Re: Where are greater risks?

From: Michael D. Barwise, BSc, IEng, MIIE (mikeat_private)
Date: Fri Jun 29 2001 - 11:59:55 PDT


    Date sent:      	Wed, 27 Jun 2001 19:20:39
    From:           	djonesat_private (Dan Jones)
    Organization:   	The MITRE Corporation
    To:             	mail@computer-security-awareness.co.uk
    Copies to:      	yodaat_private (Neil Bliss), forensicsat_private
    Subject:        	Re: Where are greater risks?
    
    Hi Dan
    
    Yes, my idea (and it's only a suggestion) is that the copying engine does 
    absolutely nothing except read sector X from disk A and write the data read 
    to sector X of disk B, using a tiny native machine code routine. For IDE 
    interfaces, this would be truly trivial. This reasoning is based on the 
    possibility of a legal challenge to the concept of "exact copy". It would 
    seem possible to cast doubt on the exactness of a disk copy if any "high 
    level" process is used to perform the copying or it is performed over a 
    complex OS, simply because a technically inexpert counsel or jury will be 
    required to take this exactness on trust. However, the simple mechanism 
    outlined would be explicable without ambiguity even to such an audience. 
    The reason I thought of this was the numerous references to "stream 
    copying". Of course, we are *not* really dealing with a stream here: we are 
    transferring consecutive finite data blocks (sectors). Hence the suggestion.
    
    Mike Barwise
    Computer Security Awareness
    
    "Addressing the Human Equation in Information Security"
    
    > I'm probably missing something, but are you suggesting the tool does its
    > work independent of any OS at all?  Neat trick!  
    > 
    > Either it will have its own integrated equivalent of a *real minimal* OS
    > or it will sit on top of one.  What alternative do you propose?
    > 
    > Given that the Linux source is available, you could certainly build a
    > minimalist version.  (Note I am not saying it could be smaller than a
    > dedicated, purpose-built *real minimal* system, only that it could be made
    > very lean and mean by OS standards.)  The same is true for other open
    > OS's, of course.  
    > 
    > "Michael D. Barwise, BSc, IEng, MIIE" wrote:
    > > 
    > > Thanks Neil, but the purpose is to make use of a tool which does only
    > > one job and is so transparently simple that it can be accepted by
    > > non-technical people in court as valid for legal purposes. After all
    > > this *is* forensics! No way could you defend a complex system like Linux
    > > on this basis, particularly taking into account the way it has been
    > > developed.
    > > 
    > > Mike Barwise
    > > Computer Security Awareness
    > > 
    > > "Addressing the Human Equation in Information Security"
    > > 
    > > > Mike,
    > > >
    > > > this may be real redundant information, but that standard unix utility
    > > > dd will do exactly what you're talking about, and if you're using
    > > > something linux or freeBSD, the source code is completely available.
    > > >
    > > > just something to ponder.
    > > >
    > > > Neil
    > > >
    > > > Once upon a time, Michael D. Barwise, BSc, IEng, MIIE, then known as
    > > > mike, said...
    > > > > My ideal disk copier would be a very basic PC, probably one of those
    > > > > compact industrial single-board ones, with a truly blank target disk and a
    > > > > spare port, running nothing except a custom-written native application
    > > > > which does nothing except read literal sectors from one hard disk to
    > > > > another (no OS). This application would be booted from floppy disk to start
    > > > > the copy process. The required code, if written in assembler, would be so
    > > > > small that it *could* be verified and certified by anyone competent to read
    > > > > the source code.
    > > > >
    > > > > The reason we don't use disk imaging software is probably that we don't
    > > > > know and can't find out what it is doing in detail (that's proprietary
    > > > > information). Many disk imagers compress their archives in an unspecified
    > > > > manner, and many use file-level copying, which both alters the layout of the
    > > > > copy and omits free and deleted space, losing a useful source of evidence.
    > > > >
    > > > > Mike Barwise
    > > > > Computer Security Awareness
    > > > >
    > > > > "Addressing the Human Equation in Information Security"
    > > > >
    > > > > > > >Thanks Marian
    > > > > > > >
    > > > > > > >At last someone is asking the right questions.
    > > > > > > >
    > > > > > > >My view is that one should ideally *never* try to carry out a disk
    > > > > > > >imaging in place on a suspect computer.
    > > > > >
    > > > > > Yes, you are right, but you know it is not possible in many cases.
    > > > > >
    > > > > > >I would go equipped with a dedicated clean
    > > > > > >"imager" PC onto which the suspect drive can be connected. This need be
    > > > > > >no more than a simple PC with a spare IDE (and possibly a spare SCSI)
    > > > > > >port and a power cable splitter. As it would never be used for anything
    > > > > > >other than imaging, it could be kept clean and certified.
    > > > > >
    > > > > > This is the right place for the next "right" question:
    > > > > >
    > > > > > What is the "clean and certified" computer?
    > > > > >
    > > > > > Computer is always "sophistical" machine and each program, driver, system,...
    > > > > > must be certified to clearly state that all computer is certified.
    > > > > > Certification in forensic science is not only technical,
    > > > > > but the juridical process. I have some (not pleasant) experience with
    > > > > > certification ;-(
    > > > > > The best way for success certification (no matter what certification
    > > > > > criteria you have)
    > > > > > is to certificate as simple device as possible. For this reason I have
    > > > > > next (may be) "right" question:
    > > > > >
    > > > > > Why a HW disk imaging tools (HW disk duplicators) are not used?
    > > > > >
    > > > > > They have all advantages (except price ;-).
    > > > > > Simplicity, speed, safety, electronic signature, they need not so high
    > > > > > qualify operation and handling...
    > > > > >
    > > > > > >Michael D. Barwise, BSc, IEng, MIIE
    > > > > > >Computer Security Awareness
    > > > > > >tel +44 (0)1442 266534
    > > > > > >http://www.ComputerSecurityAwareness.com
    > > > > > >
    > > > > > >Addressing the Human Equation in Information Security
    > > > > >
    > > > > > ____________________________________
    > > > > > Marian Svetlik
    > > > > > Principal Consultant
    > > > > >
    > > > > > Risk Analysis Consultants
    > > > > > Narodni 9,      110 00 Praha 1
    > > > > > Czech Republic
    > > > > >
    > > > > > Tel.:   +420 2 220 75 352   Fax: +420 2 242 28 273
    > > > > > mail:   svetlikat_private          http://www.rac.cz
    > > > >
    > > 
    > > Michael D. Barwise, BSc, IEng, MIIE
    > > Computer Security Awareness
    > > tel +44 (0)1442 266534
    > > http://www.ComputerSecurityAwareness.com
    > > 
    > > Addressing the Human Equation in Information Security
    > > 
    > > -----------------------------------------------------------------
    > > 
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see:
    > > 
    > > http://aris.securityfocus.com
    > 
    
    
    
    



    This archive was generated by hypermail 2b30 : Sat Jun 30 2001 - 09:52:23 PDT
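
The sector-for-sector mechanism described in the message above (read sector X from disk A, write it to sector X of disk B), written out in C as an added example that is not part of the original thread or any poster's code. It runs hosted on an OS with two temporary files standing in for the disks, which is an assumption for illustration; the 512-byte sector size, the function names and the sample data are constructed.

```c
#include <stdio.h>
#include <string.h>

#define SECTOR 512   /* assumed sector size */

/* Read sector x of src, write it to sector x of dst, read it back and
   compare. Returns 0 on success, -1 on any I/O error or mismatch. */
static int copy_sector(FILE *src, FILE *dst, long x)
{
    unsigned char a[SECTOR], b[SECTOR];
    long off = x * SECTOR;
    if (fseek(src, off, SEEK_SET) || fread(a, 1, SECTOR, src) != SECTOR) return -1;
    if (fseek(dst, off, SEEK_SET) || fwrite(a, 1, SECTOR, dst) != SECTOR) return -1;
    if (fflush(dst) || fseek(dst, off, SEEK_SET)) return -1;
    if (fread(b, 1, SECTOR, dst) != SECTOR) return -1;
    return memcmp(a, b, SECTOR) ? -1 : 0;
}

/* Copy sectors 0..count-1 in order and stop at the first failure.
   Returns the number of sectors copied and verified; anything less
   than count means the copy cannot be called exact. */
long copy_disk(FILE *src, FILE *dst, long count)
{
    long x;
    for (x = 0; x < count; x++)
        if (copy_sector(src, dst, x) != 0) break;
    return x;
}

/* Constructed demo: a 4-sector "disk A" whose last sector holds leftover
   data outside any file, the kind of content a file-level copy would omit.
   Returns sectors verified, or -1 if the setup failed. */
long demo(void)
{
    unsigned char img[4 * SECTOR];
    FILE *a = tmpfile(), *b = tmpfile();
    long n;
    if (!a || !b) return -1;
    memset(img, 0, sizeof img);
    memcpy(img + 3 * SECTOR, "deleted-file-remnant", 20);
    if (fwrite(img, 1, sizeof img, a) != sizeof img) return -1;
    n = copy_disk(a, b, 4);
    fclose(a); fclose(b);
    return n;
}

int main(void) { printf("%ld sectors verified\n", demo()); return 0; }
```

The read-back compare only confirms what the OS returns for the target; on a hosted system that may come from cache rather than the medium.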