Quoting Alvin Oga <alvin.secat_private-Consulting.com>:

> -- use tar to clone ... you get a safe copy/clone of the master
> - if you need an inode-by-inode clone of the master, then
> you have no choice but to use dd and hope that your clone
> does NOT have a bad block

I think you might wish to reconsider this for forensic purposes. Bad blocks are still potentially useful. If a system really wishes to hide information, it can write to a set of blocks, then mark the blocks as bad.

Reference: http://www.phrack.org/show.php?p=59&a=6

Furthermore, there are tools available to hide data on a disk. A further interesting example which even DD might have problems with is in my all-time favorite example, in which the Russian spy Hanssen wrote software to hide information in extra sectors on a diskette. See http://news.findlaw.com/cnn/docs/hanssen/hanssenaff022001.pdf for more information.

*********************************
Paul Gillingwater, BA, BSc, MBA
Managing Director
CSO Lanifex Unternehmensberatung & Softwareentwicklung G.m.b.H.
NEW BUSINESS CONCEPTS
E-mail: paulat_private
Tel: +43(1)2198222-20
Fax: +43(1)2198222-11
Mobile: +43(699)1922 3085
Webhome: http://www.lanifex.com/
Address: Praterstrasse 60/1/2 A-1020 Vienna, Austria
*********************************

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
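The point made in the message above, that a forensic copy should capture sectors a file-level copy would skip and should record rather than abort on a sector that cannot be read, shown as an added example that is not part of the original message. `FlakyDisk`, `image_raw` and the 4-sector sample disk are constructed for illustration.

```python
import errno
import hashlib
import io

SECTOR = 512

class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a raw device: reading a sector in `bad` raises EIO."""
    def __init__(self, data, bad=()):
        super().__init__(data)
        self.bad = set(bad)

    def read(self, size=-1):
        if self.tell() // SECTOR in self.bad:
            raise OSError(errno.EIO, "simulated unreadable sector")
        return super().read(size)

def image_raw(src, dst, total_bytes, sector=SECTOR):
    """Copy src to dst sector by sector, ignoring any filesystem on it.

    Unreadable sectors are zero-filled so offsets stay aligned, and their
    numbers are returned for the acquisition log. Returns (sha256_hex, unread).
    """
    digest = hashlib.sha256()
    unread = []
    for offset in range(0, total_bytes, sector):
        want = min(sector, total_bytes - offset)
        src.seek(offset)
        try:
            chunk = src.read(want)
        except OSError as exc:
            if exc.errno != errno.EIO:
                raise
            chunk = b""
            unread.append(offset // sector)
        chunk = chunk.ljust(want, b"\0")  # pad failed or short reads
        dst.write(chunk)
        digest.update(chunk)
    return digest.hexdigest(), unread

def demo():
    # Constructed disk: sector 2 stands for a readable block that a filesystem
    # lists as bad (so tar never sees it); sector 3 is physically unreadable.
    data = b"A" * SECTOR + b"B" * SECTOR + b"hidden".ljust(SECTOR, b"\0") + b"D" * SECTOR
    out = io.BytesIO()
    sha, unread = image_raw(FlakyDisk(data, bad={3}), out, len(data))
    return out.getvalue(), sha, unread

if __name__ == "__main__":
    image, sha, unread = demo()
    print("sha256:", sha, "unreadable sectors:", unread)
```

The list of unreadable sectors belongs in the acquisition notes next to the image hash, so an examiner knows which regions of the image are zero fill rather than evidence.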
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 04:52:17 PDT