RE: Linux, dd, and image file

From: Altheide, Cory B. (AltheideCat_private)
Date: Fri Apr 04 2003 - 08:55:46 PST

Next message: Darren Welch: "e-discovery"

Previous message: R Andersson: "Re: Problem with mounted vfat image"
Maybe in reply to: Sabol, Paul: "Linux, dd, and image file"
Next in thread: Paul Hoyt Nelson: "Re: Linux, dd, and image file"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> -----Original Message-----
> From: Stephen Samuel [mailto:samuelat_private] 
> Sent: Thursday, April 03, 2003 10:30 AM
> To: forensicsat_private; jcreyesat_private
> Subject: Re: Linux, dd, and image file
> 
> 
> One problem with imaging each partition is that you may miss 
> some pertinent information.  The partitions don't always 
> encompas the entire disk, and a knowledgable intruder might 
> store info in the inter-partition spaces. (one example 
> includes a recent to-do about some Windows Tax software that 
> stored copy-protection information in unused portions of the 
> boot track)
> 

A knowledgable investigator might image the inter-partition spaces (and
pre-/post-partition spaces), as well as the partitions. :)

Cory Altheide
Computer Forensics Specialist
NCI Information Systems, Inc.
NNSA Cyber Forensics Center
altheidecat_private


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Darren Welch: "e-discovery"
Previous message: R Andersson: "Re: Problem with mounted vfat image"
Maybe in reply to: Sabol, Paul: "Linux, dd, and image file"
Next in thread: Paul Hoyt Nelson: "Re: Linux, dd, and image file"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Apr 08 2003 - 16:14:40 PDT