> -----Original Message----- > From: Stephen Samuel [mailto:samuelat_private] > Sent: Thursday, April 03, 2003 10:30 AM > To: forensicsat_private; jcreyesat_private > Subject: Re: Linux, dd, and image file > > > One problem with imaging each partition is that you may miss > some pertinent information. The partitions don't always > encompas the entire disk, and a knowledgable intruder might > store info in the inter-partition spaces. (one example > includes a recent to-do about some Windows Tax software that > stored copy-protection information in unused portions of the > boot track) > A knowledgable investigator might image the inter-partition spaces (and pre-/post-partition spaces), as well as the partitions. :) Cory Altheide Computer Forensics Specialist NCI Information Systems, Inc. NNSA Cyber Forensics Center altheidecat_private ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Apr 08 2003 - 16:14:40 PDT