Okay, since I wasn't specific enough. The reason to do a full bit-by-bit copy such as with dd is that the script kiddies now have tools to hide executable files within the sludge space on the drive. I actually had one machine that was compromised in this manner. The only way I detected it was a bit-by-bit read of the drive. If you want to do a quick check on the drive, use tools like ghost (without the full copy option), or rsync, or tape backup, but if you plan to go to court these will not hold up in court; it's even unknown if dd copies will hold up in court. Though the original drive pulled from the system is more likely to withstand the prosecution. And you know a computer-savvy lawyer will ask for the sludge as part of the discovery.

jason

--------------------------

Actually, in my past I have seen people running programs out of the sludge, albeit with tools, but it can be done. So, hiding with the right number of tools, you can do such fun stuff as hide the process and the corresponding files.

Jason

On 14 Oct 2002 at 14:25, Volker Tanger wrote:

Date sent:      Mon, 14 Oct 2002 14:25:48 +0200
From:           Volker Tanger <volker.tangerat_private>
Organization:   DiSCON GmbH
To:             Alvin Oga <alvin.secat_private-Consulting.com>
Copies to:      forensicsat_private
Subject:        Re: More info on dd?

> Greetings!
>
> Alvin Oga wrote:
> >
> > anyway.. so goes my limited understanding ...
> > tar(block/sector level apps ) vs dd(bit level apps ) type of apps
>
> Ooookay, back to beginnings. We're on "forensics@..." here.
> So you will want to have ALL data you can get a hold on/of.
>
> Quite some evidence can be hidden in (presumably) deleted files, etc.
> (see e.g. the current Scan-of-the-Month at
> http://www.honeynet.org/scans/scan24/).
>
> So for FORENSICS a binary copy is the right choice (e.g.
> http://www.wyae.de/docs/img_dd.php) - whereas for FUNCTIONAL cloning
> other means will be faster and/or more reliable (e.g.
> http://www.wyae.de/docs/img_rsync.php).
>
> Bye
>
> Volker Tanger
> IT-Security Consulting
>
> --
> discon gmbh
> Wrangelstraße 100
> D-10997 Berlin
>
> fon +49 30 6104-3307
> fax +49 30 6104-3461
>
> volker.tangerat_private
> http://www.discon.de/
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
Jason Robertson
Now at the National Research Council.
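The bit-for-bit imaging discussed in this thread, as an added example that is not part of the original messages: a constructed 64-sector "drive" is imaged with dd, the image is checked against the source by SHA-256 (the integrity check a reviewer of the image would ask for), and the raw image is scanned for an executable header planted in the unused tail of a sector, which a file-level copy (tar, rsync) would not carry. The sample disk, the offsets and the planted ELF magic number are all constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): image a disk with dd, verify the image
# by hash, and scan the raw image for executable headers in sector slack.
set -eu

SECTOR=512

# Construct a 64-sector sample disk: an 11-byte file in sector 10, and an ELF
# magic number planted at offset 300 of that same sector, i.e. in its unused
# tail. Nothing here touches a real device.
make_sample_disk() {
    disk=$1
    dd if=/dev/zero of="$disk" bs=$SECTOR count=64 2>/dev/null
    printf 'hello world' | dd of="$disk" bs=$SECTOR seek=10 conv=notrunc 2>/dev/null
    printf '\177ELF' | dd of="$disk" bs=1 seek=$((10 * SECTOR + 300)) conv=notrunc 2>/dev/null
}

# Bit-for-bit image: conv=noerror,sync keeps reading past bad sectors and pads
# short reads with zeros, so sector offsets in the image match the source.
# Hashes of source and image are recorded beside the image for later checks.
image_disk() {
    dd if="$1" of="$2" bs=$SECTOR conv=noerror,sync 2>/dev/null
    sha256sum "$1" | cut -d' ' -f1 > "$2.source.sha256"
    sha256sum "$2" | cut -d' ' -f1 > "$2.sha256"
}

# Succeeds only if the image hashes the same as the source it was taken from.
verify_image() {
    [ "$(cat "$1.source.sha256")" = "$(cat "$1.sha256")" ]
}

# Print the byte offset and sector number of every ELF magic number found in
# the raw image; the file data never contained one, so a hit is in slack.
find_elf_headers() {
    magic=$(printf '\177ELF')
    LC_ALL=C grep -a -o -b -F "$magic" "$1" | cut -d: -f1 |
    while read -r off; do
        echo "offset=$off sector=$((off / SECTOR))"
    done
}
```

Run `make_sample_disk`, `image_disk` and `verify_image` in that order, then `find_elf_headers` on the image; on a real case the same scan would be run against the dd image, never the original drive.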
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 10:03:14 PDT