-).
    > > > > Simplicity, speed, safety, electronic signature; they do not need such
    > > > > highly qualified operation and handling...
    > > > >
    > > > > > Michael D. Barwise, BSc, IEng, MIIE
    > > > > > Computer Security Awareness
    > > > > > tel +44 (0)1442 266534
    > > > > > http://www.ComputerSecurityAwareness.com
    > > > > >
    > > > > > Addressing the Human Equation in Information Security
    > > > >
    > > > > ____________________________________
    > > > > Marian Svetlik
    > > > > Principal Consultant
    > > > >
    > > > > Risk Analysis Consultants
    > > > > Narodni 9, 110 00 Praha 1
    > > > > Czech Republic
    > > > >
    > > > > Tel.: +420 2 220 75 352    Fax: +420 2 242 28 273
    > > > > mail: svetlikat_private    http://www.rac.cz
    > >
    > 
    > Michael D. Barwise, BSc, IEng, MIIE
    > Computer Security Awareness
    > tel +44 (0)1442 266534
    > http://www.ComputerSecurityAwareness.com
    > 
    > Addressing the Human Equation in Information Security
    > 
    -----------------------------------------------------------------
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see:
    
    http://aris.securityfocus.com
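One way to put the thread's "read literal sectors, nothing else" copier and its verification into practice with open tools, as an added example that is not part of this thread or of any tool it names; it uses a constructed image file in place of the suspect drive, and the file names and sector layout are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): a sector-level copy with dd plus hash
# verification, the open-source equivalent of the minimal copier discussed
# above. A constructed image file stands in for the suspect drive so this runs
# offline; on a real acquisition the source would be a block device opened
# read-only and the target a truly blank disk.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/suspect.img"   # constructed stand-in for the suspect drive
IMG="$WORK/evidence.dd"   # sector-for-sector copy

# Build a 64-sector (32 KiB) "disk": sector 3 holds live data, sector 40 holds
# the remnant of a "deleted" file that a file-level copier would never carry.
make_suspect_disk() {
    dd if=/dev/zero of="$SRC" bs=512 count=64 status=none
    printf 'LIVE-DATA' | dd of="$SRC" bs=512 seek=3 conv=notrunc status=none
    printf 'DELETED-SECRET' | dd of="$SRC" bs=512 seek=40 conv=notrunc status=none
}

# The copier: fixed 512-byte sectors, no compression, no file-system awareness.
# conv=noerror,sync keeps going past unreadable sectors and zero-pads them, so
# sector offsets in the image still line up with the source.
image_disk() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync status=none
}

# Verification: hash source and image independently; a match ties the copy to
# the original and yields a value that can be recorded and re-checked later.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

verify_image() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Returns 0 if the given string survives in the image's unallocated sector 40.
image_keeps_free_space() {
    dd if="$1" bs=512 skip=40 count=1 status=none | grep -qa "$2"
}

make_suspect_disk
image_disk "$SRC" "$IMG"
verify_image "$SRC" "$IMG" && echo "hash match: $(sha256_of "$IMG")"
image_keeps_free_space "$IMG" DELETED-SECRET && echo "deleted data preserved"
```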
    This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 15:52:31 PDT