RE: Encase and data recovery

From: Matt Pepe (mtpepe@code-monks.com)
Date: Tue Mar 19 2002 - 06:43:23 PST

    Absolutely! I agree.  The hardware that is currently on the market will only 
    do a direct disk to disk dupe. The most ideal solution would emulate the 
    behavior of our software tools and store the image as a file (or a series of 
    files) on the destination media. Going on a search or raid and getting a ratio 
    of 1:1, that is, one image to one destination media is cost-prohibitive, as 
    well as a duplication of effort, as the duplicate must be imaged again for 
    storage and analysis (depending on your analysis method of choice).
    Building a device that can do this with built-in physical write protection 
    would be a good project, I think.
    
    -- Matt
    
    
    Quoting "Michael D. Barwise, BSc, IEng, MIIE, MBCS" 
    <mikeat_private>:
    
    > Sorry to butt in - hope it's OK.
    > 
    > For this very reason (uncertainty of image accuracy), I have been 
    > lobbying for ages for a dedicated imaging system which does not rely 
    > on an *operating system* or *architecture*. It's a ridiculously 
    > simple problem to solve (probably a few kB of code and a couple of 
    > interface cards).
    > 
    > On 25th Jun 2001 I sent this to the forensics digest, and I still 
    > believe it's the right answer.
    > ------------------------
    > My ideal disk copier would be a very basic PC, probably one of those
    > compact industrial single-board ones, with a truly blank target disk 
    > and a spare port, running nothing except a custom-written native 
    > application which does nothing except read literal sectors from one 
    > hard disk to another (no OS). This application would be booted from 
    > floppy disk to start the copy process. The required code, if written 
    > in assembler, would be so small that it *could* be verified and 
    > certified by anyone competent to read the source code.
    > --------------------------
    > The code could alternatively be ROM-based.
    > 
    > So a dedicated tool that does just this job and has no other 
    > function, which is simple enough to explain to the non-technical, 
    > would solve this once and for all.
    > 
    > Michael D. Barwise, BSc, IEng, MIIE, MBCS
    > Computer Security Awareness
    > tel +44 (0)1442 266534
    > http://www.ComputerSecurityAwareness.com
    > 
    > Addressing the Human Equation in Information Security
    > 
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
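
The thread above contrasts a disk-to-disk duplicate with an image stored as a series of files, and raises doubt about image accuracy. The sketch below is an added example, not code from either poster or from any tool named in the thread: it copies a source sector by sector into numbered segment files and checks them against a hash taken during acquisition. The function names, the 512-byte sector size and the in-memory constructed source (standing in for a write-protected device opened read-only) are assumptions.

```python
import hashlib
import io
import os

SECTOR = 512  # assumed bytes per sector


def make_sample_source(sectors=10):
    """Constructed stand-in for a source disk: sector i is filled with byte i."""
    return io.BytesIO(b"".join(bytes([i]) * SECTOR for i in range(sectors)))


def image_to_segments(src, dest_dir, segment_sectors, prefix="evidence"):
    """Copy src sector by sector into numbered segment files.

    Returns (segment_paths, sha256 hex digest of every byte read), so the
    hash is computed from the source stream, not from what was written.
    """
    whole = hashlib.sha256()
    paths, out, written = [], None, 0
    try:
        while True:
            sector = src.read(SECTOR)
            if not sector:
                break
            if out is None or written == segment_sectors:
                if out:
                    out.close()
                path = os.path.join(dest_dir, f"{prefix}.{len(paths) + 1:03d}")
                out = open(path, "xb")  # 'x': never overwrite an existing image
                paths.append(path)
                written = 0
            out.write(sector)
            whole.update(sector)
            written += 1
    finally:
        if out:
            out.close()
    return paths, whole.hexdigest()


def verify_segments(paths, expected_hex):
    """Re-read the segments in order and compare with the acquisition hash."""
    h = hashlib.sha256()
    for p in paths:
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(SECTOR * 128), b""):
                h.update(chunk)
    return h.hexdigest() == expected_hex
```

With the ten-sector constructed source and `segment_sectors=4`, this produces three segment files; altering any byte in any segment makes `verify_segments` return `False`.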
    



    This archive was generated by hypermail 2b30 : Tue Mar 19 2002 - 07:39:25 PST