Actually Bob, the questions you raise as possible issues in court can be easily addressed when using any of the imaging tools available to us:

1. You said "The evidence you present must be able to stand up to a defense attorney asking you to explain exactly how Linux moves the data from one disk to another, and how you know that nothing could have gone wrong with that process."

Recent court rulings have established that as an examiner/user of the software, I don't have to know HOW the program/tool/application moves the data, only that it does so in a forensically sound manner. I know the tools I use do this as I have tested them in my lab BEFORE I needed to use them on a case. Additionally, I also use hashing algorithms EVERY TIME to verify that the process was completed successfully.

2. You said "How do you know that the data that ends up on the target drive isn't stuff that was already there from a previous investigation, instead of his client's data?"

I know this because I use a wipe utility EVERY TIME before I burn an image to my hard disk. Again, I tested the utility in the lab to verify that it does what it is advertised to do.

3. You ask "Have you reviewed the code personally? Are you an expert on operating system design? Can you explain why Linux has a history of introducing new file systems because of problems with the old ones?"

Review the code? Wouldn't know what I was looking at if you showed it to me. However, as I said before, I don't need to know how to write or interpret code to know that a utility does or does not work. I test my tools, I verify that they do or do not work. If they don't work, I don't use them, no problem. The courts uphold this.

4. You ask "How about the virtual memory system? Have you reviewed the code for it? How do you know the VM system didn't overwrite the disk buffers with old data from unused sectors on its own boot drive, inserting stuff that was actually left over from an old investigation that the old drive had been used in?"

Again, I start with a clean hard disk each and every time I need to image a subject's disk. Period. There isn't anything to insert, and I'd know if that happened because I hash the drive and compare the result with the image hash result.

SA Craig R. Verkerke
U.S. Department of Energy
Office of Inspector General
Technology Crimes Section
1000 Independence Ave, SW (IG-24)
Washington, D.C. 20585
(202) 586-5638
(202) 586-8104 (fax)
craig.verkerkeat_private
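The wipe, image and hash-compare routine the message describes, as an added shell example that is not part of the original post: constructed files stand in for the subject and target disks, and GNU coreutils (sha256sum, cmp -n, head -c) are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): the wipe / image / hash-compare
# routine from the message, run on constructed files instead of real devices.
set -eu
# Byte length of $1.
size_of() {
    wc -c < "$1" | tr -d ' '
}
# Exit 0 only if every byte of $1 is zero, i.e. the target holds no leftovers.
verify_wiped() {
    cmp -s -n "$(size_of "$1")" "$1" /dev/zero
}
# Overwrite $1 in place with zeros (the "wipe utility EVERY TIME" step).
wipe_target() {
    dd if=/dev/zero of="$1" bs="$(size_of "$1")" count=1 conv=notrunc 2>/dev/null
}
# SHA-256 of the first $2 bytes of $1 (the whole file when $2 is omitted).
hash_of() {
    head -c "${2:-$(size_of "$1")}" "$1" | sha256sum | cut -d' ' -f1
}

# Copy subject $1 onto target $2, then compare the subject hash with the hash
# of the same number of bytes on the target (a larger target would otherwise
# never match). Prints MATCH or MISMATCH.
image_and_verify() {
    src_len=$(size_of "$1")
    dd if="$1" of="$2" bs=4096 conv=notrunc 2>/dev/null
    if [ "$(hash_of "$1")" = "$(hash_of "$2" "$src_len")" ]; then
        echo MATCH
    else
        echo MISMATCH
    fi
}

# Demo on constructed data: a target still holding "old case" bytes fails the
# wipe check, passes after wiping, and the image then hashes like the subject.
demo() {
    tmp=$(mktemp -d)
    yes 'constructed subject evidence' | head -c 8192 > "$tmp/subject.img"
    yes 'LEFTOVER FROM AN OLD CASE'    | head -c 8192 > "$tmp/target.img"
    if verify_wiped "$tmp/target.img"; then echo "dirty target passed"; return 1; fi
    wipe_target "$tmp/target.img"
    verify_wiped "$tmp/target.img" || return 1
    image_and_verify "$tmp/subject.img" "$tmp/target.img"
    rm -rf "$tmp"
}

demo   # prints MATCH
```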
This archive was generated by hypermail 2b30 : Mon Jul 02 2001 - 10:14:34 PDT