As I was initiator of "where are greater risks" I would like to make some comments. You can see that when you start to talk about linux (or other OS) and about dd (or other SW) a lot of questions are being born (and technical problems too). It is fine that you have great technical skills to see and solve technical problems, but it is not a good signal for finding a "forensic solution". Michael made a nice conclusion:

> the purpose is to make use of a tool which does only one
> job and is so transparently simple that it can be accepted by non-technical
> people in court as valid for legal purposes. After all this *is* forensics!

You should feel the differences between technical and forensic problems and I think Michael is right! We have to try to find a simple (forensically sound!) process (method) for making a disk image. I am not sure a PC with some OS and some SW is the right forensic one. My experience is that it is too dangerous for us, because non-technical people in court cannot feel the differences between your technical arguments and "clever arguments" from the other side of the lawsuit.

(sorry for my English ;-)

____________________________________
Marian Svetlik
Principal Consultant

Risk Analysis Consultants
Narodni 9, 110 00 Praha 1
Czech Republic

Tel.: +420 2 220 75 352  Fax: +420 2 242 28 273
mail: svetlikat_private  http://www.rac.cz


"Michael D. Barwise, BSc, IEng, MIIE" <mike@computersecurityawareness.com>
27.06.2001 19:50
Please respond to mail

To: Neil Bliss <yodaat_private>
cc: forensicsat_private
Subject: Re: Where are greater risks?

Thanks Neil, but the purpose is to make use of a tool which does only one job and is so transparently simple that it can be accepted by non-technical people in court as valid for legal purposes. After all this *is* forensics! No way could you defend a complex system like Linux on this basis, particularly taking into account the way it has been developed.

Mike Barwise
Computer Security Awareness
"Addressing the Human Equation in Information Security"

> Mike,
>
> this may be real redundant information, but that standard unix utility dd
> will do exactly what you're talking about, and if you're using something
> linux or freeBSD, the source code is completely available.
>
> just something to ponder.
>
> Neil
>
> Once upon a time, Michael D. Barwise, BSc, IEng, MIIE, then known as mike,
> said...
>
> My ideal disk copier would be a very basic PC, probably one of those
> compact industrial single-board ones, with a truly blank target disk and a
> spare port, running nothing except a custom-written native application
> which does nothing except read literal sectors from one hard disk to
> another (no OS). This application would be booted from floppy disk to start
> the copy process. The required code, if written in assembler, would be so
> small that it *could* be verified and certified by anyone competent to read
> the source code.
>
> The reason we don't use disk imaging software is probably that we don't
> know and can't find out what it is doing in detail (that's proprietary
> information). Many disk imagers compress their archives in an unspecified
> manner, and many use file-level copying, which both alters the layout of the
> copy and omits free and deleted space, losing a useful source of evidence.
>
> Mike Barwise
> Computer Security Awareness
>
> "Addressing the Human Equation in Information Security"
>
> > > Thanks Marian
> > >
> > > At last someone is asking the right questions.
> > >
> > > My view is that one should ideally *never* try to carry out a disk
> > > imaging in place on a suspect computer.
> >
> > Yes, you are right, but you know it is not possible in many cases.
> >
> > > I would go equipped with a dedicated clean "imager" PC onto which the
> > > suspect drive can be connected. This need be no more than a simple PC
> > > with a spare IDE (and possibly a spare SCSI) port and a power cable
> > > splitter. As it would never be used for anything other than imaging, it
> > > could be kept clean and certified.
> >
> > This is the right place for the next "right" question:
> >
> > What is the "clean and certified" computer?
> >
> > Computer is always a "sophisticated" machine and each program, driver,
> > system, ... must be certified to clearly state that the whole computer is
> > certified. Certification in forensic science is not only technical, but
> > the juridical process. I have some (not pleasant) experience with
> > certification ;-(
> >
> > The best way for successful certification (no matter what certification
> > criteria you have) is to certify as simple a device as possible. For this
> > reason I have the next (may be) "right" question:
> >
> > Why are HW disk imaging tools (HW disk duplicators) not used?
> >
> > They have all the advantages (except price ;-). Simplicity, speed,
> > safety, electronic signature, they do not need such highly qualified
> > operation and handling...
> >
> > > Michael D. Barwise, BSc, IEng, MIIE
> > > Computer Security Awareness
> > > tel +44 (0)1442 266534
> > > http://www.ComputerSecurityAwareness.com
> > >
> > > Addressing the Human Equation in Information Security
> >
> > ____________________________________
> > Marian Svetlik
> > Principal Consultant
> >
> > Risk Analysis Consultants
> > Narodni 9, 110 00 Praha 1
> > Czech Republic
> >
> > Tel.: +420 2 220 75 352  Fax: +420 2 242 28 273
> > mail: svetlikat_private  http://www.rac.cz

Michael D. Barwise, BSc, IEng, MIIE
Computer Security Awareness
tel +44 (0)1442 266534
http://www.ComputerSecurityAwareness.com

Addressing the Human Equation in Information Security

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
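Neil's point that dd already does the literal sector copy Mike describes, and Marian's remark about electronic signatures, as an added example that is not code from anyone in this thread: a POSIX sh script that images a device with dd, sector by sector, and records SHA-256 hashes of source and image so the copy can be shown to match. The device paths, the log file and the hashing step itself are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: a sector-level image
# made with dd, checked against the source by an independent hash.
# Assumptions: SRC is a block device (e.g. /dev/sdb) attached to a dedicated
# imaging host, DST is a file on a separate blank target, LOG records the run.
# For an offline demo a regular file whose size is a whole number of 512-byte
# sectors (as a real disk is) can stand in for SRC.

# SHA-256 of a file, using coreutils sha256sum or BSD shasum, whichever exists.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image SRC DST: exit status 0 if both hash identically, 1 otherwise.
verify_image() {
    [ "$(digest "$1")" = "$(digest "$2")" ]
}

# image_disk SRC DST LOG
# Copies SRC to DST in 512-byte sectors. conv=noerror,sync keeps dd running
# past an unreadable sector and writes a zero-filled sector in its place, so
# the image keeps the size and layout of the original; such a gap then shows
# up as a hash mismatch rather than as a silently shorter image. The source is
# hashed before and after the copy, so a source that changed under us (no
# write blocker) is caught as well as a bad copy.
# Returns 0 when the image verifies, 1 otherwise.
image_disk() {
    src=$1; dst=$2; log=$3
    before=$(digest "$src")
    printf 'source sha256 (before copy): %s\n' "$before" >>"$log"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log" || return 1
    after=$(digest "$src")
    image=$(digest "$dst")
    printf 'source sha256 (after copy):  %s\nimage sha256:                %s\n' \
        "$after" "$image" >>"$log"
    [ "$before" = "$after" ] && [ "$image" = "$before" ]
}
```

Run as `image_disk /dev/sdb /mnt/target/evidence.img /mnt/target/evidence.log` on the imaging host; the log keeps the three digests for the record.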
This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 16:04:43 PDT