Re: Where are greater risks?

From: mpepe CM (mtpepe@code-monks.com)
Date: Thu Jun 28 2001 - 10:10:04 PDT


    Mike,
     Actually, we (government organizations, private industry, and myself) have been
    using Linux and the BSD variants in all types of criminal and CI cases at the
    Federal level for over 6 years (that I am personally aware of). What becomes
    important during legal proceedings is the experience of the analyst performing
    the work. If an analyst has been through an EnCase training session and has
    processed only a few cases, that person will probably have difficulty explaining
    the forensic process in a coherent manner to either an AUSA or defense attorney.
    If your standard "computer security" guy feels that an incident has the
    possibility of entering a courtroom or other legal proceeding and he does not
    have the prerequisite experience to perform a true forensic duplication, he
    should seek help of someone who is more experienced. 
    
    -- Matt Pepe
    
    If the judging body does not understand "dd", good luck getting them to
    understand any computer evidence.
    
    -- Kevin Mandia
    
    
    Quoting "Michael D. Barwise, BSc, IEng, MIIE"
    <mikeat_private>:
    
    > Thanks Neil, but the purpose is to make use of a tool which does only
    > one job and is so transparently simple that it can be accepted by
    > non-technical people in court as valid for legal purposes. After all this
    > *is* forensics! No way could you defend a complex system like Linux on
    > this basis, particularly taking into account the way it has been
    > developed.
    > 
    > Mike Barwise
    > Computer Security Awareness
    > 
    > "Addressing the Human Equation in Information Security"
    > 
    > > Mike,
    > > 
    > > this may be real redundant information, but that standard unix utility
    > > dd will do exactly what you're talking about, and if you're using
    > > something linux or freeBSD, the source code is completely available.
    > > 
    > > just something to ponder.
    > > 
    > > Neil
    > > 
    > > Once upon a time, Michael D. Barwise, BSc, IEng, MIIE, then known as
    > > mike, said...
    > > > My ideal disk copier would be a very basic PC, probably one of those
    > > > compact industrial single-board ones, with a truly blank target disk and
    > > > a spare port, running nothing except a custom-written native application
    > > > which does nothing except read literal sectors from one hard disk to
    > > > another (no OS). This application would be booted from floppy disk to
    > > > start the copy process. The required code, if written in assembler,
    > > > would be so small that it *could* be verified and certified by anyone
    > > > competent to read the source code.
    > > >
    > > > The reason we don't use disk imaging software is probably that we don't
    > > > know and can't find out what it is doing in detail (that's proprietary
    > > > information). Many disk imagers compress their archives in an
    > > > unspecified manner, and many use file-level copying, which both alters
    > > > the layout of the copy and omits free and deleted space, losing a useful
    > > > source of evidence.
    > > >
    > > > Mike Barwise
    > > > Computer Security Awareness
    > > >
    > > > "Addressing the Human Equation in Information Security"
    > > >
    > > > > > Thanks Marian
    > > > > >
    > > > > > At last someone is asking the right questions.
    > > > > >
    > > > > > My view is that one should ideally *never* try to carry out a disk
    > > > > > imaging in place on a suspect computer.
    > > > >
    > > > > Yes, you are right, but you know it is not possible in many cases.
    > > > >
    > > > > > I would go equipped with a dedicated clean "imager" PC onto which the
    > > > > > suspect drive can be connected. This need be no more than a simple PC
    > > > > > with a spare IDE (and possibly a spare SCSI) port and a power cable
    > > > > > splitter. As it would never be used for anything other than imaging,
    > > > > > it could be kept clean and certified.
    > > > >
    > > > > This is the right place for the next "right" question:
    > > > >
    > > > > What is the "clean and certified" computer?
    > > > >
    > > > > A computer is always a "sophistical" machine, and each program, driver,
    > > > > system, ... must be certified to clearly state that the whole computer
    > > > > is certified. Certification in forensic science is not only technical,
    > > > > but a juridical process. I have some (not pleasant) experience with
    > > > > certification ;-(
    > > > > The best way to succeed at certification (no matter what certification
    > > > > criteria you have) is to certify as simple a device as possible. For
    > > > > this reason I have the next (maybe) "right" question:
    > > > >
    > > > > Why are HW disk imaging tools (HW disk duplicators) not used?
    > > > >
    > > > > They have all the advantages (except price ;-).
    > > > > Simplicity, speed, safety, electronic signature, they do not need such
    > > > > highly qualified operation and handling...
    > > > >
    > > > > > Michael D. Barwise, BSc, IEng, MIIE
    > > > > > Computer Security Awareness
    > > > > > tel +44 (0)1442 266534
    > > > > > http://www.ComputerSecurityAwareness.com
    > > > > >
    > > > > > Addressing the Human Equation in Information Security
    > > > >
    > > > > ____________________________________
    > > > > Marian Svetlik
    > > > > Principal Consultant
    > > > >
    > > > > Risk Analysis Consultants
    > > > > Narodni 9,      110 00 Praha 1
    > > > > Czech Republic
    > > > >
    > > > > Tel.:   +420 2 220 75 352    Fax:   +420 2 242 28 273
    > > > > mail:   svetlikat_private          http://www.rac.cz
    > >
    > 
    > 
    > Michael D. Barwise, BSc, IEng, MIIE
    > Computer Security Awareness
    > tel +44 (0)1442 266534
    > http://www.ComputerSecurityAwareness.com
    > 
    > Addressing the Human Equation in Information Security
    > 
    
    -----------------------------------------------------------------
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
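Neil's point that a stock dd does the sector-level copy Mike describes, together with Mike's and Marian's concern that whatever does the copy must be verifiable, can be illustrated with the following shell script. It is an added example, not code from the thread or from any of its authors: it images a source with dd at 512-byte sectors, hashes the source before and after the read and the image afterwards, and records the digests in an acquisition log so the copy can be shown to be bit-for-bit identical. The evidence file, the paths and the log layout are constructed for the demo; it assumes a POSIX sh with dd, cut, date and either sha256sum or shasum available.

```shell
#!/bin/sh
# Added example (not from the thread): sector-level duplication with dd plus
# hash verification. Assumes POSIX sh, dd, cut, date and sha256sum or shasum.
# The evidence file, paths and log layout below are constructed for the demo.
set -eu

# SHA-256 of a file: sha256sum on Linux, shasum -a 256 on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE sector by sector (bs=512). conv=noerror,sync keeps
# going past unreadable sectors and zero-fills them, so every later sector
# keeps its original offset in the image. The source is hashed before and
# after the read (to show the read left it unchanged) and the image is hashed
# once; all three digests go to LOG. Prints "MATCH <sha256>" and returns 0,
# or prints "MISMATCH <source-sha256> <image-sha256>" and returns 1.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    src_hash=$(sha256_of "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    img_hash=$(sha256_of "$img")
    src_hash_after=$(sha256_of "$src")
    {
        echo "acquired:    $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:      $src sha256=$src_hash"
        echo "source-post: sha256=$src_hash_after"
        echo "image:       $img sha256=$img_hash"
    } >>"$log"
    if [ "$src_hash" = "$img_hash" ] && [ "$src_hash" = "$src_hash_after" ]; then
        echo "MATCH $img_hash"
        return 0
    fi
    echo "MISMATCH $src_hash $img_hash"
    return 1
}

# Demo on a constructed 256 KiB "disk" (a plain file, not a real device).
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.bin" bs=512 count=512 2>/dev/null
    acquire_image "$work/evidence.bin" "$work/evidence.dd" "$work/acquire.log"
    cat "$work/acquire.log"
    rm -rf "$work"
}

demo
```

On a real drive the SOURCE argument would be the block device behind a hardware write blocker, and the three digests in the log are what an analyst produces in court to show that the image, not the tool, is what is being relied on: a source whose post-read hash differs from its pre-read hash, or an image whose hash differs from the source (as happens when conv=sync pads a trailing partial sector), is reported as MISMATCH rather than silently accepted.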
    



    This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 07:38:32 PDT