Re: "Am I ready" and other neat questions

From: Kurt Seifried (bugtraqat_private)
Date: Sun Oct 21 2001 - 18:47:29 PDT


    From: "J. J. Horner" <jhornerat_private>
    
    >1.  Any problems in imaging a SCSI drive to an IDE drive?  If
    >the SCSI bus is significantly faster, will I encounter errors trying
    >to write to an IDE33/66 drive?  Any issues that prompt people to
    >image to same-bus drives?  dd is my friend.
    
    Data is data. Unless you want to do something like: dd if=/dev/sda
    of=/dev/sdb with identical drives which would result in a nice copy to work
    with. The only other thing that comes to mind are those older machines with
    drive overlay software (ech) which would probably cause you grief.
    
    >2.  I'm considering a forensic setup where I have a headless
    >PC-type machine for mounting the drives (linux), with a laptop
    >providing interaction through the serial port via null-modem cable.
    >Anything to consider using this setup?
    
    I would put a head on it, you will want to access the BIOS probably, and I
    would recommend a totally minimal boot. Attaching a drive containing
    evidence to a Linux system that is, say, on the network and you later discover
    contains a security hole could cast some doubt on the evidence (did someone
    login and tamper with it?). Same goes for moving data over networks,
    modifying nfs/samba traffic on the fly is possible. Use encryption and
    cryptographically secure checksums like SHA1!
    
    >3.  Any other good books on the forensics process I should know about?
    >I've got O'Reilly's book, but haven't read it yet.  I've read
    >"Basic Steps in Forensic Analysis of Unix Systems", and sometimes
    >re-read parts of it.  If you've mentioned books or papers on the
    >list before, don't mention them again.  I'll search the archive.
    
    There are several new forensics books but I haven't had time to look at
    them, but two of the new ones look good (cover tech, where people hide
    evidence/etc) but tend to be windows/workstation centric. The Coroner's
    Toolkit has some great documentation.
    
    >4.  Any current members of incident teams:  any good public
    >records that relate to testifying, evidence handling, or
    >court hearings available would be good.  I'd like to see
    >what a court appearance is like for a forensic examiner.
    
    Me too =)
    
    Kurt Seifried, kurtat_private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://www.seifried.org/security/
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
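Added example, not part of Kurt's reply or anything on the list: the dd imaging plus cryptographic checksum step from the message above, carried through as a small script. It images a "drive" with dd, hashes source and image, records both hashes, and then shows that a one-byte change in the image is caught on re-verification. The drive is a constructed 1 MiB file standing in for a block device such as /dev/sda; SHA-256 is used in place of the SHA1 named in the post (sha1sum is the fallback when no SHA-256 tool is present). The function names and the offset used for the tampering are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): image a drive with dd, verify
# the copy with a cryptographic hash, and detect a later modification.
# The source "drive" is a constructed file; on a real system it would be a
# block device (e.g. /dev/sda) attached read-only, and the commands are the same.
set -u

# Print the hex digest of a file with whatever SHA tool the host has.
# SHA-256 is preferred; sha1sum (the post's SHA1) is the last resort.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        sha1sum "$1" | awk '{print $1}'
    fi
}

# Constructed stand-in for the evidence drive: 65536 lines of 16 bytes each,
# i.e. exactly 1 MiB (2048 sectors of 512 bytes), deterministic content.
make_sample_drive() {
    awk 'BEGIN { for (i = 0; i < 65536; i++) printf "sector %08d\n", i }' >"$1"
}

# Bit-for-bit copy. bs=512 matches the sector size, so conv=sync only pads a
# genuinely short final read; noerror keeps dd going past unreadable sectors,
# which is what you want when the source is a failing disk.
image_drive() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Hash source and image, write both to a hash log (so the check can be
# repeated later), and return 0 only if the two digests match.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    printf '%s  %s\n' "$src_hash" "$1" >"$3"
    printf '%s  %s\n' "$img_hash" "$2" >>"$3"
    [ "$src_hash" = "$img_hash" ]
}

# Overwrite one byte in the middle of the file without changing its length,
# modelling tampering or a silent copy error. Offset 123456 is arbitrary;
# in the constructed drive it holds the 's' of "sector", so 'X' is a change.
corrupt_one_byte() {
    printf 'X' | dd of="$1" bs=1 seek=123456 conv=notrunc 2>/dev/null
}

run_demo() {
    work=$(mktemp -d)
    make_sample_drive "$work/drive.bin"
    image_drive "$work/drive.bin" "$work/drive.dd"
    if verify_image "$work/drive.bin" "$work/drive.dd" "$work/hashes.txt"; then
        echo "image verified: $(awk 'NR==1 {print $1}' "$work/hashes.txt")"
    else
        echo "image does NOT match source"
    fi
    corrupt_one_byte "$work/drive.dd"
    if verify_image "$work/drive.bin" "$work/drive.dd" "$work/hashes2.txt"; then
        echo "tampered image passed (should not happen)"
    else
        echo "tampered image rejected"
    fi
    rm -rf "$work"
}

run_demo
```

Two caveats worth knowing when this is run against a real device rather than the constructed file: conv=sync pads any short final read with zeros, so if the device size is not a multiple of bs the image hash will not equal a hash of the raw device and you should hash the image and record that; and the hash log only proves anything if it is written before analysis starts and kept somewhere the analysis machine cannot quietly alter, which is the point Kurt makes about networked systems above.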
    This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 03:28:38 PDT