On 9/12/05, Red Leg <[EMAIL PROTECTED]> wrote:
> Hey Thanks!
>
> Can I use the copy made by dd for the analysis? Specifically... 1) I want to
> go to the site, 2) copy the drive, 3) take the copy made back to my location,
> 4) restore the data to another drive and mount it to an existing system and
> then 5) forensically analyze the restored copy for deleted files.
>
> Can I use your directions to accomplish that?
What do you mean by "forensically analyze?" dd may[0] make a copy that's good for forensic analysis, but depending on what's on the drive and how you mount it, you may alter things by mounting it. If you're not completely sure of what you're doing[1], you'll want to make a copy of your copy [so restoring to another drive *is* good] if you don't have a hardware write-blocker. You'll also want MD5s or other hashes of the original and the copies to verify that you've got the data.

If there is a DCO or HPA then it may impact the value of the image depending on how you intend to use it and how it's acquired.

If it's for something that may go to court (including as an unfair dismissal case), you'll probably want to try to get someone who's done it before to do the analysis of the image, if not the imaging itself[2]. Also, you'll want to keep chain-of-custody documentation for the image and, if necessary, the original. I tend to like to make an extra copy onsite and put that back into the system, keeping the original for evidentiary value.

If you haven't done it before, practice on a similar target system and verify both your process and your tools end-to-end. Linux's "read-only" mounting of journaled filesystems is an example of why validation is necessary.

Paul

[0] dcfldd is better at drives with errors and will automatically checksum.
[1] Uncleanly shut down filesystems, journaling filesystems and fun things like that may impact your ability to mount the image read-only.
[2] I have had folks do imaging in the past with tools I've provided, then had them FedEx me the image, but generally only if we think they won't need to testify.

--
www.compuwar.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
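The acquire-hash-verify-mount sequence Paul outlines, written out as an added POSIX shell example (this is not Paul's script or anything from the thread). It assumes GNU or BSD dd and sha256sum/shasum, uses SHA-256 where the reply says "MD5s or other hashes", and stands in a constructed 1 MiB random file for the evidence drive; the source device path, the image filenames and the function names are all made up for the example. The read-only mount helper carries the noload/norecovery options that stop the kernel replaying an ext or xfs journal, which is the trap behind the "read-only mounting of journaled filesystems" remark; it needs root and a real filesystem, so the stand-alone run does not call it.

```shell
#!/bin/sh
# Added example, not from the thread: image a source with dd, record hashes of
# the source and the image next to a dd log, and verify before any analysis.
# The "evidence drive" is a constructed file; on a real job SRC would be a block
# device behind a hardware write-blocker (assumption, not modelled here).

set -eu

# Print the SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed stand-in for the source drive: 2048 sectors of random bytes, so
# it is sector-sized like a real device (1 MiB total).
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Acquire SRC into IMG. bs=512 matches the sector size, so conv=noerror,sync
# zero-fills only the single unreadable sector rather than a whole larger
# block; dd's summary goes to IMG.log for the chain-of-custody notes, and the
# hashes of source and image are written beside the image.
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.log"
    hash_file "$src" > "$img.source.sha256"
    hash_file "$img" > "$img.sha256"
}

# Succeed only if IMG still hashes to the source hash recorded at acquisition.
verify_image() {
    [ "$(cat "$1.source.sha256")" = "$(hash_file "$1")" ]
}

# Copy of the copy: make a working image, check it against the recorded source
# hash, and leave the first image untouched as the evidentiary copy.
make_working_copy() {
    cp "$1" "$2"
    [ "$(cat "$1.source.sha256")" = "$(hash_file "$2")" ]
}

# Mount an image without altering it. Plain "ro" is not enough on ext3/ext4
# and xfs: the kernel replays the journal at mount time and the image bytes
# change. noload (ext) / norecovery (xfs) suppress the replay. Needs root and
# a real filesystem inside the image; not exercised in the run below.
mount_image_readonly() {
    img="$1"; mnt="$2"; fstype="$3"
    case "$fstype" in
        ext3|ext4) opts="ro,noload,loop" ;;
        xfs)       opts="ro,norecovery,loop" ;;
        *)         opts="ro,loop" ;;
    esac
    mount -t "$fstype" -o "$opts" "$img" "$mnt"
}

# Stand-alone run on the constructed sample.
tmp=$(mktemp -d)
make_sample_source "$tmp/drive.bin"
acquire_image "$tmp/drive.bin" "$tmp/evidence.dd"
verify_image "$tmp/evidence.dd"
echo "image verified: $(cat "$tmp/evidence.dd.sha256")"
make_working_copy "$tmp/evidence.dd" "$tmp/working.dd"
echo "working copy verified; dd log at $tmp/evidence.dd.log"
rm -rf "$tmp"
```

Re-run verify_image on the evidentiary image after every transfer and before analysis; a mismatch means the image, not the drive, is what changed.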