Re: Tracks covered pretty well...

From: Ed Shirley (thewthrmanat_private)
Date: Wed Sep 05 2001 - 06:52:49 PDT


    Thanks to all who responded.  I was perhaps not clear
    about the point that the file system and most of the
    benign files were intact, ruling out the bulk magnetic
    eraser.  The unallocated filespace and slack were not
    overwritten with zeros or ones or ~s or whatever,
    which made it look like a scrubber program had not
    been used.  The drive looks pretty normal.  I guess I
    was just looking for marks left by a tool I was not
    familiar with so I could go "AHA!" and feel like a big
    shot.
    
    I believe that the suggestion that the disk was imaged
    and then blown down to a different drive is more
    likely than any sophisticated manual file-scrubbing,
    since this guy was a bean counter by trade and not a
    geek.  I thought it even more probable that he had
    downloaded a (not-necessarily free) tool that did it
    for him except for one clue.  
    
    This happened to be a laptop hard disk and the
    mounting bracket had 2 tiny torx screws and 2 phillips
    screws holding on the adapter.  When I received the
    box for the re-image, the torx screws were gone and
    the bracket was held on by only the two phillips
    screws.  I smelled a rat and it looks like this may
    have been the tool-marks I was looking for.  The drive
    was removed and imaged by some geek friend of the perp
    who munged up the torx screws.  They then blew down
    the image to either a new drive or the
    completely-sterilized original drive.  
    
    I feel better at least having a theory.  The guy is
    nailed to the nth and I don't have to be too concerned
    about it.  I was thinking further down the road if
    similar circumstances come up again.
    
    Thanks, 
    Ed
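The check Ed describes informally (look at free space and slack for sectors overwritten with zeros, ones, tildes or some other constant byte, the usual residue of a wiping tool) can be done mechanically with a sector census over an image. The following is an added example, not code from the original message or from any tool named in the thread; it works on a raw byte string that stands in for a disk image, does not parse any file system, and the sample image it builds is constructed for the demonstration.

```python
"""Sector-level fill-pattern census of a disk image.

Added example; not part of the original message. It implements the check the
post describes informally: look for blocks that were overwritten with zeros,
ones, tildes or some other constant byte, the typical residue of a wiping
tool. Free space that is still full of old, varied data has not been
scrubbed in place.
"""
from collections import Counter
import hashlib

SECTOR = 512


def classify_sector(sector: bytes) -> str:
    """Label a sector by its fill pattern.

    Returns 'zero' (all 0x00), 'ones' (all 0xFF), 'fill:0xNN' for any other
    single repeated byte, or 'data' if the bytes vary.
    """
    if not sector:
        raise ValueError("empty sector")
    first = sector[0]
    if sector.count(first) != len(sector):
        return "data"
    if first == 0x00:
        return "zero"
    if first == 0xFF:
        return "ones"
    return f"fill:0x{first:02x}"


def census(image: bytes, sector_size: int = SECTOR) -> Counter:
    """Count sectors of each class across the whole image.

    A trailing partial sector, if any, is classified too so that nothing is
    silently dropped.
    """
    counts: Counter = Counter()
    for off in range(0, len(image), sector_size):
        counts[classify_sector(image[off:off + sector_size])] += 1
    return counts


def wiped_fraction(counts: Counter) -> float:
    """Share of sectors that carry a constant-byte fill of any kind."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return (total - counts.get("data", 0)) / total


def _pseudo_random_sector(seed: int, size: int = SECTOR) -> bytes:
    """Deterministic stand-in for leftover file content (constructed data)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


def build_sample_image() -> bytes:
    """Constructed image: 6 sectors of old data, 2 zeroed, 1 of 0xFF, 1 of '~'."""
    live = b"".join(_pseudo_random_sector(i) for i in range(6))
    return live + bytes(SECTOR) * 2 + b"\xff" * SECTOR + b"~" * SECTOR


if __name__ == "__main__":
    img = build_sample_image()
    counts = census(img)
    print(dict(counts))
    print(f"constant-fill sectors: {wiped_fraction(counts):.0%}")
```

On a real case you would feed `census` only the unallocated and slack regions exported by whatever forensic tool you use, since allocated files legitimately contain zero-filled sectors; a low constant-fill fraction in free space is the "no scrubber was run" observation from the message, while a high one with the file system intact points at an in-place wiper rather than a reimaged drive.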
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    