Hi Patrick

Your approach would certainly make sense if [1] you knew exactly what you were looking for [2] the files were still "current" i.e. not deleted &c.

The problem really arises when the forensically relevant data are in deleted files or slack space in used clusters/sectors. Then, you have two problems: [a] the native file system cannot deliver the data for analysis [b] VM and temp file usage may destroy the data while you are examining the drive

Hence the need to *do nothing* to the original except read sectors onto another medium.

The various levels of paranoia needed when making an image have been well covered in this thread, and there are obviously several different opinions based on personal experience. Forensics is not an exact science, as it is about making highly technical issues accessible to non-technical minds with an axe to grind!

Michael D. Barwise BSc, IEng, MIIE
Computer Security Awareness
"Addressing the Human Equation in Information Security"

> From: pat.beardmoreat_private
> Date sent: Tue, 3 Jul 2001 09:42:09 +0100
> Before I give my own opinions, has anyone come across the practice of
> previewing a drive and then taking off the relevant files rather than
> doing a full image. Does anyone want to comment on the advantages and
> disadvantages of this methodology?
>
> thanks,
>
> Patrick Beardmore
>
>
> -----------------------------------------------------------------
>
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com
> -----------------------------------------------------------------
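To make the point above concrete (a sector-level, read-only copy keeps slack and deleted data that the file system will not hand over, and the copy should be verified), here is an added Python example that is not from the original thread or its authors. It assumes 512-byte sectors and a constructed drive file standing in for the device, and hashes both the source stream and the finished image so the two can be compared.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size for the constructed demo drive

def build_demo_disk(path: str) -> None:
    """Constructed 8-sector 'drive' (sample data, not a real device):
    sector 0 = a live file plus an older draft left in its slack,
    sector 1 = a deleted file no directory entry references, rest zeros."""
    live = b"report.txt: figures for Q2"
    sector0 = (live + b"<< previous draft still in slack >>").ljust(SECTOR, b"\x00")
    sector1 = b"<< deleted memo, no directory entry >>".ljust(SECTOR, b"\x00")
    with open(path, "wb") as f:
        f.write(sector0 + sector1 + b"\x00" * (SECTOR * 6))

def image_device(src_path: str, dst_path: str) -> dict:
    """Read the source sector by sector (opened read-only, unbuffered) into dst.
    The source is hashed while read; the finished image is re-read and hashed
    independently so the two digests can be compared and recorded."""
    src_hash, sectors = hashlib.sha256(), 0
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(SECTOR), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            sectors += 1
    img_hash = hashlib.sha256()
    with open(dst_path, "rb") as img:
        for chunk in iter(lambda: img.read(SECTOR), b""):
            img_hash.update(chunk)
    return {"sectors": sectors, "source_sha256": src_hash.hexdigest(),
            "image_sha256": img_hash.hexdigest(),
            "verified": src_hash.digest() == img_hash.digest()}

def sector_contains(image_path: str, sector_no: int, needle: bytes) -> bool:
    """Raw view of one sector of the image, bypassing any file system."""
    with open(image_path, "rb") as f:
        f.seek(sector_no * SECTOR)
        return needle in f.read(SECTOR)

def run_demo() -> dict:
    """Build the demo drive, image it, and report what the raw image preserves."""
    tmp = tempfile.mkdtemp()
    src, dst = os.path.join(tmp, "drive.raw"), os.path.join(tmp, "drive.dd")
    build_demo_disk(src)
    result = image_device(src, dst)
    result["slack_in_image"] = sector_contains(dst, 0, b"previous draft")
    result["deleted_in_image"] = sector_contains(dst, 1, b"deleted memo")
    return result
```

On a real drive the source would be the block device behind a write blocker; the verification step is the same.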
This archive was generated by hypermail 2b30 : Thu Jul 05 2001 - 09:52:52 PDT