RE: Preserving evidence

From: Matt Pepe (mtpepe@code-monks.com)
Date: Wed May 15 2002 - 13:32:10 PDT


    I think that may be the wrong question to ask.  A better one would be "Is 
    this tool appropriate for use during an investigation, and does it complete 
    its task in a forensically sound manner?"
    
    To that, the answer is in the first paragraph of the very page that you 
    quoted of the Knowledge Base for Ghost.  This explains the "why" behind 
    the mismatched checksums.
    
    "Normally, Ghost does not create an exact duplicate of a disk. Instead, 
    Ghost recreates the partition information as needed and copies the 
    contents of the files. " - Symantec Web Site
    (http://service2.symantec.com/SUPPORT/ghost.nsf/
    c92aa8e61de62ad08825694a0011cf3b/
    42197b3bb06643dac1256b040044ef7f?OpenDocument)
    
    An investigator would not want to use Norton Ghost as a solution for 
    forensic duplication, as it does not provide a true bit for bit copy of the 
    original.  That evidence, when presented in front of educated counsel, 
    would likely get thrown out, as it does not adhere to the FRE 1003 
    exception for the requirement of originals.  There, of course, is a chance 
    that it will slip by, but hedging your bet on that chance would likely be 
    disappointing in the end.
    
    To answer your question more directly, yes, there will likely be problems. 
    Of course, your question could have been written after the fact, with you 
    heading into a courtroom 2 days from now.  If so, good luck. I suggest 
    getting a friend to pull the fire alarm when the topic is brought up.
     :)
    
    -- Matt
    
    > 
    > 
    > *********************
    > "When copying a disk to another disk, a checksum of the destination
    > disk
    > will nearly always result in a different value than a checksum of the
    > original disk, even when using the -IR switch. This difference is due
    > to
    > differences in disk geometry between the source and destination
    > disks."
    > ********************
    > 
    > The information above came from Symantec's knowledge base.  Has anyone
    > found this to be a problem in Court?
    > 
    > TIA
    > Jeff
    > 
    > 
    > 
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    
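A constructed illustration of the distinction Matt draws above, added here and not part of the list thread: a toy 16-sector volume (the file names, layout and "DELETED-REMNANT" marker are invented) is duplicated once sector by sector and once Ghost-style by recreating the partition layout and copying file contents. The per-file hashes agree either way; only the sector-level copy reproduces the whole-disk hash and the residue in slack and unallocated space.

```python
import hashlib

SECTOR = 512
# Constructed sample catalog: file name -> (start sector, logical size in bytes)
SOURCE_CATALOG = {"memo.txt": (2, 300), "ledger.dat": (5, 600)}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_source_disk() -> bytes:
    """Constructed 16-sector volume: boot area, two files, file slack and unallocated residue."""
    disk = bytearray(16 * SECTOR)
    disk[0:16] = b"BOOT-CONSTRUCTED"
    # every non-boot sector still carries remnants of a previously deleted file
    for s in range(1, 16):
        disk[s * SECTOR:(s + 1) * SECTOR] = b"DELETED-REMNANT ".ljust(SECTOR, b"\x7f")
    for name, (start, size) in SOURCE_CATALOG.items():  # allocated files overwrite part of it
        off = start * SECTOR
        disk[off:off + size] = (name.encode() + b":").ljust(size, b"x")
    return bytes(disk)

def read_file(disk: bytes, catalog: dict, name: str) -> bytes:
    start, size = catalog[name]
    return disk[start * SECTOR:start * SECTOR + size]

def bitwise_copy(disk: bytes) -> bytes:
    """dd-style duplication: every sector, allocated or not, is copied verbatim."""
    return bytes(disk)

def file_level_copy(disk: bytes, catalog: dict) -> tuple:
    """Ghost-style duplication as the KB text describes it: partition metadata is kept,
    files are copied by content and laid out afresh; slack and unallocated sectors are lost."""
    dest = bytearray(len(disk))
    dest[0:SECTOR] = disk[0:SECTOR]
    new_catalog, next_sector = {}, 1
    for name in catalog:
        data = read_file(disk, catalog, name)
        dest[next_sector * SECTOR:next_sector * SECTOR + len(data)] = data
        new_catalog[name] = (next_sector, len(data))
        next_sector += -(-len(data) // SECTOR)  # ceil division: sectors consumed
    return bytes(dest), new_catalog

def verify(src: bytes, src_cat: dict, dup: bytes, dup_cat: dict) -> dict:
    """Checks an examiner would run: per-file hashes, whole-disk hash, residue preserved."""
    return {
        "files_match": all(sha256(read_file(src, src_cat, n)) == sha256(read_file(dup, dup_cat, n))
                           for n in src_cat),
        "disk_hash_matches": sha256(src) == sha256(dup),
        "unallocated_preserved": b"DELETED-REMNANT" in dup,
    }
```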
