Unfortunately, that is not an easy question to answer. Two main points should be considered. One - the validity of the tool. How much use has it seen in the past, does it have (or could have) a known rate of error, are the results of the tool's use repeatable (by itself and other methods), does it have the acceptance of the forensic community. The second is the analyst herself. How much experience does she have with the tool, has she personally tested it (although if the direct employer has done the testing, that seems to be valid), does she use more tools than the one presented (to show knowledge beyond what the tool gives).

When it comes down to the actual duplication tool, instead of staying up for 3 more hours writing this post, I will suggest looking up a series of articles written by James Holley (search for James Holley Forensic Tools). He has taken time to do some extensive tests on a handful of the more popular duplication tools available to the general public. The articles are very informative and cover each tool in a fair manner - and I'm not just saying that because he won boxing tournaments in college. :)

-- Matt

As a complete side note, please don't be fooled when reading claims by certain marketing departments when they overstate their importance or relevance to the field. It is indeed frustrating when grossly inaccurate statements are made suggesting the inadmissibility of software selling for less than $2000.

Quoting Craig La Vallee <clavalleeat_private>:

> So what would you suggest Matt?
>
> Thanks
> craig
>
> -----Original Message-----
> From: Matt Pepe [mailto:mtpepe@code-monks.com]
> Sent: Wednesday, May 15, 2002 4:32 PM
> To: Jeff Truedson
> Cc: FORENSICSat_private
> Subject: RE: Preserving evidence
>
>
> I think that may be the wrong question to ask. A better one would be
> "Is this tool appropriate for use during an investigation, and does it
> complete its task in a forensically sound manner?"
>
> To that, the answer is in the first paragraph of the very page that you
> quoted of the Knowledge Base for Ghost. This explains the "why" behind
> the mismatched checksums.
>
> "Normally, Ghost does not create an exact duplicate of a disk. Instead,
> Ghost recreates the partition information as needed and copies the
> contents of the files." - Symantec Web Site
> (http://service2.symantec.com/SUPPORT/ghost.nsf/c92aa8e61de62ad08825694a0011cf3b/42197b3bb06643dac1256b040044ef7f?OpenDocument)
>
> An investigator would not want to use Norton Ghost as a solution for
> forensic duplication, as it does not provide a true bit for bit copy of
> the original. That evidence, when presented in front of educated counsel,
> would likely get thrown out, as it does not adhere to the FRE 1003
> exception for the requirement of originals. There, of course, is a
> chance that it will slip by, but hedging your bet on that chance would
> likely be disappointing in the end.
>
> To answer your question more directly, yes, there will likely be
> problems. Of course, your question could have been written after the
> fact, with you heading into a courtroom 2 days from now. If so, good
> luck. I suggest getting a friend to pull the fire alarm when the topic
> is brought up. :)
>
> -- Matt
>
>
> > *********************
> > "When copying a disk to another disk, a checksum of the destination
> > disk will nearly always result in a different value than a checksum of
> > the original disk, even when using the -IR switch. This difference is
> > due to differences in disk geometry between the source and destination
> > disks."
> > ********************
> >
> > The information above came from Symantec's knowledge base. Has anyone
> > found this to be a problem in Court?
> >
> > TIA
> > Jeff
> >
> > -----------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
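The checksum mismatch the thread turns on, as an added illustration that is not part of the original posts and is not Ghost's or any real tool's code: a constructed miniature disk image, a dd-style bit-for-bit duplicate of it, and a file-level duplicate that rebuilds the partition information for a different geometry and copies only file contents, as the quoted Symantec text describes. The bit-for-bit copy verifies by hash; the file-level copy does not, and the comparison also shows what fails to reach the destination (slack residue, unallocated sectors, a deleted file's fragment). The sector layout, the file-table format and the two copy behaviours are simplified assumptions; all names and values are hypothetical.

```python
import hashlib

SECTOR = 512        # bytes per sector
SRC_SECTORS = 16    # constructed source disk geometry
DST_SECTORS = 20    # constructed, larger destination disk geometry


def sha256(data: bytes) -> str:
    """Hex digest used to verify a duplicate against its source."""
    return hashlib.sha256(data).hexdigest()


def build_source_image() -> bytes:
    """Constructed 16-sector 'disk' (hypothetical layout, not a real filesystem).

    sector 0     : partition table, which records the disk geometry
    sector 1     : file table of 'name:first_sector:sector_count:size_bytes;' records
    sectors 2-4  : a.txt, 1500 bytes of data; the last 36 bytes of sector 4 are
                   slack still holding residue from an older file
    sector 5     : b.txt, 7 bytes of data, slack zero-filled
    sectors 6-15 : unallocated; sector 9 still holds a deleted file's fragment
    """
    img = bytearray(SECTOR * SRC_SECTORS)

    def put(offset: int, payload: bytes) -> None:
        img[offset:offset + len(payload)] = payload

    put(0 * SECTOR, b"PTBL geometry=%d" % SRC_SECTORS)
    put(1 * SECTOR, b"a.txt:2:3:1500;b.txt:5:1:7;")
    put(2 * SECTOR, b"A" * 1500)               # a.txt content, ends at offset 2524
    put(2 * SECTOR + 1500, b"S" * 36)          # slack residue up to the end of sector 4
    put(5 * SECTOR, b"hello\r\n")              # b.txt content
    put(9 * SECTOR, b"DELETED: fragment of a file with no directory entry")
    return bytes(img)


def parse_file_table(img: bytes) -> list:
    """Parse the constructed file table in sector 1 into (name, first, count, size)."""
    raw = img[SECTOR:2 * SECTOR].rstrip(b"\x00").decode()
    entries = []
    for rec in filter(None, raw.split(";")):
        name, first, count, size = rec.split(":")
        entries.append((name, int(first), int(count), int(size)))
    return entries


def bit_for_bit_copy(src: bytes) -> bytes:
    """dd-style duplication: every sector is copied verbatim, slack and
    unallocated space included. When imaging onto a larger destination disk,
    the sectors beyond len(src) are not part of the image, so verification
    hashes exactly len(src) bytes on both sides, not the whole destination."""
    return bytes(src)


def file_level_copy(src: bytes, dst_sectors: int) -> bytes:
    """Duplication of the kind the Symantec KB text describes: partition
    information is recreated for the destination geometry and only the contents
    of the files are copied. Slack residue, unallocated sectors and any
    deleted-file fragments on the source never reach the destination."""
    dst = bytearray(SECTOR * dst_sectors)
    header = b"PTBL geometry=%d" % dst_sectors
    dst[0:len(header)] = header
    table = b""
    next_sector = 2                            # first data sector on the new disk
    for name, first, count, size in parse_file_table(src):
        content = src[first * SECTOR:first * SECTOR + size]   # logical file only
        dst[next_sector * SECTOR:next_sector * SECTOR + size] = content
        table += b"%s:%d:%d:%d;" % (name.encode(), next_sector, count, size)
        next_sector += count
    dst[SECTOR:SECTOR + len(table)] = table
    return bytes(dst)


def verify_duplicate(src: bytes, dup: bytes) -> dict:
    """Acquisition-hash check plus a look at what the duplicate preserved."""
    return {
        "hash_match": sha256(src) == sha256(dup),
        "same_length": len(src) == len(dup),
        "deleted_fragment_present": b"DELETED:" in dup,
        "slack_residue_present": b"S" * 36 in dup,
    }


if __name__ == "__main__":
    source = build_source_image()
    print("source      ", sha256(source)[:16])
    for label, dup in (("bit-for-bit ", bit_for_bit_copy(source)),
                       ("file-level  ", file_level_copy(source, DST_SECTORS))):
        print(label, sha256(dup)[:16], verify_duplicate(source, dup))
```

Running it shows the bit-for-bit duplicate matching the source hash with every byte of slack and unallocated space intact, while the file-level duplicate mismatches and has lost the orphaned sector and the slack residue. The mismatch is not only a geometry artefact: a file-level copy onto a destination of the same size (`file_level_copy(source, SRC_SECTORS)`) has the same length as the source and still fails the hash, because the bytes outside the live files were never copied.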
This archive was generated by hypermail 2b30 : Fri May 17 2002 - 03:26:54 PDT