From: "J. J. Horner" <jhornerat_private>

>1. Any problems in imaging a SCSI drive to an IDE drive? If
>the SCSI bus is significantly faster, will I encounter errors trying
>to write to an IDE33/66 drive? Any issues that prompt people to
>image to same-bus drives?

dd is my friend. Data is data. Unless you want to do something like:

dd if=/dev/sda of=/dev/sdb

with identical drives, which would result in a nice copy to work with. The only other thing that comes to mind are those older machines with drive overlay software (ech), which would probably cause you grief.

>2. I'm considering a forensic setup where I have a headless
>PC-type machine for mounting the drives (linux), with a laptop
>providing interaction through the serial port via null-modem cable.
>Anything to consider using this setup?

I would put a head on it, you will want to access the BIOS probably, and I would recommend a totally minimal boot. Attaching a drive containing evidence to a Linux system that is, say, on the network and you later discover contains a security hole could cast some doubt on the evidence (did someone login and tamper with it?). Same goes for moving data over networks, modifying nfs/samba traffic on the fly is possible. Use encryption and cryptographically secure checksums like SHA1!

>3. Any other good books on the forensics process I should know about?
>I've got O'Reilly's book, but haven't read it yet. I've read
>"Basic Steps in Forensic Analysis of Unix Systems", and sometimes
>re-read parts of it. If you've mentioned books or papers on the
>list before, don't mention them again. I'll search the archive.

There are several new forensics books but I haven't had time to look at them, but two of the new ones look good (cover tech, where people hide evidence/etc) but tend to be windows/workstation centric. The Coroner's Toolkit has some great documentation.

>4. Any current members of incident teams: any good public
>records that relate to testifying, evidence handling, or
>court hearings available would be good. I'd like to see
>what a court appearance is like for a forensic examiner.

Me too =)

Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
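The dd-plus-checksum workflow the reply recommends, as an added example that is not part of the list post: the source is hashed before and after the copy (to show the copy did not alter it), the image is hashed and compared, and a manifest lets the image be re-verified later. It assumes GNU coreutils (dd, sha1sum, sha256sum, awk) and, for a real drive, root access to a device such as /dev/sda; the file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the list post): forensic-style imaging with dd,
# with SHA-1 and SHA-256 recorded for both source and image.
# Assumes GNU coreutils; paths are placeholders, e.g. /dev/sda -> sda.img.

hash_of() {  # hash_of FILE sha1sum|sha256sum -> prints the hex digest only
    "$2" < "$1" | cut -d' ' -f1
}

# image_and_hash SOURCE IMAGE MANIFEST
# Returns 1 if dd failed, 2 if the source changed during the copy,
# 3 if the image does not match the source, 0 (and writes MANIFEST) otherwise.
image_and_hash() {
    src="$1"; img="$2"; manifest="$3"
    pre1=$(hash_of "$src" sha1sum);  pre256=$(hash_of "$src" sha256sum)
    # On a drive with bad sectors you would add conv=noerror,sync with
    # bs=512; note that the padding sync inserts changes the image hash.
    dd if="$src" of="$img" bs=4M 2>/dev/null || return 1
    post1=$(hash_of "$src" sha1sum); post256=$(hash_of "$src" sha256sum)
    img1=$(hash_of "$img" sha1sum);  img256=$(hash_of "$img" sha256sum)
    [ "$pre1" = "$post1" ] && [ "$pre256" = "$post256" ] || return 2
    [ "$pre1" = "$img1" ]  && [ "$pre256" = "$img256" ]  || return 3
    printf 'sha1 %s\nsha256 %s\n' "$img1" "$img256" > "$manifest"
}

# verify_image IMAGE MANIFEST -> 0 if both digests still match, 1 otherwise
verify_image() {
    img="$1"; manifest="$2"
    want1=$(awk '$1=="sha1"{print $2}' "$manifest")
    want256=$(awk '$1=="sha256"{print $2}' "$manifest")
    [ "$(hash_of "$img" sha1sum)" = "$want1" ] &&
    [ "$(hash_of "$img" sha256sum)" = "$want256" ]
}
```

Keep the manifest on separate, write-protected media from the image; a digest stored beside the image only proves the two were changed together.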
This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 03:28:38 PDT