Hmm... I've been reading through this thread... maybe I've gotten lost somewhere. I'll just babble a bit;

1) There are the unix for win32 tools available. However, I would not recommend using these for data forensics analysis UNLESS you have tested and verified that they do not change the evidence. My thinking here is you're still relying on the ol' beast - the operating system, a win32 environment. Plus, if you're looking to use these commands, then why not use them in their natural environment?

2) The source code for these commands can be viewed. You can read what is happening when you issue a command (whether mount, script, strings, strace, dd, md5sum, tee, stat, dumpe2fs, fdisk, sfdisk, sdd, etc.).

3) As already mentioned, you can mount the volume with various flags set so as to avoid altering the evidence (flags such as '-o ro,noexec,noatime'). Further, you can control your *nix system so that devices are not recognized automatically, but only manually (automounter, fstab, etc.).

4) Matt is correct. If you look at the image created by EnCase, it is not a true and accurate image. May be twisting words here, but EnCase embeds information within the EnCase image. Ever try to find the partition table in an EnCase image? (Safeback also embeds data.) Using 'dd' will create a true and accurate image.

5) As for Matt's idea of taking an EnCase image and creating a flat image from it... I believe the public will soon have access to such a tool. Currently only beta testers do.

maybe this helps?

farmerdude

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
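The acquisition-and-mount workflow farmerdude outlines in points 3 and 4, written out as an added example (this is not code from the original post or from any of the tools named in it). It images a source with `dd`, hashes source and image with `md5sum` before and after, and shows the read-only loop mount with `-o ro,noexec,noatime`. The device path, image name, mount point and the 4096-byte constructed "device" used by the demo are assumptions for illustration; the mount step needs root and is defined but not run by the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows a bit-for-bit dd
# acquisition, md5sum verification of source and image, and a read-only
# loop mount with the flags from the post. Paths are assumptions.

# Bit-for-bit copy. conv=noerror,sync keeps reading past bad sectors and pads
# them with zeros so every byte of the image sits at the same offset as on the
# source. Block devices are a multiple of 512 bytes, so with bs=512 the padding
# only ever replaces unreadable sectors; on a clean read the hashes match.
acquire_image() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
}

# md5sum of a file or device, digest only.
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}

# Exit status 0 when source and image hash identically, 1 otherwise.
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# Read-only loop mount of the image: ro refuses writes, noexec refuses to run
# binaries found on the evidence, noatime stops the kernel updating access
# times. Requires root, so the demo below defines it but does not call it.
# Assumed usage: mount_image_ro /evidence/sda1.dd /mnt/evidence
mount_image_ro() {
    mount -o ro,noexec,noatime,loop "$1" "$2"
}

# Demo on a constructed "device": a 4096-byte regular file (8 x 512 sectors).
# Prints "match" after acquisition and "mismatch" once the image is altered,
# i.e. "match mismatch" on a correct run.
demo() {
    tmp=$(mktemp -d)
    yes 'constructed evidence volume' | head -c 4096 > "$tmp/src.dev"

    before=$(hash_of "$tmp/src.dev")            # hash the source first
    acquire_image "$tmp/src.dev" "$tmp/src.dd"
    after=$(hash_of "$tmp/src.dev")             # hash the source again after imaging
    if [ "$before" = "$after" ] && verify_image "$tmp/src.dev" "$tmp/src.dd"; then
        r1=match
    else
        r1=mismatch
    fi

    printf 'tampered' >> "$tmp/src.dd"          # any change to the image breaks the hash
    if verify_image "$tmp/src.dev" "$tmp/src.dd"; then
        r2=match
    else
        r2=mismatch
    fi

    rm -rf "$tmp"
    echo "$r1 $r2"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh acquire.sh demo` (file name assumed) to see the two verification results; on a real case you would hash the physical device, run `acquire_image /dev/sdX case.dd`, hash the device again, and keep all three digests with the image, since an equal before/after hash on the source is the evidence that acquisition did not alter it.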
This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 06:34:38 PST